
Table of Contents

Understand and explore


Overview
Back up sites
Recover sites
Unattended site recovery
High availability options
Manage high-risk deployments
Plan and design
Certificate profile prerequisites
Certificate template permissions for certificate profiles
Certificate profile security and privacy
Plan for Endpoint Protection
Plan for email, Wi-Fi, and VPN profiles
Email profile prerequisites
Wi-Fi and VPN profile prerequisites
Security and privacy for Wi-Fi and VPN profiles
Security and privacy for email profiles
Security and privacy for certificate profiles
Deploy and use
VPN profiles
Create VPN profiles
Find a package family name (PFN) for per-app VPN
Wi-Fi Profiles
Create Wi-Fi profiles
Certificate profiles
Create certificate profiles
Configuring certificate infrastructure
Cryptographic controls technical reference
Endpoint Protection
Configure Endpoint Protection
Windows Firewall policies
Windows Defender Advanced Threat Protection
Create and deploy Exploit Guard policy
Create and deploy Application Guard policy
Antimalware and firewall tasks
Endpoint Protection scenario
Endpoint Protection client help
Troubleshooting client
Windows Defender FAQ
Device Guard settings
Deploy Wi-Fi, VPN, email, and certificate profiles
Windows Hello for Business settings
Terms and Conditions settings
Monitor protection
Monitor Wi-Fi, email and VPN profiles
Monitor certificate profiles
Monitor Endpoint Protection
Protect data and site infrastructure with System Center Configuration Manager
4/30/2018 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


You want your users to be able to securely access your organization's resources, so that both your infrastructure
and your data are protected from exposure or malicious attack. The information in these topics describes how to
use System Center Configuration Manager (also known as ConfigMgr or SCCM ) to enable that access and how to
help protect your organization's resources.
You can minimize your users' efforts to connect to corporate resources by enabling VPN connectivity using
VPN profiles. Learn more in VPN profiles in System Center Configuration Manager.
Wi-Fi profiles in System Center Configuration Manager provide a set of tools and resources to help you create,
deploy, and monitor wireless network settings on devices in your organization. By deploying these settings, you
minimize the effort that end users require to connect to corporate wireless networks. Learn more in Wi-Fi Profiles
in System Center Configuration Manager.
Certificate profiles in System Center Configuration Manager describes how to provision your users' devices
with the certificates they need to connect to company resources.
System Center Endpoint Protection lets you manage antimalware policies and Windows Firewall security
for client computers.
You can use conditional access to help secure email and other services on devices that are enrolled with
Microsoft Intune, as described in Manage access to services in System Center Configuration Manager.
Email profiles provide a set of tools and resources to help you create, deploy and monitor email settings on
devices. This enables users to access corporate email on their personal devices without any required setup
on their part. Learn more in Email profiles in System Center Configuration Manager.
Configuration Manager lets you integrate with Windows Hello for Business (formerly Microsoft Passport
for Work) which is an alternative sign-in method that uses Active Directory, or an Azure Active Directory
account to replace a password, smart card, or virtual smart card. Learn more in Windows Hello for Business
settings in System Center Configuration Manager.
Back up a Configuration Manager site
4/30/2018 • 15 min to read

Applies to: System Center Configuration Manager (Current Branch)


Prepare backup and recovery approaches to avoid data loss. For Configuration Manager sites, a backup and
recovery approach can help you to recover sites and hierarchies more quickly, and with the least data loss.
The sections in this topic can help you back up your sites. To recover a site, see Recovery for Configuration
Manager.

Considerations before creating a backup


If you use a SQL Server Always On availability group to host the site database: Modify your backup
and recovery plans as described in Prepare to use SQL Server Always On.
Configuration Manager can recover the site database from the Configuration Manager backup maintenance
task or from a site database backup that you create with another process.
For example, you can restore the site database from a backup that is created as part of a Microsoft SQL
Server maintenance plan. You can also use a backup that is created with Data Protection Manager (DPM); see
Using Data Protection Manager to back up your site database.
Using Data Protection Manager to back up your site database
You can use System Center 2012 Data Protection Manager (DPM) to back up your site database.
You must create a new protection group in DPM for the site database computer. On the Select Group Members
page of the Create New Protection Group Wizard, you select the SMS Writer service from the data source list, and
then select the site database as an appropriate member. For more information about using DPM to back up your
site database, see the Data Protection Manager Documentation Library on TechNet.

IMPORTANT
Configuration Manager does not support DPM backup for a SQL Server cluster that uses a named instance, but does
support DPM backup on a SQL Server cluster that uses the default instance of SQL Server.

After you restore the site database, follow the steps in Setup to recover the site. Select the Use a site database
that has been manually recovered recovery option to use the site database that you recovered with Data
Protection Manager.

Backup maintenance task


You can automate backup for Configuration Manager sites by scheduling the predefined Backup Site Server
maintenance task. This task:
Runs on a schedule
Backs up the site database
Backs up specific registry keys
Backs up specific folders and files
Backs up the CD.Latest folder
Plan to run the default site backup task at a minimum of every 5 days. This is because Configuration Manager uses
a SQL Server change tracking retention period of 5 days. (See SQL Server change tracking retention period in the
Recover sites topic.)
To simplify the backup process, you can create an AfterBackup.bat file to perform post-backup actions
automatically after the backup maintenance task runs successfully. The AfterBackup.bat file is usually used to
archive the backup snapshot to a secure location. You can also use the AfterBackup.bat file to copy files to your
backup folder and start other, supplemental backup tasks.
You can back up a central administration site and primary site, but there is no backup support for secondary sites
or site system servers.
When the Configuration Manager backup service runs, it follows the instructions defined in the backup control file
(<ConfigMgrInstallationFolder>\Inboxes\Smsbkup.box\Smsbkup.ctl). You can modify the backup control
file to change the behavior of the backup service.
Site backup status information is written to the Smsbkup.log file. This file is created in the destination folder that
you specify in the Backup Site Server maintenance task properties.
To enable the site backup maintenance task
1. In the Configuration Manager console, open Administration > Site Configuration > Sites.
2. Select the site in which you want to enable the site backup maintenance task.
3. On the Home tab, in the Settings group, choose Site Maintenance Tasks.
4. Choose Backup Site Server > Edit.
5. Choose Enable this task > Set Paths to specify the backup destination. You have the following options:

IMPORTANT
To help prevent tampering of the backup files, store the files in a secure location. The most secure backup path is to a
local drive, so you can set NTFS file system permissions on the folder. Configuration Manager does not encrypt the
backup data that is stored in the backup path.

Local drive on site server for site data and database: Specifies that the backup files for the site
and site database are stored in the specified path on the local disk drive of the site server. You must
create the local folder before the backup task runs. The Local System account on the site server must
have Write NTFS file system permissions to the local folder for the site server backup. The Local
System account on the computer that is running SQL Server must have Write NTFS permissions to
the folder for the site database backup.
Network path (UNC name) for site data and database: Specifies that the backup files for the site
and site database are stored in the specified UNC path. You must create the share before the backup
task runs. The computer account of the site server and the computer account of the SQL Server, if
SQL Server is installed on another computer, must have Write NTFS and share permissions to the
shared network folder.
Local drives on site server and SQL Server: Specifies that the backup files for the site are stored in
the specified path on the local drive of the site server, and the backup files for the site database are
stored in the specified path on the local drive of the site database server. You must create the local
folders before the backup task runs. The computer account of the site server must have Write NTFS
permissions to the folder that you create on the site server. The computer account of the SQL Server
must have Write NTFS permissions to the folder that you create on the site database server. This
option is available only when the site database is not installed on the site server.
NOTE
The option to browse to the backup destination is only available when you specify the UNC path of the backup
destination.
The folder name or share name that is used for the backup destination does not support the use of Unicode
characters.

6. Configure a schedule for the site backup task. As a best practice, consider a backup schedule that is outside
active working hours. If you have a hierarchy, consider a schedule that runs at least two times a week to
ensure maximum data retention in the event of site failure.
When you run the Configuration Manager console on the same site server that you are configuring for
backup, the Backup Site Server maintenance task uses local time for the schedule. When the Configuration
Manager console is run from a computer remote from the site that you are configuring for backup, the
Backup Site Server maintenance task uses UTC for the schedule.
7. Choose whether to create an alert if the site backup task fails, click OK, and then click OK. When selected,
Configuration Manager creates a critical alert for the backup failure that you can review in the Alerts node
in the Monitoring workspace.
Next, verify that the Backup Site Server maintenance task is running, to ensure that backups are being
created.
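The IMPORTANT note above recommends a local backup path with NTFS permissions so the unencrypted backup data cannot be tampered with. The script below is an added example, not part of the Configuration Manager documentation: it creates the local backup folder before the task runs and restricts it to SYSTEM (the Local System account the task writes under, with Modify so it can overwrite the previous snapshot) and local Administrators. The path in $BackupRoot is an assumption; adjust it for your site server.

```powershell
# Added example (not from the Configuration Manager documentation): create the
# local backup destination and restrict its NTFS ACL. $BackupRoot is assumed.
param(
    [string]$BackupRoot = 'E:\ConfigMgr_Backup'
)

# The folder must exist before the Backup Site Server task runs.
if (-not (Test-Path -LiteralPath $BackupRoot)) {
    New-Item -ItemType Directory -Path $BackupRoot | Out-Null
}

$acl = Get-Acl -LiteralPath $BackupRoot

# Stop inheriting permissive entries from the drive root (for example Users: Read)
# and drop them instead of copying them onto the folder.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit entries that already exist so only the rules below remain.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Local System needs Write at minimum; Modify also lets the task replace the old snapshot.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'Modify', $inherit, $propagate, 'Allow')))

# Local Administrators keep full control for recovery and for archiving the snapshot.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')))

Set-Acl -LiteralPath $BackupRoot -AclObject $acl

# Print the resulting ACL so the change can be reviewed; no inherited entries should remain.
(Get-Acl -LiteralPath $BackupRoot).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Run it elevated on the site server. If the site database is on a separate SQL Server and you use the "Local drives on site server and SQL Server" option, apply the same pattern to the folder on the database server, granting the site server's or SQL Server's computer account as the documentation describes.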
To verify that the Backup Site Server maintenance task is running
Verify that the Site Backup maintenance task is running by reviewing any of the following:
Check the timestamp on the files in the backup destination folder that the task created. Verify that the
timestamp has been updated with a time that matches the time when the task was last scheduled to run.
In the Component Status node in the Monitoring workspace, review the status messages for
SMS_SITE_BACKUP. When site backup is completed successfully, you see message ID 5035, which indicates
that the site backup was completed without any errors.
When the Backup Site Server maintenance task is configured to create an alert if backup fails, you can check
the Alerts node in the Monitoring workspace for backup failures.
In <ConfigMgrInstallationFolder>\Logs, review Smsbkup.log for warnings and errors. When site backup is
completed successfully, you see Backup completed with a timestamp and message ID STATMSG: ID=5035 .

TIP
When the backup maintenance task fails, you can restart the backup task by stopping and restarting the
SMS_SITE_BACKUP service.
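The verification steps above can be scripted so they run after every scheduled backup. The following is an added example, not part of the Configuration Manager documentation: it checks the snapshot timestamp against the 5-day change tracking retention period mentioned earlier, looks for the STATMSG: ID=5035 completion entry in Smsbkup.log, and reports the SMS_SITE_BACKUP service state. $BackupRoot and $InstallDir are assumed paths.

```powershell
# Added example (not from the Configuration Manager documentation): verify that the
# Backup Site Server task completed. Paths and the 5-day limit are parameters.
param(
    [string]$BackupRoot = 'E:\ConfigMgr_Backup',
    [string]$InstallDir = 'C:\Program Files\Microsoft Configuration Manager',
    [int]   $MaxAgeDays = 5   # SQL Server change tracking retention period
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. Newest file in the backup destination. Its timestamp should match the last
#    scheduled run; a snapshot older than the retention period is only useful for
#    recovering a stand-alone primary site.
$newest = Get-ChildItem -LiteralPath $BackupRoot -Recurse -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) {
    $problems.Add("No backup files found under $BackupRoot")
} else {
    $age = (Get-Date) - $newest.LastWriteTime
    Write-Host ("Newest snapshot file: {0} ({1:N1} days old)" -f $newest.FullName, $age.TotalDays)
    if ($age.TotalDays -gt $MaxAgeDays) {
        $problems.Add("Snapshot is older than the $MaxAgeDays-day change tracking retention period")
    }
}

# 2. Smsbkup.log: a successful run logs 'Backup completed' with STATMSG: ID=5035.
#    Only the tail is read so the most recent run is what gets judged.
$log = Join-Path $InstallDir 'Logs\Smsbkup.log'
if (-not (Test-Path -LiteralPath $log)) {
    $problems.Add("Smsbkup.log not found at $log")
} else {
    $tail     = Get-Content -LiteralPath $log -Tail 200
    $lastOk   = $tail | Select-String -SimpleMatch 'STATMSG: ID=5035' | Select-Object -Last 1
    $lastFail = $tail | Select-String -Pattern '\berror\b|\bfailed\b' | Select-Object -Last 1
    if (-not $lastOk) {
        $problems.Add('No STATMSG: ID=5035 (backup completed) entry in the last 200 lines of Smsbkup.log')
    } elseif ($lastFail -and $lastFail.LineNumber -gt $lastOk.LineNumber) {
        $problems.Add("Error logged after the last successful completion: $($lastFail.Line.Trim())")
    }
}

# 3. SMS_SITE_BACKUP service: the documentation notes a failed task can be restarted
#    by stopping and starting this service.
$svc = Get-Service -Name 'SMS_SITE_BACKUP' -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems.Add('SMS_SITE_BACKUP service is not installed on this computer')
} else {
    Write-Host "SMS_SITE_BACKUP service status: $($svc.Status)"
}

if ($problems.Count -eq 0) {
    Write-Host 'Backup Site Server task appears healthy.' -ForegroundColor Green
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

The script exits non-zero when any check fails, so it can be scheduled from Task Scheduler or a monitoring agent shortly after the backup window; the console's own critical alert (step 7 above) remains the primary signal for failures.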

Archive the backup snapshot


The first time the Backup Site Server maintenance task runs, it creates a backup snapshot, which you can use to
recover your site server in case of a failure. When the backup task runs again during subsequent cycles, it creates a
new backup snapshot that overwrites the previous snapshot. As a result, the site has only a single backup snapshot,
and you have no way of retrieving an earlier backup snapshot.
As a best practice, keep multiple archives of the backup snapshot for the following reasons:
It is common for backup media to fail, get misplaced, or contain only a partial backup. Recovering a failed
stand-alone primary site from an older backup is better than recovering without any backup. For a site
server in a hierarchy, the backup must be in the SQL Server change tracking retention period, or the backup
is not required.
A corruption in the site can go undetected for several backup cycles. You might have to use a backup
snapshot from before the site became corrupted. This applies to a stand-alone primary site and to sites in a
hierarchy where the backup is in the SQL Server change tracking retention period.
The site might have no backup snapshot at all if, for example, the Backup Site Server maintenance task fails.
Because the backup task removes the previous backup snapshot before it starts to back up the current data,
there will not be a valid backup snapshot.

Using the AfterBackup.bat file


After successfully backing up the site, the Backup Site Server task automatically attempts to run a file that is named
AfterBackup.bat. You must manually create the AfterBackup.bat file in
<ConfigMgrInstallationFolder>\Inboxes\Smsbkup. If an AfterBackup.bat file exists, and is stored in the correct
folder, it automatically runs after the backup task is completed.
The AfterBackup.bat file lets you archive the backup snapshot at the end of every backup operation, and
automatically perform other post-backup tasks that are not part of the Backup Site Server maintenance task. The
AfterBackup.bat file integrates the archive and the backup operations, thereby ensuring that every new backup
snapshot is archived.
When the AfterBackup.bat file is not present, the backup task skips it without effect on the backup operation. To
verify that the site backup task successfully ran the AfterBackup.bat file, see the Component Status node in the
Monitoring workspace and review the status messages for SMS_SITE_BACKUP. When the task successfully
started the AfterBackup.bat command file, you see message ID 5040.

TIP
To create the AfterBackup.bat file to archive your site server backup files, you must use a copy command tool, like Robocopy,
in the batch file. For example, you could create the AfterBackup.bat file, and on the first line, you could add something like:
Robocopy E:\ConfigMgr_Backup \\ServerName\ShareName\ConfigMgr_Backup /MIR

Although the intended use of the AfterBackup.bat is to archive backup snapshots, you can create an
AfterBackup.bat file to perform additional tasks at the end of every backup operation.
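Because the task keeps only one snapshot and overwrites it on every run, the archive step is where retention is actually implemented. The script below is an added example, not part of the Configuration Manager documentation: it is a PowerShell script that a one-line AfterBackup.bat calls, mirroring the snapshot with Robocopy into a date-stamped folder on the archive share and pruning the oldest archives beyond a fixed count. The snapshot path, archive share, retained count and script name are assumptions; the archive share should itself be restricted as the documentation recommends for the backup path.

```powershell
# Added example (not from the Configuration Manager documentation): archive the
# backup snapshot with retention. AfterBackup.bat (in <ConfigMgrInstallationFolder>\Inboxes\Smsbkup)
# would contain the single line:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File E:\Scripts\Archive-SiteBackup.ps1
# $SnapshotPath, $ArchiveRoot, $KeepCount and the script path are assumptions.
param(
    [string]$SnapshotPath = 'E:\ConfigMgr_Backup',
    [string]$ArchiveRoot  = '\\ServerName\ShareName\ConfigMgr_Backup_Archive',
    [int]   $KeepCount    = 10   # number of archived snapshots to retain
)

if (-not (Test-Path -LiteralPath $ArchiveRoot)) {
    New-Item -ItemType Directory -Path $ArchiveRoot | Out-Null
}

# Each run gets its own folder; the name sorts chronologically, which the prune step relies on.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$target  = Join-Path $ArchiveRoot $stamp
$logFile = Join-Path $ArchiveRoot 'archive.log'

# /MIR mirrors the snapshot into the new folder only, so it cannot delete earlier archives.
# /R:2 /W:5 bound retries; /NP drops per-file progress; /LOG+ appends to the archive log.
& robocopy.exe $SnapshotPath $target /MIR /R:2 /W:5 /NP "/LOG+:$logFile"
$rc = $LASTEXITCODE

# Robocopy exit codes 0-7 are success flags (files copied, extras, mismatches);
# 8 or higher means at least one file failed to copy.
if ($rc -ge 8) {
    Write-Error "Robocopy reported failures (exit code $rc); leaving existing archives untouched."
    exit $rc
}

# An empty archive means the snapshot folder was empty; do not let it displace a good one.
$fileCount = (Get-ChildItem -LiteralPath $target -Recurse -File | Measure-Object).Count
if ($fileCount -eq 0) {
    Write-Error "Archive $target contains no files; check the backup destination."
    Remove-Item -LiteralPath $target -Recurse -Force
    exit 1
}

# Prune: keep the newest $KeepCount archive folders, matched by the timestamp name pattern
# so unrelated folders on the share are never deleted.
Get-ChildItem -LiteralPath $ArchiveRoot -Directory |
    Where-Object { $_.Name -match '^\d{8}-\d{6}$' } |
    Sort-Object Name -Descending |
    Select-Object -Skip $KeepCount |
    ForEach-Object {
        Write-Host "Removing old archive $($_.FullName)"
        Remove-Item -LiteralPath $_.FullName -Recurse -Force
    }

Write-Host "Archived snapshot to $target ($fileCount files); robocopy exit code $rc."
exit 0
```

Because the backup task runs AfterBackup.bat only after a successful backup (message ID 5040 confirms it started), the script does not re-check Smsbkup.log. The Local System account runs the batch file, so the archive share must grant the site server's computer account write access, mirroring the permissions the documentation lists for a UNC backup path.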

Supplemental backup tasks


The Backup Site Server maintenance task provides a backup snapshot for the site server files and site database, but
there are other items not backed up that you must consider when you create your backup strategy. Use the
following sections to help you complete your Configuration Manager backup strategy.
Back up custom Reporting Services reports
When you have modified predefined or created custom Reporting Services reports, creating a backup for the
report server database files is an important part of your backup strategy. The report server backup must include a
backup of the source files for reports and models, encryption keys, custom assemblies or extensions, configuration
files, custom SQL Server views used in custom reports, custom stored procedures, and so on.

IMPORTANT
When Configuration Manager updates to a newer version, the predefined reports might be overwritten by new reports. If
you modify a predefined report, back up the report, and then restore it in Reporting Services.
For more information about backing up your custom reports in Reporting Services, see Backup and Restore
Operations for a Reporting Services Installation in the SQL Server 2014 Books Online.
Back up content files
The content library in Configuration Manager is the location where all content files are stored for software updates,
applications, operating system deployment, and so on. The content library is located on the site server and on each
distribution point. The Backup Site Server maintenance task does not include a backup for the content library or
the package source files. When a site server fails, the information about the content library files is restored to the
site database, but you must restore the content library and package source files on the site server.
Content library: The content library must be restored before you can redistribute content to distribution
points. When you start content redistribution, Configuration Manager copies the files from the content
library on the site server to the distribution points. The content library for the site server is in the
SCCMContentLib folder, which is typically located on the drive with the most free disk space at the time
when the site was installed.
Package source files: The package source files must be restored before you can update content on
distribution points. When you start a content update, Configuration Manager copies new or modified files
from the package source to the content library, which in turn copies the files to associated distribution
points. You can run the following query in SQL Server to find the package source location for all packages
and applications: SELECT * FROM v_Package. You can identify the package source site by looking at the first
three characters of the package ID. For example, if the package ID is CEN00001, the site code for the source
site is CEN. When you restore the package source files, they must be restored to the same location where
they were before the failure.
Verify that you include both the content library and package source locations in your file system backup for
the site server.
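To turn the v_Package query above into a checklist for the file-system backup, the following added example (not part of the Configuration Manager documentation) runs the query from PowerShell, derives the source site code from the first three characters of each package ID, and tests whether each distinct source path is reachable from the site server. The SQL Server name and database name are assumptions, as is the use of the PackageID and PkgSourcePath columns of v_Package; the SqlServer PowerShell module supplies Invoke-Sqlcmd.

```powershell
# Added example (not from the Configuration Manager documentation): list package
# source folders to include in the site server file-system backup.
# $SqlServer and $Database are assumptions; column names are taken from v_Package.
param(
    [string]$SqlServer = 'SQLSERVER01',
    [string]$Database  = 'CM_CEN'
)

$rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database `
    -Query 'SELECT PackageID, Name, PkgSourcePath FROM v_Package'

$sources = foreach ($row in $rows) {
    # Packages without a source path (for example some built-in packages) have nothing to back up.
    if ([string]::IsNullOrWhiteSpace($row.PkgSourcePath)) { continue }
    [pscustomobject]@{
        SiteCode   = $row.PackageID.Substring(0, 3)   # CEN00001 -> CEN
        PackageID  = $row.PackageID
        Name       = $row.Name
        SourcePath = $row.PkgSourcePath.TrimEnd('\')
    }
}

# Summary per source site, so each site's backup plan can be checked separately.
$sources | Group-Object SiteCode | ForEach-Object {
    Write-Host "Source site $($_.Name): $($_.Count) packages"
}

# Distinct source paths: these, plus the SCCMContentLib folder, belong in the
# file-system backup. Each path is tested so missing or unreachable sources stand out.
$sources | Select-Object -ExpandProperty SourcePath -Unique | Sort-Object | ForEach-Object {
    $state = if (Test-Path -LiteralPath $_) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}' -f $state, $_
}
```

Paths reported as MISSING before a failure are worth investigating immediately: a content update for that package would already fail, and after recovery the source must be restored to exactly that location.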
Back up custom software updates
System Center Updates Publisher 2011 is a stand-alone tool that lets you publish custom software updates to
Windows Server Update Services (WSUS), synchronize the software updates to Configuration Manager, assess
software updates compliance, and deploy the custom software updates to clients. Updates Publisher uses a local
database for its software update repository. When you use Updates Publisher to manage custom software updates,
determine whether you should include the Updates Publisher database in your backup plan. For more information
about Updates Publisher, see System Center Updates Publisher 2011 in the System Center TechCenter Library.
Use the following procedure to back up the Updates Publisher database.
To back up the Updates Publisher 2011 database
1. On the computer that runs Updates Publisher, browse to the Updates Publisher database file (Scupdb.sdf) in
%USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\.
There is a different database file for each user that runs Updates Publisher.
2. Copy the database file to your backup destination. For example, if your backup destination is
E:\ConfigMgr_Backup, you could copy the Updates Publisher database file to
E:\ConfigMgr_Backup\SCUP2011.

TIP
When there is more than one database file on a computer, consider storing the file in a subfolder that indicates the
user profile associated with the database file. For example, you could have one database file in
E:\ConfigMgr_Backup\SCUP2011\User1 and another database file in E:\ConfigMgr_Backup\SCUP2011\User2.

User state migration data


You can use Configuration Manager task sequences to capture and restore the user state data in operating system
deployment scenarios where you want to retain the user state of the current operating system. The folders that
store the user state data are listed in the properties for the state migration point. This user state migration data is
not backed up as part of the Site Server Backup maintenance task. As part of your backup plan, you must manually
back up the folders that you specify to store the user state migration data.
To determine the folders used to store user state migration data
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, and choose Servers and Site System
Roles.
3. Select the site system that hosts the state migration role, and choose State migration point in Site
System Roles.
4. On the Site Role tab, in the Properties group, click Properties.
5. The folders that store the user state migration data are listed in the Folder details section on the General tab.

About the SMS Writer service


The SMS Writer is a service that interacts with the Volume Shadow Copy Service (VSS) during the backup
process. The SMS Writer service must be running for the Configuration Manager site backup to complete
successfully.
Purpose
SMS Writer registers with the VSS service and binds to its interfaces and events. When VSS broadcasts events, or
if it sends specific notifications to the SMS Writer, the SMS Writer responds to the notification and takes the
appropriate action. The SMS Writer reads the backup control file (smsbkup.ctl), located in <ConfigMgr
Installation Path>\inboxes\smsbkup.box, and determines the files and data that are to be backed up. The SMS
Writer builds metadata, which consists of various components, based on this information as well as specific data
from the SMS registry key and subkeys. It sends the metadata to VSS when it is requested. VSS then sends the
metadata to the requesting application: Configuration Manager Backup Manager. Backup Manager selects the data
that gets backed up and sends this data to the SMS Writer via VSS. The SMS Writer takes the appropriate steps to
prepare for the backup. Later, when VSS is ready to take the snapshot, it sends an event, and the SMS Writer stops
all Configuration Manager services and ensures that the Configuration Manager activities are frozen while the
snapshot is created. After the snapshot is complete, the SMS Writer restarts services and activities.
The SMS Writer service is installed automatically. It must be running when the VSS application requests a backup
or restore.
Writer ID
The writer ID for the SMS Writer is: 03ba67dd-dc6d-4729-a038-251f7018463b.
Permissions
The SMS Writer service must run under the Local System account.
Volume Shadow Copy service
The VSS is a set of COM APIs that implements a framework to allow volume backups to be performed while
applications on a system continue to write to the volumes. The VSS provides a consistent interface that allows
coordination between user applications that update data on disk (the SMS Writer service) and those that back up
applications (the Backup Manager service). For more information, see the Volume Shadow Copy Service topic in
the Windows Server TechCenter.
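Since the backup cannot complete unless the SMS Writer is registered with VSS, stable, and running as Local System, a pre-backup check is worth having. The following is an added example, not part of the Configuration Manager documentation: it parses the output of vssadmin list writers, locates the writer by the writer ID given above, and checks its state and last error, then inspects the writer's Windows service account. The service name SMS_SITE_VSS_WRITER is an assumption; confirm it in services.msc.

```powershell
# Added example (not from the Configuration Manager documentation): check SMS Writer
# registration with VSS and its service account. Run elevated (vssadmin requires it).
# The service name SMS_SITE_VSS_WRITER is an assumption.
$smsWriterId = '03ba67dd-dc6d-4729-a038-251f7018463b'   # writer ID from the documentation

# vssadmin prints one block per writer; collect each block into an object.
$writers = New-Object System.Collections.Generic.List[object]
$current = $null
foreach ($line in (& vssadmin.exe list writers)) {
    switch -Regex ($line) {
        "^Writer name:\s+'(.+)'" {
            $current = [pscustomobject]@{ Name = $Matches[1]; Id = $null; State = $null; LastError = $null }
            $writers.Add($current)
        }
        '^\s+Writer Id:\s+\{(.+)\}'       { if ($current) { $current.Id = $Matches[1] } }
        '^\s+State:\s+\[\d+\]\s+(.+)$'    { if ($current) { $current.State = $Matches[1].Trim() } }
        '^\s+Last error:\s+(.+)$'         { if ($current) { $current.LastError = $Matches[1].Trim() } }
    }
}

$sms = $writers | Where-Object { $_.Id -eq $smsWriterId }
if (-not $sms) {
    Write-Warning "SMS Writer ($smsWriterId) is not registered with VSS; the site backup cannot complete."
} else {
    Write-Host ("{0}: state '{1}', last error '{2}'" -f $sms.Name, $sms.State, $sms.LastError)
    # 'Stable' is the idle state; anything else means a backup/restore is in progress or the writer failed.
    if ($sms.State -ne 'Stable')       { Write-Warning "SMS Writer state is '$($sms.State)', not Stable." }
    if ($sms.LastError -ne 'No error') { Write-Warning "SMS Writer last error: $($sms.LastError)" }
}

# The documentation requires the SMS Writer service to run under the Local System account.
$svc = Get-CimInstance Win32_Service -Filter "Name='SMS_SITE_VSS_WRITER'"
if (-not $svc) {
    Write-Warning 'SMS_SITE_VSS_WRITER service not found (name assumed; confirm in services.msc).'
} elseif ($svc.StartName -ne 'LocalSystem') {
    Write-Warning "SMS Writer service runs as '$($svc.StartName)' instead of LocalSystem."
} else {
    Write-Host "SMS Writer service: $($svc.State), running as $($svc.StartName)"
}
```

A writer that is absent from the list usually means the service is stopped or failed to register at startup; restarting the service and re-running vssadmin list writers is the first thing to try before looking further.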

Next steps
After you create a backup, practice site recovery with that backup. This can help you become familiar with the
recovery process before you need to rely on it and can help confirm the backup was successful for its intended
purpose.
Recover a Configuration Manager site
4/30/2018 • 18 min to read

Applies to: System Center Configuration Manager (Current Branch)


Run a Configuration Manager site recovery after a Configuration Manager site fails or data loss occurs in the site
database. Repairing and resynchronizing data are the core tasks of a site recovery and are required to prevent
interruption of operations.
The sections in this topic can help you recover a Configuration Manager site. To create a backup, see Backup for
Configuration Manager.

Considerations before recovering a site


IMPORTANT
This information applies only to site recovery scenarios. When you are upgrading your on-premises infrastructure and not
actively recovering a failed site, review the information in the following topics:
Upgrade on-premises infrastructure
Modify your infrastructure

You must use the same version and edition of SQL Server: For example, restoring a database that ran on SQL
Server 2014 to SQL Server 2016 is not supported. Similarly, restoring a site database that ran on a Standard
edition of SQL Server 2016 to an Enterprise edition of SQL Server 2016 is not supported.
SQL Server must not be set to single-user mode.
Ensure the .MDF and .LDF files are valid. When you recover a site, there is no check for the state of the files you
are restoring.
If you use a SQL Server Always On availability group to host the site database: Modify your recovery plans
as described in Prepare to use SQL Server Always On.
When you use database replicas: After you restore a site database that was configured for database replicas,
before you can use the database replicas you must reconfigure each database replica, recreating both the
publications and subscriptions.

Determine your recovery options


There are two main areas to consider for Configuration Manager primary site server and central administration
site recovery; the site server and the site database. The following sections can help you select the best options for
your recovery scenario.

NOTE
When Setup detects an existing Configuration Manager site on the server, you can start a site recovery, but the recovery
options for the site server are limited. For example, if you run Setup on an existing site server, when you choose recovery, you
can recover the site database server, but the option to recover the site server is disabled.

Site server recovery options


Start Setup from a copy of the CD.Latest folder that you created outside of the Configuration Manager installation
folder.
If you run Configuration Manager Setup from the Start menu on the site server, the Recover a site option is
not available.
If you installed any updates from within the Configuration Manager console before you made your backup, you
cannot successfully reinstall the site by using Setup from installation media or the Configuration Manager
installation path.
Then select the Recover a site option. You have the following recovery options for the failed site server:
Recover the site server using an existing backup: Use this option when you have a backup of the
Configuration Manager site server that was created on the site server as part of the Backup Site Server
maintenance task before the site failure. The site is reinstalled, and the site settings are configured, based on the
site that was backed up.
Reinstall the site server: Use this option when you do not have a backup of the site server. The site server is
reinstalled, and you must specify the site settings, just as you would during an initial installation.
You must use the same site code and site database name that you used when the failed site was first
installed.
You can reinstall the site on a new computer that runs a new operating system.
The computer must use the same name, FQDN, of the original site server.
Site database recovery options
When you run Setup, you have the following recovery options for the site database:
Recover the site database using a backup set: Use this option when you have a backup of the
Configuration Manager site database that was created as part of the Backup Site Server maintenance task
run on the site before the site database failure. When you have a hierarchy, the changes that were made to
the site database after the last site database backup are retrieved from the central administration site for a
primary site, or from a reference primary site for a central administration site. When you recover the site
database for a stand-alone primary site, you lose site changes after the last backup.
When you recover the site database for a site in a hierarchy, the recovery behavior is different for a central
administration site and primary site, and when the last backup is inside or outside of the SQL Server change
tracking retention period. For more information, see the Site database recovery scenarios section in this
topic.

NOTE
The recovery fails if you select to restore the site database by using a backup set, but the site database already exists.

Create a new database for this site: Use this option when you do not have a backup of the Configuration
Manager site database. When you have a hierarchy, a new site database is created, and the data is recovered
by using replicated data from the central administration site for a primary site, or a reference primary site
for a central administration site. This option is not available when you are recovering a stand-alone primary
site or a central administration site that does not have primary sites.
Use a site database that has been manually recovered: Use this option when you have already
recovered the Configuration Manager site database but must complete the recovery process.
Configuration Manager can recover the site database from the Configuration Manager backup
maintenance task or from a site database backup that you perform by using DPM or another process.
After you restore the site database by using a method outside Configuration Manager, you must run
Setup and select this option to complete the site database recovery.
NOTE
When you use DPM to back up your site database, use the DPM procedures to restore the site database to a
specified location before you continue the restore process in Configuration Manager. For more information about
DPM, see the Data Protection Manager Documentation Library on TechNet.

When you have a hierarchy, the changes that were made to the site database after the last site database
backup are retrieved from the central administration site for a primary site, or from a reference primary
site for a central administration site. When you recover the site database for a stand-alone primary site,
you lose site changes after the last backup.
Skip database recovery: Use this option when no data loss has occurred on the Configuration Manager
site database server. This option is only valid when the site database is on a different computer than the site
server that you are recovering.
SQL Server change tracking retention period
Change tracking is enabled for the site database in SQL Server. Change tracking lets Configuration Manager query
for information about the changes that have been made to database tables after a previous point in time. The
retention period specifies how long change tracking information is retained. By default, the site database is
configured to have a retention period of 5 days. When you recover a site database, the recovery process proceeds
differently if your backup is inside or outside the retention period. For example, if your site database server fails,
and your last backup is 7 days old, it is outside the retention period.
For more information about SQL Server change tracking internals, see the following blogs from the SQL Server
team: Change Tracking Cleanup - part 1 and Change Tracking Cleanup - part 2.
Reinitialization of site or global data
The process to reinitialize site or global data replaces existing data in the site database with data from another site
database. For example, when site ABC reinitializes data from site XYZ, the following steps occur:
The data is copied from site XYZ to site ABC.
The existing data for site XYZ is removed from the site database on site ABC.
The copied data from site XYZ is inserted into the site database for site ABC.
Example scenario 1
The primary site reinitializes the global data from the central administration site: The recovery process
removes the existing global data for the primary site in the primary site database and replaces the data with the
global data copied from the central administration site.
Example scenario 2
The central administration site reinitializes the site data from a primary site: The recovery process removes
the existing site data for that primary site in the central administration site database and replaces the data with the
site data copied from the primary site. The site data for other primary sites is not affected.
Site database recovery scenarios
After a site database is restored from a backup, Configuration Manager attempts to restore the changes in site
and global data that were made after the last database backup. The following describes the actions that Configuration
Manager starts after a site database is restored from backup.
Recovered site is a central administration site:
Database backup within change tracking retention period
Global data: The changes in global data after the backup are replicated from all primary sites.
Site data: The changes in site data after the backup are replicated from all primary sites.
Database backup older than change tracking retention period
Global data: The central administration site reinitializes the global data from the reference primary site
if you specify it. Then all other primary sites reinitialize the global data from the central administration
site. If no reference site is specified, all primary sites reinitialize the global data from the central
administration site (the data that was restored from backup).
Site data: The central administration site reinitializes the site data from each primary site.
Recovered site is a primary site:
Database backup within change tracking retention period
Global data: The changes in global data after the backup are replicated from the central administration
site.
Site data: The central administration site reinitializes the site data from the primary site. Changes after
the backup are lost, but most data are regenerated by clients that send information to the primary site.
Database backup older than change tracking retention period
Global data: The primary site reinitializes the global data from the central administration site.
Site data: The central administration site reinitializes the site data from the primary site. Changes after
the backup are lost, but most data are regenerated by clients that send information to the primary site.

Site recovery procedures


Use one of the following procedures to help you recover your site server and site database.
To start a site recovery in the Setup Wizard
1. Copy the CD.Latest folder to a location outside the Configuration Manager Installation folder. From the copy
of the CD.Latest folder, run the Configuration Manager Setup Wizard.
2. On the Getting Started page, select Recover a site, and then click Next.
3. Complete the wizard by using the options that are appropriate for your site recovery.
During the recovery, Setup identifies the SQL Server Service Broker (SSB) port used by the SQL
Server. Do not change this port setting during recovery or data replication will not work properly
after the recovery completes.
You can specify the original, or a new path to use for the Configuration Manager installation in the
Setup Wizard.
To start an unattended site recovery
1. Prepare the unattended installation script for the options that you require for the site recovery. See
Unattended site recovery script file keys.
2. Run Configuration Manager Setup by using the command /script option. For example, if you named your
setup initialization file ConfigMgrUnattend.ini and saved it in the C:\Temp directory of the computer on
which you are running Setup, the command would be as follows: Setup /script
C:\temp\ConfigMgrUnattend.ini.
NOTE
After you recover a central administration site, replication of some site data from child sites can fail to be established.
This can include hardware inventory, software inventory, and status messages.
If this occurs, you must reinitialize the ConfigMgrDRSSiteQueue for database replication. To do so, use SQL Server
Manager to run the following query on the Configuration Manager site database on the central administration site:
IF EXISTS (SELECT * FROM sys.service_queues WHERE name = 'ConfigMgrDRSSiteQueue' AND is_receive_enabled = 0)
    ALTER QUEUE [dbo].[ConfigMgrDRSSiteQueue] WITH STATUS = ON

Post-recovery tasks
After you recover your site, there are several post-recovery tasks that you must consider before your site recovery
is completed. Use the following sections to help you complete your site recovery process.
Re-enter user account passwords
After a site server recovery, passwords for the user accounts specified for the site must be re-entered because they
are reset during the site recovery. The accounts are listed on the Finished page of the Setup Wizard after site
recovery is completed and saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
To re-enter user account passwords after site recovery
1. Open the Configuration Manager console and connect to the recovered site.
2. In the Configuration Manager console, click Administration.
3. In the Administration workspace, expand Security, and then click Accounts.
4. For each account in which you re-enter the password, do the following:
a. Select the account from the list of accounts that were identified after site recovery. You can find this
list in C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
b. On the Home tab, in the Properties group, click Properties to open the account properties.
c. On the General tab, click Set, and then re-enter the passwords for the account.
d. Click Verify, select the appropriate data source for the selected user account, and then click Test
connection to verify that the user account can connect to the data source.
e. Click OK to save the password changes, and then click OK.
Re-enter sideloading keys
After a site server recovery, you must re-enter Windows sideloading keys specified for the site because they are
reset during site recovery. After you re-enter the sideloading keys, the count in the Activations used column for
Windows sideloading keys is reset in the Configuration Manager console. For example, let's say before the site
failure you have a Total activations count set to 100 and Activations used is at 90 for the number of the keys
that have been used by devices. After the site recovery, the Total activations column still displays 100, but the
Activations used column incorrectly displays 0. However, after 10 new devices use a sideloading key, there will be
no remaining sideloading keys, and the next device will fail to apply a sideloading key.
Recreate the Microsoft Intune subscription
If you recover a Configuration Manager site server after the site server computer is re-imaged, the Microsoft
Intune subscription is not restored. You must reconnect your subscription after you recover the site. Do not create a
new APN request; instead, upload the current valid .pem file that was uploaded the last time iOS management
was configured or renewed. For more information, see Configuring the Microsoft Intune subscription.
Configure SSL for site system roles that use IIS
When you recover site systems that run IIS and that were configured for HTTPS before the failure, you must
reconfigure IIS to use the web server certificate.
Reinstall hotfixes in the recovered site server
After a site recovery, you must reinstall any hotfixes that were applied to the site server. View the list of the
previously installed hotfixes on the Finished page of the Setup Wizard after site recovery. This list is also saved to
C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
Recover custom reports on the computer running Reporting Services
When you have created custom Reporting Services reports, and Reporting Services fails, you can recover the
reports when you have backed up the report server. For more information about restoring your custom reports in
Reporting Services, see Backup and Restore Operations for a Reporting Services Installation in the SQL Server
2008 Books Online.
Recover content files
The site database contains information about where the content files are stored on the site server, but the content
files are not backed up or restored as part of the backup and recovery process. To fully recover content files, you
must restore the content library and package source files to the original location. There are several methods for
recovering your content files, but the easiest method is to restore the files from a file system backup of the site
server.
If you do not have a file system backup for the package source files, you must manually copy or download them as
you did originally when you first created the package. You can run the following query in SQL Server to find the
package source location for all packages and applications: SELECT * FROM v_Package. You can identify the package
source site by looking at the first three characters of the package ID. For example, if the package ID is CEN00001,
the site code for the source site is CEN. When you restore the package source files, they must be restored to the
same location in which they were before the failure.
If you do not have a file system backup that contains the content library, you have the following restore options:
Import a prestaged content file: When you have a Configuration Manager hierarchy, you can create a
prestaged content file with all packages and applications from another location, and then import the
prestaged content file to recover the content library on the site server.
Update content: When you start the update content action for a package or application deployment type,
the content is copied from the package source to the content library. The package source files must be
available in the original location for this action to finish successfully. You must perform this action on each
package and application.
Recover custom software updates on the computer running Updates Publisher
When you have included Updates Publisher database files in your backup plan, you can recover the databases in
case of a failure on the computer on which Updates Publisher runs. For more information about Updates Publisher,
see System Center Updates Publisher 2011 in the System Center TechCenter Library.
Use the following procedure to restore the Updates Publisher database.
To restore the Updates Publisher 2011 database
1. Reinstall Updates Publisher on the recovered computer.
2. Copy the database file (Scupdb.sdf) from your backup destination to
%USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\ on
the computer that runs Updates Publisher.
3. When more than one user runs Updates Publisher on the computer, you must copy each database file to the
appropriate user profile location.
User State Migration data
As part of the state migration point site system properties, you specify the folders that store user state migration
data. After you recover a server with a folder that stores user state migration data, you must manually restore the
user state migration data on the server to the same folders that stored the data prior to the failure.
Regenerate the certificates for distribution points
After you restore a site, the distmgr.log might contain the following entry for one or more distribution points:
Failed to decrypt cert PFX data. This entry indicates that the distribution point certificate data cannot be
decrypted by the site. To resolve this, you must regenerate or re-import the certificate for affected distribution
points. This can be done by using the Set-CMDistributionPoint PowerShell cmdlet.
Update Certificates Used for Cloud-Based distribution points
Configuration Manager requires a management certificate that it uses for site server to cloud-based distribution
point communication. After a site recovery, you must update the certificates for cloud-based distribution points.

Recover a secondary site


Configuration Manager does not support the backup of the database at a secondary site, but does support
recovery by reinstalling the secondary site. Secondary site recovery is required when a Configuration Manager
secondary site fails.
Requirements for reinstalling a secondary site
The computer must meet all secondary site prerequisites and have appropriate security rights configured.
You must use the same installation path that was used for the failed site.
You must use a computer with the same configuration as the failed computer, such as its FQDN, to successfully
recover the secondary site.
The computer must have the same SQL Server configuration as the failed site.
During a secondary site recovery, Configuration Manager does not install SQL Server Express if it is not
already installed on the computer.
You must use the same version of SQL Server and the same instance of SQL Server that you used for
the secondary site database before the failure.
To recover a secondary site:
To recover a secondary site, use the Recover Secondary Site action from the Sites node in the Configuration
Manager console. Unlike recovery for a central administration site or primary site, recovery for a secondary site
does not use a backup file and instead reinstalls the secondary site files on the failed secondary site computer. After
the site reinstalls, the secondary site data is reinitialized with data from the parent primary site.
During the recovery process, Configuration Manager verifies if the content library exists on the secondary site
computer and that the appropriate content is available. The secondary site will use the existing content library, if it
contains the appropriate content. Otherwise, to recover the content library of a recovered secondary site requires
you to redistribute or prestage the content to that recovered site.
When you have a distribution point that is not on the secondary site, you are not required to reinstall the
distribution point during a recovery of the secondary site. After the secondary site recovery, the site automatically
synchronizes with the distribution point.
You can verify the status of the secondary site recovery, by using the Show Install Status action from the Sites
node in the Configuration Manager console.
Unattended site recovery for Configuration Manager
4/30/2018 • 12 min to read

Applies to: System Center Configuration Manager (Current Branch)


To perform an unattended recovery of a Configuration Manager central administration site or primary site, you can
create an unattended installation script and then use setup with the /script command option. The script provides
the same type of information that the setup wizard prompts for, except that there are no default settings. All values
must be specified for the setup keys that apply to the type of recovery you are using.
To use the /script setup command-line option, you must create an initialization file. Then specify this file name after
the /script option. The name of the file is unimportant as long as it has the .ini file name extension. When you
reference the setup initialization file from the command line, you must provide the full path to the file. For example,
if your setup initialization file is named setup.ini, and it is stored in the C:\setup folder, your command line would
be:
setup /script c:\setup\setup.ini

IMPORTANT
You must have Administrator rights to run setup. When you run setup with the unattended script, start the command
prompt in an Administrator context by using Run as administrator.

The script contains section names, key names, and values. Required section key names vary depending on the
recovery type that you are scripting. The order of the keys within sections, and the order of sections within the file,
is not important. The keys are not case-sensitive. When you provide values for keys, the name of the key must be
followed by an equals sign (=) and the value for the key.
Use the following sections to help you to create your script for unattended site recovery. The tables list the
available setup script keys, their corresponding values, whether they are required, which type of installation they
are used for, and a short description for the key.

Recover a central administration site unattended


Use the following information to configure an unattended setup script file to recover a central administration site.
Identification
Key name: Action
Required: Yes
Values: RecoverCCAR
Details: Recovers a central administration site
Key name: CDLatest
Required: Yes – Only when using media from the CD.Latest folder.
Values: 1 Any value other than 1 is considered to not be using CD.Latest.
Details: Your script must include this key and value when you run setup from media in a CD.Latest
folder for the purpose of installing a primary or central administration site, or recovering a primary or
central administration site. This value informs setup that media from CD.Latest is being used.
RecoveryOptions
Key name: ServerRecoveryOptions
Required: Yes
Values: 1, 2, or 4
1 = Recover site server and SQL Server.
2 = Recover site server only.
4 = Recover SQL Server only.
Details: Specifies whether setup recovers the site server, SQL Server, or both. The associated keys
are required when you set the following value for the ServerRecoveryOptions setting:
Value = 1 You have the option to specify a value for the SiteServerBackupLocation key to
recover the site by using a site backup. If you do not specify a value, the site is reinstalled
without restoring it from a backup set.
The BackupLocation key is required when you configure a value of 10 for the
DatabaseRecoveryOptions key, which is to restore the site database from backup.
Value = 2 You have the option to specify a value for the SiteServerBackupLocation key to
recover the site by using a site backup. If you do not specify a value, the site is reinstalled
without restoring it from a backup set.
Value = 4 The BackupLocation key is required when you configure a value of 10 for the
DatabaseRecoveryOptions key, which is to restore the site database from backup.
Key name: DatabaseRecoveryOptions
Required: Maybe
Values:
10 = Restore the site database from backup.
20 = Use a site database that has been manually recovered by using another method.
40 = Create a new database for the site. Use this option when there is no site database backup
available. Global and site data is recovered through replication from other sites.
80 = skip database recovery.
Details: Specifies how setup recovers the site database in SQL Server. This key is required when the
ServerRecoveryOptions setting has a value of 1 or 4.
Key name: ReferenceSite
Required: Maybe
Values: <ReferenceSiteFQDN>
Details: Specifies the reference primary site. If the database backup is older than the change tracking
retention period, or you recover the site without a backup, the central administration site uses the
reference site to recover global data.
When you do not specify a reference site, and the backup is older than the change tracking retention
period, all primary sites are reinitialized with the restored data from the central administration site.
When you do not specify a reference site, and the backup is within the change tracking retention
period, only changes since the backup are replicated from primary sites. When there are conflicting
changes from different primary sites, the central administration site uses the first one that it receives.
This key is required when the DatabaseRecoveryOptions setting has a value of 40.
Key name: SiteServerBackupLocation
Required: No
Values: <PathToSiteServerBackupSet>
Details: Specifies the path to the site server backup set. This key is optional when the
ServerRecoveryOptions setting has a value of 1 or 2. Specify a value for the
SiteServerBackupLocation key to recover the site by using a site backup. If you do not specify a value,
the site is reinstalled without restoring it from a backup set.
Key name: BackupLocation
Required: Maybe
Values: <PathToSiteDatabaseBackupSet>
Details: Specifies the path to the site database backup set. The BackupLocation key is required when
you configure a value of 1 or 4 for the ServerRecoveryOptions key, and configure a value of 10 for the
DatabaseRecoveryOptions key.
Options
Key name: ProductID
Required: Yes
Values:
xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
Eval
Details: The Configuration Manager installation product key, including the dashes. Enter Eval to install
the evaluation version of Configuration Manager.
Key name: SiteCode
Required: Yes
Values: <Site code>
Details: Three alpha-numeric characters that uniquely identify the site in your hierarchy. Specify the site
code that was used by the site before the failure.
Key name: SiteName
Required: Yes
Values: SiteName
Details: Description for this site.
Key name: SMSInstallDir
Required: Yes
Values: <ConfigMgrInstallationPath>
Details: Specifies the installation folder for the Configuration Manager program files.
NOTE
You can specify the original path or a new path to use for the Configuration Manager installation.
Key name: SDKServer
Required: Yes
Values: <FQDN of SMS Provider>
Details: Specifies the FQDN for the server that hosts the SMS Provider. Specify the server that
hosted the SMS Provider before the failure.
You can configure additional SMS Providers for the site after the initial installation.
Key name: PrerequisiteComp
Required: Yes
Values: 0 or 1
0 = download
1 = already downloaded
Details: Specifies whether setup prerequisite files have already been downloaded. For example, if you
use a value of 0, setup downloads the files.
Key name: PrerequisitePath
Required: Yes
Values: <PathToSetupPrerequisiteFiles>
Details: Specifies the path to the setup prerequisite files. Depending on the PrerequisiteComp value,
setup uses this path to store downloaded files or to locate previously downloaded files.
Key name: AdminConsole
Required: Maybe
Values: 0 or 1
0 = do not install
1 = install
Details: Specifies whether to install the Configuration Manager console. This key is required except
when the ServerRecoveryOptions setting has a value of 4.
Key name: JoinCEIP

NOTE
Starting in Configuration Manager version 1802 the CEIP feature is removed from the product.

Required: Yes
Values: 0 or 1
0 = do not join
1 = join
Details: Specifies whether to join the Customer Experience Improvement Program.
SQLConfigOptions
Key name: SQLServerName
Required: Yes
Values: <SQLServerName>
Details: The name of the server, or clustered instance name, running SQL Server that hosts the site
database. Specify the same server that hosted the site database before the failure.
Key name: DatabaseName
Required: Yes
Values: <SiteDatabaseName> or <InstanceName>\<SiteDatabaseName>
Details: The name of the SQL Server database to create or use to install the central administration
site database. Specify the same database name that was used before the failure.

IMPORTANT
If you do not use the default instance, you must specify the instance name and site database name.

Key name: SQLSSBPort
Required: No
Values: <SSBPortNumber>
Details: Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB is
configured to use TCP port 4022, but other ports are supported. Specify the same SSB port that was
used before the failure.

Recover a Primary Site Unattended


Use the following information to configure an unattended setup script file to recover a primary site.
Identification
Key name: Action
Required: Yes
Values: RecoverPrimarySite
Details: Recovers a primary site
Key name: CDLatest
Required: Yes – Only when using media from the CD.Latest folder.
Values: 1 Any value other than 1 is considered to not be using CD.Latest.
Details: Your script must include this key and value when you run setup from media in a CD.Latest
folder for the purpose of installing a primary or central administration site, or recovering a primary or
central administration site. This value informs setup that media from CD.Latest is being used.
RecoveryOptions
Key name: ServerRecoveryOptions
Required: Yes
Values: 1, 2, or 4
1 = Recover site server and SQL Server.
2 = Recover site server only.
4 = Recover SQL Server only.
Details: Specifies whether setup recovers the site server, SQL Server, or both. The associated keys
are required when you set the following value for the ServerRecoveryOptions setting:
Value = 1 You have the option to specify a value for the SiteServerBackupLocation key to
recover the site by using a site backup. If you do not specify a value, the site is reinstalled
without restoring it from a backup set.
The BackupLocation key is required when you configure a value of 10 for the
DatabaseRecoveryOptions key, which is to restore the site database from backup.
Value = 2 You have the option to specify a value for the SiteServerBackupLocation key to
recover the site by using a site backup. If you do not specify a value, the site is reinstalled
without restoring it from a backup set.
Value = 4 The BackupLocation key is required when you configure a value of 10 for the
DatabaseRecoveryOptions key, which is to restore the site database from backup.
Key name: DatabaseRecoveryOptions
Required: Maybe
Values:
10 = Restore the site database from backup.
20 = Use a site database that has been manually recovered by using another method.
40 = Create a new database for the site. Use this option when there is no site database backup
available. Global and site data is recovered through replication from other sites.
80 = skip database recovery.
Details: Specifies how setup recovers the site database in SQL Server. This key is required when the
ServerRecoveryOptions setting has a value of 1 or 4.
Key name: SiteServerBackupLocation
Required: No
Values: <PathToSiteServerBackupSet>
Details: Specifies the path to the site server backup set. This key is optional when the
ServerRecoveryOptions setting has a value of 1 or 2. Specify a value for the
SiteServerBackupLocation key to recover the site by using a site backup. If you do not specify a value,
the site is reinstalled without restoring it from a backup set.
Key name: BackupLocation
Required: Maybe
Values: <PathToSiteDatabaseBackupSet>
Details: Specifies the path to the site database backup set. The BackupLocation key is required when
you configure a value of 1 or 4 for the ServerRecoveryOptions key, and configure a value of 10 for the
DatabaseRecoveryOptions key.
Options
Key name: ProductID
Required: Yes
Values:
xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
Eval
Details: The Configuration Manager installation product key, including the dashes. Enter Eval to install
the evaluation version of Configuration Manager.
Key name: SiteCode
Required: Yes
Values: <Site code>
Details: Three alpha-numeric characters that uniquely identify the site in your hierarchy. Specify the site
code that was used by the site before the failure.
Key name: SiteName
Required: Yes
Values: SiteName
Details: Description for this site.
Key name: SMSInstallDir
Required: Yes
Values: <ConfigMgrInstallationPath>
Details: Specifies the installation folder for the Configuration Manager program files.

NOTE
You can specify the original path or a new path to use for the Configuration Manager installation.

Key name: SDKServer
Required: Yes
Values: <FQDN of SMS Provider>
Details: Specifies the FQDN for the server that hosts the SMS Provider. Specify the server that
hosted the SMS Provider before the failure.
You can configure additional SMS Providers for the site after the initial installation.
Key name: PrerequisiteComp
Required: Yes
Values: 0 or 1
0 = download
1 = already downloaded
Details: Specifies whether setup prerequisite files have already been downloaded. For example, if you
use a value of 0, setup downloads the files.
Key name: PrerequisitePath
Required: Yes
Values: <PathToSetupPrerequisiteFiles>
Details: Specifies the path to the setup prerequisite files. Depending on the PrerequisiteComp value,
setup uses this path to store downloaded files or to locate previously downloaded files.
Key name: AdminConsole
Required: Maybe
Values: 0 or 1
0 = do not install
1 = install
Details: Specifies whether to install the Configuration Manager console. This key is required except
when the ServerRecoveryOptions setting has a value of 4.
Key name: JoinCEIP

NOTE
Starting in Configuration Manager version 1802 the CEIP feature is removed from the product.

Required: Yes
Values: 0 or 1
0 = do not join
1 = join
Details: Specifies whether to join the Customer Experience Improvement Program.
SQLConfigOptions
Key name: SQLServerName
Required: Yes
Values: <SQLServerName>
Details: The name of the server, or clustered instance name, running SQL Server that hosts the site
database. Specify the same server that hosted the site database before the failure.
Key name: DatabaseName
Required: Yes
Values: <SiteDatabaseName> or <InstanceName>\<SiteDatabaseName>
Details: The name of the SQL Server database to create or use to install the central administration
site database. Specify the same database name that was used before the failure.
IMPORTANT
If you do not use the default instance, you must specify the instance name and site database name.

Key name: SQLSSBPort
Required: No
Values: <SSBPortNumber>
Details: Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB is
configured to use TCP port 4022, but other ports are supported. Specify the same SSB port that was
used before the failure.
HierarchyExpansionOption
Key name: CCARSiteServer
Required: Maybe
Values: <SiteCodeForCentralAdministrationSite>
Details: Specifies the central administration site that a primary site attaches to when it joins the
Configuration Manager hierarchy. This setting is required if the primary site was attached to a central
administration site before the failure. Specify the site code that was used for the central administration
site before the failure.
Key name: CASRetryInterval
Required: No
Values: <Interval>
Details: Specifies the retry interval (in minutes) to attempt a connection to the central administration site
after the connection fails. For example, if the connection to the central administration site fails, the
primary site waits the number of minutes that you specify for CASRetryInterval, and then reattempts the
connection.
Key name: WaitForCASTimeout
Required: No
Values: <Timeout>
Details: Specifies the maximum timeout value (in minutes) for a primary site to connect to the central
administration site. For example, if a primary site fails to connect to a central administration site, the
primary site retries the connection to the central administration site based on the CASRetryInterval until
the WaitForCASTimeout period is reached. You can specify a value of 0 to 100.
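The key tables for the central administration site and the primary site above carry several cross-key rules (DatabaseRecoveryOptions is required only when SQL Server is recovered, BackupLocation only for value 10, ReferenceSite only for a CAS with value 40, AdminConsole unless only SQL Server is recovered). As an added example that is neither Microsoft's code nor part of the original documentation, this PowerShell function (name, parameter names and all placeholder paths, server names and site codes are assumptions) writes an unattended recovery .ini for either site type and refuses to write it when those rules are violated.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Builds an unattended recovery .ini from the key tables above (central
# administration site or primary site) and checks the rules those tables state
# before writing the file. Function and parameter names are assumed; every
# path, server name and site code in the usage lines is a placeholder.
function New-CMUnattendedRecoveryScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('RecoverCCAR', 'RecoverPrimarySite')][string]$Action,
        [Parameter(Mandatory)][ValidateSet(1, 2, 4)][int]$ServerRecoveryOptions,
        [ValidateSet(10, 20, 40, 80)][int]$DatabaseRecoveryOptions,
        [string]$SiteServerBackupLocation,
        [string]$BackupLocation,
        [string]$ReferenceSite,     # RecoverCCAR only: FQDN of the reference primary site
        [string]$CCARSiteServer,    # RecoverPrimarySite only: site code of the CAS
        [Parameter(Mandatory)][hashtable]$Options,           # [Options] section keys
        [Parameter(Mandatory)][hashtable]$SQLConfigOptions,  # [SQLConfigOptions] section keys
        [switch]$CDLatest,          # set when setup runs from a copied CD.Latest folder
        [Parameter(Mandatory)][string]$Path
    )

    $problems    = @()
    $recoversSql = $ServerRecoveryOptions -in 1, 4
    $hasDbOption = $PSBoundParameters.ContainsKey('DatabaseRecoveryOptions')

    # DatabaseRecoveryOptions is required whenever SQL Server is being recovered.
    if ($recoversSql -and -not $hasDbOption) {
        $problems += 'DatabaseRecoveryOptions is required when ServerRecoveryOptions is 1 or 4.'
    }
    # Restoring the database from backup (10) needs the backup set path.
    if ($recoversSql -and $DatabaseRecoveryOptions -eq 10 -and -not $BackupLocation) {
        $problems += 'BackupLocation is required when DatabaseRecoveryOptions is 10.'
    }
    # A CAS rebuilt with a new database (40) needs a reference primary site for global data.
    if ($Action -eq 'RecoverCCAR' -and $DatabaseRecoveryOptions -eq 40 -and -not $ReferenceSite) {
        $problems += 'ReferenceSite is required when DatabaseRecoveryOptions is 40.'
    }
    # AdminConsole is required unless only SQL Server is recovered.
    if ($ServerRecoveryOptions -ne 4 -and -not $Options.ContainsKey('AdminConsole')) {
        $problems += 'Options.AdminConsole is required unless ServerRecoveryOptions is 4.'
    }
    foreach ($key in 'ProductID', 'SiteCode', 'SiteName', 'SMSInstallDir', 'SDKServer',
                     'PrerequisiteComp', 'PrerequisitePath', 'JoinCEIP') {
        if (-not $Options.ContainsKey($key)) { $problems += "Options.$key is required." }
    }
    foreach ($key in 'SQLServerName', 'DatabaseName') {
        if (-not $SQLConfigOptions.ContainsKey($key)) { $problems += "SQLConfigOptions.$key is required." }
    }
    if ($Options.SiteCode -and $Options.SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        $problems += 'SiteCode must be exactly three alphanumeric characters.'
    }
    if ($Options.ProductID -and $Options.ProductID -notmatch '^(Eval|([A-Za-z0-9]{5}-){4}[A-Za-z0-9]{5})$') {
        $problems += 'ProductID must be Eval or a 25-character key including the dashes.'
    }
    if ($problems) { throw ("Unattended script not written:`n" + ($problems -join "`n")) }

    $identification = [ordered]@{ Action = $Action }
    if ($CDLatest) { $identification['CDLatest'] = 1 }

    $recovery = [ordered]@{ ServerRecoveryOptions = $ServerRecoveryOptions }
    if ($hasDbOption)              { $recovery['DatabaseRecoveryOptions']  = $DatabaseRecoveryOptions }
    if ($SiteServerBackupLocation) { $recovery['SiteServerBackupLocation'] = $SiteServerBackupLocation }
    if ($BackupLocation)           { $recovery['BackupLocation']           = $BackupLocation }
    if ($ReferenceSite)            { $recovery['ReferenceSite']            = $ReferenceSite }

    $sections = [ordered]@{
        Identification   = $identification
        RecoveryOptions  = $recovery
        Options          = $Options
        SQLConfigOptions = $SQLConfigOptions
    }
    if ($Action -eq 'RecoverPrimarySite' -and $CCARSiteServer) {
        $sections['HierarchyExpansionOption'] = [ordered]@{ CCARSiteServer = $CCARSiteServer }
    }

    # Key=value lines under [Section] headers; key order within a section is not significant.
    $lines = foreach ($name in $sections.Keys) {
        "[$name]"
        foreach ($key in $sections[$name].Keys) { "$key=$($sections[$name][$key])" }
        ''
    }
    Set-Content -Path $Path -Value $lines -Encoding Ascii
    return $Path
}

# Usage with placeholder values: recover a primary site server and its database from backup.
$ini = New-CMUnattendedRecoveryScript -Action RecoverPrimarySite -ServerRecoveryOptions 1 `
    -DatabaseRecoveryOptions 10 -SiteServerBackupLocation '\\BACKUP01\CMBackup\PS1Backup' `
    -BackupLocation '\\BACKUP01\CMBackup\PS1Backup' -CCARSiteServer 'CAS' -CDLatest `
    -Options @{ ProductID = 'Eval'; SiteCode = 'PS1'; SiteName = 'Primary site 1'
                SMSInstallDir = 'C:\Program Files\Microsoft Configuration Manager'
                SDKServer = 'ps1.contoso.local'; PrerequisiteComp = 1
                PrerequisitePath = 'C:\Temp\CMPrereqs'; AdminConsole = 1; JoinCEIP = 0 } `
    -SQLConfigOptions @{ SQLServerName = 'ps1.contoso.local'; DatabaseName = 'CM_PS1'; SQLSSBPort = 4022 } `
    -Path 'C:\Temp\ConfigMgrUnattend.ini'
# Then, from an elevated prompt in the copied CD.Latest folder: setup /script $ini
```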
High availability options for System Center
Configuration Manager
4/30/2018 • 13 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can deploy System Center Configuration Manager using options that maintain a high level of available service.
Options that support high availability:
Sites support multiple instances of site system servers that provide important services to clients.
Central administration sites and primary sites support the backup of the site database. The site database
contains all the configurations for sites and clients, and it is shared between sites in a hierarchy that contain
a central administration site.
Built-in site recovery options can reduce server downtime and include advanced options that simplify
recovery when you have a hierarchy with a central administration site.
Clients can automatically remediate typical issues without administrative intervention.
Sites generate alerts about clients that fail to submit recent data, which alerts administrators to potential
problems.
Configuration Manager provides several built-in reports that enable you to identify problems and trends
before they become problems for server or client operations.
Configuration Manager does not provide a real-time service and you must expect it to operate with some
data latency. Therefore, it is unusual for most scenarios that involve a temporary interruption of service to
become a critical problem. When you have configured your sites and hierarchies with high availability in
mind, downtime can be minimized, autonomy of operations maintained, and a high level of service
provided.
For example, Configuration Manager clients typically operate autonomously by using known schedules and
configurations for operations, and schedules to submit data to the site for processing.
When clients cannot contact the site, they cache data to be submitted until they can contact the site.
Clients that cannot contact the site continue to operate by using the last known schedules and cached
information, such as a previously downloaded application that they must run or install, until they can contact
the site and receive new policies.
The site monitors its site systems and clients for periodic status updates, and can generate alerts when these
fail to register.
Built-in reports provide insight to ongoing operations as well as historical operations and trends.
Configuration Manager also supports state-based messages that provide near real-time information for
ongoing operations.
Use the information in this topic with the information in the following articles:
Recommended hardware
Supported operating systems for site system servers
Site and site system prerequisites
High availability for sites and hierarchies
Use a SQL Server cluster to host the site database:
When you use a SQL Server cluster for the database at a central administration site or primary site, you use the
fail-over support built into SQL Server.
Secondary sites cannot use a SQL Server cluster, and do not support backup or restoration of their site database.
Recover a secondary site by reinstalling the secondary site from its parent primary site.
Use a SQL Server AlwaysOn availability group to host the site database:
Beginning with version 1602, you can use SQL Server AlwaysOn availability groups to host the site database at
primary sites and the central administration site as a high-availability and disaster-recovery solution. For more
information, see SQL Server AlwaysOn for a highly available site database for System Center Configuration
Manager.
Deploy a hierarchy of sites with a central administration site, and one or more child primary sites:
This configuration can provide fault tolerance when your sites manage overlapping segments of your network. In
addition, this configuration offers an additional recovery option to use the information in the shared database
available at another site, to rebuild the site database at the recovered site. You can use this option to replace a failed
or unavailable backup of the failed site's database.
Create regular backups at central administration sites and primary sites:
When you create and test a regular site backup, you can ensure that you have the data necessary to recover a site,
and the experience to recover a site in the minimal amount of time.
Install multiple instances of site system roles:
When you install multiple instances of critical site system roles such as the management point and distribution
point, you provide redundant points of contact for clients in the event that a specific site system server is off-line.
Install multiple instances of the SMS Provider at a site: The SMS Provider provides the point of
administrative contact for one or more Configuration Manager consoles. When you install multiple SMS Providers,
you can provide redundancy for contact points to administer your site and hierarchy.

High availability for site system roles


At each site, you deploy site system roles to provide the services that you want clients to use at that site. The site
database contains the configuration information for the site and for all clients. Use one or more of the available
options to provide for high availability of the site database, and the recovery of the site and site database if needed.
Redundancy for important site system roles:
Application Catalog web service point
Application Catalog website point
Distribution point
Management point
Software update point
State migration point
You can install multiple instances of the Reporting services point role to provide redundancy for reporting on
sites and clients.
You can use PowerShell to install the Software update point site system role on a Windows Network Load
Balancing (NLB) cluster to provide failover support.
Built-in site backup:
Configuration Manager includes a built-in backup task to help you back up your site and critical information on a
regular schedule. Additionally, the Configuration Manager Setup wizard supports site restoration actions to help
you restore a site to operations.
Publishing to Active Directory Domain Services and DNS:
You can configure each site to publish data about site system servers and services to Active Directory Domain
Services and to DNS. This enables clients to identify the most accessible server on the network, and to identify
when new site system servers that can provide important services, such as management points, are available.
SMS Provider and Configuration Manager console:
Configuration Manager supports installing multiple SMS Providers, each on a separate computer, to ensure
multiple access points for the Configuration Manager console. This ensures that if one SMS Provider computer is
offline, you maintain the ability to view and reconfigure Configuration Manager sites and clients.
When a Configuration Manager console connects to a site, it connects to an instance of the SMS Provider at that
site. The instance of the SMS Provider is selected nondeterministically. If the selected SMS Provider is not
available, you have the following options:
Reconnect the console to the site. Each new connection request is nondeterministically assigned an instance
of the SMS Provider and it is possible that the new connection will be assigned an available instance.
Connect the console to a different Configuration Manager site and manage the configuration from that
connection. This introduces a slight delay of configuration changes of no more than a few minutes. After the
SMS Provider for the site is on-line, you can reconnect your Configuration Manager console directly to the
site that you want to manage.
You can install the Configuration Manager console on multiple computers for use by administrative users.
Each SMS Provider supports connections from multiple Configuration Manager consoles.
Management point:
Install multiple management points at each primary site, and enable the sites to publish site data to your
Active Directory infrastructure, and to DNS.
Multiple management points help to load-balance the use of any single management point by multiple
clients. In addition, you can install one or more database replicas for management points to decrease the
CPU-intensive operations of the management point, and to increase the availability of this critical site
system role.
Because you can install only one management point in a secondary site, which must be located on the
secondary site server, management points at secondary sites are not considered to have a highly available
configuration.
NOTE
Devices managed by on-premises mobile device management connect to only one management point at a primary site. The
management point is assigned by Configuration Manager to the mobile device during enrollment and then does not change.
When you install multiple management points and enable more than one for mobile devices, the management point that is
assigned to a mobile device client is non-deterministic.
If the management point that a mobile device client uses becomes unavailable, you must resolve the problem with that
management point or wipe the mobile device and re-enroll the mobile device so that it can be assigned to an operational
management point that is enabled for mobile devices.

Distribution point:
Install multiple distribution points, and deploy content to multiple distribution points. You can configure
overlapping boundary groups for content location to ensure that clients on each subnet can access a deployment
from two or more distribution points. Finally, consider configuring one or more distribution points as fallback
locations for content.
For more information about fallback locations for content, see Manage content and content infrastructure for
System Center Configuration Manager.
Application Catalog web service point and Application Catalog website point:
You can install multiple instances of each site system role, and for best performance, deploy one of each on the
same site system computer.
Each Application Catalog site system role provides the same information as other instances of that site system role
regardless of the location of this site server role in the hierarchy. Therefore, when a client makes a request for the
Application Catalog and you have configured the Default Application Catalog website point device client setting for
Automatically detect, the client can be directed to an available instance. Preference is given to local Application
Catalog site system servers, based on the current network location of the client.
For more information about this client setting and how automatic detection works, see the Computer Agent section
in the About client settings in System Center Configuration Manager topic.

High availability for clients


Client operations are autonomous:
Configuration Manager client autonomy includes the following:
Clients do not require continuous contact with any specific site system servers. They use known
configurations to perform preconfigured actions on a schedule.
Clients can use any available instance of a site system role that provides services to clients, and they will
attempt to contact known servers until an available server is located.
Clients can run inventory, software deployments, and similar scheduled actions independent of direct
contact with site system servers.
Clients that are configured to use a fallback status point can submit details to the fallback status point when
they cannot communicate with a management point.
Clients can repair themselves:
Clients automatically remediate most typical issues without direct administrative intervention:
Periodically, clients self-evaluate their status and take action to remediate typical problems by using a local
cache of remediation steps and source files for repairs.
When a client fails to submit status information to its site, the site can generate an alert. Administrative
users that receive these alerts can take immediate action to restore the normal operation of the client.
Clients cache information to use in the future:
When a client communicates with a management point, the client can obtain and cache the following
information:
Client settings.
Client schedules.
Information about software deployments and a download of the software the client is scheduled to install,
when the deployment is configured for this action.
When clients cannot contact a management point, they locally cache the status, state, and client
information they report to the site, and transfer this data after they establish contact with a management
point.
Client can submit status to a fallback status point:
When you configure a client to use a fallback status point, you provide an additional point of contact for the
client to submit important details about its operation. Clients that are configured to use a fallback status
point continue to send status about their operations to that site system role even when the client cannot
communicate with a management point.
Central management of client data and client identity:
The site database, rather than the individual client, retains important information about each client’s identity,
and associates that data to a specific computer, or user. This means:
The client source files on a computer can be uninstalled and reinstalled without affecting the historical
records for the computer where the client is installed.
Failure of a client computer does not affect the integrity of the information that is stored in the database.
This information can remain available for reporting.

Options for sites and site system roles that are not highly available
Several site systems do not support multiple instances at a site or in the hierarchy. This information can help you
prepare for these site systems going off-line.
Site server (site):
Configuration Manager does not support the installation of the site server for each site on a Windows Server
cluster or NLB cluster.
The following information can help you prepare for when a site server fails or is not operational:
Use the built-in backup task to regularly create a backup of the site. In a test environment, regularly practice
restoring sites from a backup.
Deploy multiple Configuration Manager primary sites in a hierarchy with a central administration site to
create redundancy. If you experience a site failure, consider using Windows group policy or logon scripts to
reassign clients to a functional site.
If you have a hierarchy with a central administration site, you can recover the central administration site or a
child primary site by using the option to recover a site database from another site in your hierarchy.
Secondary sites cannot be restored, and must be reinstalled.
Asset Intelligence synchronization point (hierarchy):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server.
Endpoint Protection point (hierarchy):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server.
Enrollment point (site):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server.
Enrollment proxy point (site):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. However, you can install multiple instances of this site system role at a site, and at multiple sites in
the hierarchy. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server.
When you have more than one enrollment proxy server in a site, use a DNS alias for the server name. When
you use this configuration, DNS round robin provides some fault tolerance and load balancing for when
users enroll their mobile devices.
Fallback status point (site or hierarchy):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server. Because clients are assigned
the fallback status point during client installation, you will need to modify existing clients to use the new site
system server.
See also
Supported configurations for System Center Configuration Manager
Settings to manage high-risk deployments for System Center Configuration Manager
4/30/2018 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


With System Center Configuration Manager you can configure site settings that will warn admins if they create a
high-risk task sequence deployment. A high-risk deployment is:
A deployment that is automatically installed
Has the potential to cause unwanted results
For example, a task sequence that has a purpose of Required that deploys an operating system is
considered high-risk.
To reduce the risk of an unwanted high-risk deployment, you can configure size limits in these deployment
verification settings:
Collection size limits: Hide collections that contain more clients than your limit when you create a
deployment.
Default size: This setting hides collections, by default, with more clients than your limit when you
create a deployment. You can still see these collections when creating the deployment, but they are
hidden by default. The default value is 100. Enter a value of 0 to ignore this setting.
Maximum size: This setting always hides collections with more clients than your limit when you
create a deployment. The default value is 0, which ignores this setting. The Maximum size value
must be greater than the Default size value.
For example, you set Default size to 100 and the Maximum size to 1000. When you create a high-risk
deployment, the Select Collection window will only display collections that contain fewer than
100 clients. If you clear the Hide collections with a member count greater than the site’s
minimum size configuration setting, the window will display collections that contain fewer than
1000 clients.
Collections with site system servers: Block deployments, or require verification before creating the
deployment, when the target collection contains a computer with a site system role. When a deployment is
blocked, you must select a different collection that meets the deployment verification criteria.

NOTE
High-risk deployments are always limited to custom collections, collections that you create, and the built-in Unknown
Computers collection. When you create a high-risk deployment, you cannot select a built-in collection such as All Systems.

To configure deployment verification for a site


1. In the Configuration Manager console, choose Administration > Site Configuration > Sites, and then
select the primary site to configure.
2. On the Home tab, in the Properties group, choose Properties, and then choose the Deployment
Verification tab.
3. After setting configurations you want to use, choose OK to save the configuration.
See also
Configure sites and hierarchies for System Center Configuration Manager
Prerequisites for certificate profiles in System Center Configuration Manager
4/30/2018 • 5 min to read

Applies to: System Center Configuration Manager (Current Branch)


Certificate profiles in System Center Configuration Manager have external dependencies and dependencies in the
product.

Dependencies External to Configuration Manager


Dependency: An enterprise issuing certification authority (CA) that is running Active Directory Certificate Services (AD CS). To revoke certificates the computer account of the site server at the top of the hierarchy requires Issue and Manage Certificates rights for each certificate template used by a certificate profile in Configuration Manager. Alternatively, grant Certificate Manager permissions to grant permissions on all certificate templates used by that CA.
More information: For more information about Active Directory Certificate Services, see your Windows Server documentation. For Windows Server 2012: Active Directory Certificate Services Overview. For Windows Server 2008: Active Directory Certificate Services in Windows Server 2008. Manager approval for certificate requests is supported. However, the certificate templates that are used to issue certificates must be configured for Supply in the request for the certificate subject so that System Center Configuration Manager can automatically supply this value.

Dependency: Use the PowerShell script to verify, and if needed, install the prerequisites for the Network Device Enrollment Service (NDES) role service and the Configuration Manager Certificate Registration Point.
More information: The instruction file, readme_crp.txt, is located in ConfigMgrInstallDir\cd.latest\SMSSETUP\POLICYMODULE\X64. The PowerShell script, Test-NDES-CRP-Prereqs.ps1, is in the same directory as the instructions. The PowerShell script must be run locally on the NDES server.

Dependency: The Network Device Enrollment Service (NDES) role service for Active Directory Certificate Services, running on Windows Server 2012 R2. In addition:
Port numbers other than TCP 443 (for HTTPS) or TCP 80 (for HTTP) are not supported for the communication between the client and the Network Device Enrollment Service.
The server that is running the Network Device Enrollment Service must be on a different server from the issuing CA.
If you have a firewall between the server that is running the Network Device Enrollment Service and the issuing CA, you must configure the firewall to allow the communication traffic (DCOM) between the two servers. This firewall requirement also applies to the server running the System Center Configuration Manager site server and the issuing CA, so that System Center Configuration Manager can revoke certificates.
If the Network Device Enrollment Service is configured to require SSL, a security best practice is to make sure that connecting devices can access the certificate revocation list (CRL) to validate the server certificate.
For more information about the Network Device Enrollment Service in Windows Server 2012 R2, see Using a Policy Module with the Network Device Enrollment Service.
More information: System Center Configuration Manager communicates with the Network Device Enrollment Service in Windows Server 2012 R2 to generate and verify Simple Certificate Enrollment Protocol (SCEP) requests. If you will issue certificates to users or devices that connect from the Internet, such as mobile devices that are managed by Microsoft Intune, those devices must be able to access the server that runs the Network Device Enrollment Service from the Internet. For example, install the server in a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet).

Dependency: If the issuing CA runs Windows Server 2008 R2, this server requires a hotfix for SCEP renewal requests.
More information: If the hotfix is not already installed on the issuing CA computer, install the hotfix. For more information, see article 2483564: Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES in the Microsoft Knowledge Base.

Dependency: A PKI client authentication certificate and exported root CA certificate.
More information: This certificate authenticates the server that is running the Network Device Enrollment Service to System Center Configuration Manager. For more information, see PKI certificate requirements for System Center Configuration Manager.

Dependency: Supported device operating systems.
More information: You can deploy certificate profiles to devices that run iOS, Windows 8.1, Windows RT 8.1, Windows 10, and Android operating systems.

Configuration Manager Dependencies


Dependency: Certificate registration point site system role
More information: Before you can use certificate profiles, you must install the certificate registration point site system role. This role communicates with the System Center Configuration Manager database, the System Center Configuration Manager site server, and the System Center Configuration Manager Policy Module. For more information about system requirements for this site system role and where to install the role in the hierarchy, see the Site System Requirements section in the Supported configurations for System Center Configuration Manager article. The certificate registration point must not be installed on the same server that runs the Network Device Enrollment Service.

Dependency: System Center Configuration Manager Policy Module that is installed on the server that is running the Network Device Enrollment Service role service for Active Directory Certificate Services
More information: To deploy certificate profiles, you must install the System Center Configuration Manager Policy Module. You can find this policy module on the System Center Configuration Manager installation media.

Dependency: Discovery data
More information: Values for the certificate subject and the subject alternative name are supplied by System Center Configuration Manager and retrieved from information that is collected from discovery:
For user certificates: Active Directory User Discovery
For computer certificates: Active Directory System Discovery and Network Discovery

Dependency: Specific security permissions to manage certificate profiles
More information: You must have the following security permissions to manage company resource access settings, such as certificate profiles, Wi-Fi profiles, and VPN profiles:
To view and manage alerts and reports for certificate profiles: Create, Delete, Modify, Modify Report, Read, and Run Report for the Alerts object.
To create and manage certificate profiles: Author Policy, Modify Report, Read, and Run Report for the Certificate Profile object.
To manage Wi-Fi, certificate and VPN profile deployments: Deploy Configuration Policies, Modify Client Status Alert, Read, and Read Resource for the Collection object.
To manage all configuration policies: Create, Delete, Modify, Read, and Set Security Scope for the Configuration Policy object.
To run queries related to certificate profiles: Read permission for the Query object.
To view certificate profiles information in the System Center Configuration Manager console: Read permission for the Site object.
To view status messages for certificate profiles: Read permission for the Status Messages object.
To create and modify the Trusted CA certificate profile: Author Policy, Modify Report, Read, and Run Report for the Trusted CA Certificate Profile object.
To create and manage VPN profiles: Author Policy, Modify Report, Read, and Run Report for the VPN Profile object.
To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read, and Run Report for the Wi-Fi Profile object.
The Company Resource Access Manager security role includes these permissions that are required to manage certificate profiles in System Center Configuration Manager. For more information, see the Configure role-based administration section in the Configure security in System Center Configuration Manager article.
Planning for certificate template permissions for certificate profiles in System Center Configuration Manager
4/30/2018 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)


The following information can help you plan for how to configure permissions for the certificate templates that
System Center Configuration Manager uses when you deploy certificate profiles.

Default Security Permissions and Considerations


The default security permissions that are required for the certificate templates that System Center Configuration
Manager will use to request certificates for users and devices are as follows:
Read and Enroll for the account that the Network Device Enrollment Service application pool uses
Read for the account that runs the System Center Configuration Manager console
For more information about these security permissions, see Configuring certificate infrastructure.
When you use this default configuration, users and devices cannot directly request certificates from the
certificate templates and all requests must be initiated by the Network Device Enrollment Service. This is an
important restriction, because these certificate templates must be configured with Supply in the request
for the certificate Subject, which means that there is a risk of impersonation if a rogue user or a
compromised device requests a certificate. In the default configuration, the Network Device Enrollment
Service must initiate such a request. However, this risk of impersonation remains if the service that runs the
Network Device Enrollment Service is compromised. To help avoid this risk, follow all security best
practices for the Network Device Enrollment Service and the computer that runs this role service.
If the default security permissions do not fulfill your business requirements, you have another option for
configuring the security permissions on the certificate templates: You can add Read and Enroll permissions
for users and computers.

Adding Read and Enroll Permissions for Users and Computers


Adding Read and Enroll permissions for users and computers might be appropriate if a separate team manages
your certification authority (CA) infrastructure, and that team wants System Center Configuration Manager to
verify that users have a valid Active Directory Domain Services account before sending them a certificate profile
to request a user certificate. For this configuration, you must specify one or more security groups that contain
the users, and then grant those groups Read and Enroll permissions on the certificate templates. In this scenario,
the CA administrator manages the security control.
You can similarly specify one or more security groups that contain computer accounts and grant these groups
Read and Enroll permissions on the certificate templates. If you deploy a computer certificate profile to a computer
that is a domain member, the computer account of that computer must be granted Read and Enroll permissions.
These permissions are not required if the computer is not a domain member—for example, if it is a workgroup
computer or personal mobile device.
Although this configuration uses an additional security control, we do not recommend it as a best practice. The
reason is that the specified users or owners of the devices might request certificates independently from System
Center Configuration Manager and supply values for the certificate Subject that might be used to impersonate
another user or device.
In addition, if you specify accounts that cannot be authenticated at the time that the certificate request occurs, the
certificate request will fail by default. For example, the certificate request will fail if the server that is running the
Network Device Enrollment Service is in an Active Directory forest that is untrusted by the forest that contains the
certificate registration point site system server. You can configure the certificate registration point to continue if an
account cannot be authenticated because there is no response from a domain controller. However, this is not a
security best practice.
Note that if the certificate registration point is configured to check for account permissions and a domain
controller is available and rejects the authentication request (for example, the account is locked out or has been
deleted), the certificate enrollment request will fail.
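The two properties the preceding sections turn on, Supply in the request on the template and who holds Enroll on it, can be audited from Active Directory. The following PowerShell is an added example and not code from the Configuration Manager documentation: it assumes the ActiveDirectory module, uses attribute names and flag values from the Windows PKI schema (not stated in this article), and the template and NDES account names are hypothetical placeholders.

```powershell
# Added example (not part of the Configuration Manager documentation): audit the
# certificate templates a certificate profile uses for "Supply in the request",
# manager approval, and which principals hold Enroll. Needs the ActiveDirectory
# module and read access to the Configuration naming context.
Import-Module ActiveDirectory

# Windows PKI schema constants (assumption: taken from the PKI schema, not from this article).
# msPKI-Certificate-Name-Flag bit 0x1 = "Supply in the request" (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit 0x2 = "CA certificate manager approval" (CT_FLAG_PEND_ALL_REQUESTS)
$CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# Extended-right GUID for Enroll on a certificate template object
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplatePrincipalsWithEnroll {
    # Returns the account names that hold Enroll on a template, whether granted
    # directly, through "all extended rights" (empty ObjectType), or through GenericAll.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $Acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            (($_.ActiveDirectoryRights -band $extendedRight) -and
             ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty)) -or
            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-ProfileTemplateAudit {
    param(
        # Templates referenced by your certificate profiles (hypothetical names; cn or displayName)
        [string[]]$TemplateName = @('ConfigMgr User Authentication', 'ConfigMgr Device Authentication'),
        # In the default configuration described above only the NDES application pool
        # account needs Enroll (hypothetical account name)
        [string[]]$ExpectedEnrollPrincipal = @('CONTOSO\svc-ndes-apppool')
    )
    $templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
                   (Get-ADRootDSE).configurationNamingContext
    foreach ($name in $TemplateName) {
        $t = Get-ADObject -SearchBase $templatesDn -LDAPFilter "(|(cn=$name)(displayName=$name))" `
                -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','nTSecurityDescriptor'
        if (-not $t) { Write-Warning "Template '$name' not found in Active Directory"; continue }

        $supplyInRequest = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        $enrollers       = @(Get-TemplatePrincipalsWithEnroll -Acl $t.nTSecurityDescriptor)
        $unexpected      = @($enrollers | Where-Object { $ExpectedEnrollPrincipal -notcontains $_ })

        [pscustomobject]@{
            Template            = $name
            SupplyInRequest     = $supplyInRequest
            ManagerApproval     = [bool]($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)
            EnrollPrincipals    = $enrollers -join '; '
            UnexpectedEnrollers = $unexpected -join '; '
            # A template that lets the requester supply the Subject and is enrollable by
            # principals other than the NDES account carries the impersonation risk noted above
            ReviewNeeded        = $supplyInRequest -and ($unexpected.Count -gt 0)
        }
    }
}

Get-ProfileTemplateAudit | Format-Table -AutoSize
```

Templates used by certificate profiles are expected to report SupplyInRequest as True; the column to act on is ReviewNeeded, which lists every principal beyond the NDES account that could request a certificate with a self-chosen Subject.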
To check for Read and Enroll permissions for users and domain-member computers
1. On the site system server that hosts the certificate registration point, create the following DWORD registry
key to have a value of 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheck
2. If an account cannot be authenticated because there is no response from a domain controller, and you want
to bypass the permissions check:
On the site system server that hosts the certificate registration point, create the following DWORD
registry key to have a value of 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheckOnlyIfAccountAccessDenied
3. On the issuing CA, on the Security tab in the properties for the certificate template, add one or more
security groups to grant the user or device accounts Read and Enroll permissions.
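Steps 1 and 2 of the procedure above as a script, added here as an example rather than taken from the documentation: it creates the two certificate registration point DWORD values under the path named above and reads them back. The function names are this example's own; run it elevated on the site system server that hosts the certificate registration point (step 3, the template ACL on the issuing CA, is not covered).

```powershell
# Added example (not part of the Configuration Manager documentation): configure the
# certificate registration point (CRP) template check through the registry values
# named in the procedure above, then read the result back.
$CrpKeyPath = 'HKLM:\SOFTWARE\Microsoft\SCCM\CRP'

function Set-CrpTemplateCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $true writes SkipTemplateCheck = 0 so the CRP checks Read and Enroll
        # for the requesting account (step 1 above)
        [bool]$CheckTemplatePermissions = $true,
        # Writes SkipTemplateCheckOnlyIfAccountAccessDenied = 1 so enrollment continues
        # when no domain controller responds (step 2). The article calls this not a
        # security best practice, so it is off unless explicitly requested.
        [switch]$SkipCheckWhenNoDomainController
    )
    if (-not (Test-Path $CrpKeyPath)) {
        # The key normally exists once the CRP role is installed; create it if missing
        New-Item -Path $CrpKeyPath -Force | Out-Null
    }
    $values = @{
        SkipTemplateCheck                          = [int](-not $CheckTemplatePermissions)
        SkipTemplateCheckOnlyIfAccountAccessDenied = [int][bool]$SkipCheckWhenNoDomainController
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$CrpKeyPath\$name", "Set DWORD to $($values[$name])")) {
            New-ItemProperty -Path $CrpKeyPath -Name $name -PropertyType DWord `
                -Value $values[$name] -Force | Out-Null
        }
    }
}

function Get-CrpTemplateCheck {
    # Read back the effective configuration. Per the procedure above, the check runs
    # only when SkipTemplateCheck exists with value 0 and the bypass value is not 1.
    $props = Get-ItemProperty -Path $CrpKeyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SkipTemplateCheck                          = $props.SkipTemplateCheck
        SkipTemplateCheckOnlyIfAccountAccessDenied = $props.SkipTemplateCheckOnlyIfAccountAccessDenied
        TemplateCheckEnforced = ($props.SkipTemplateCheck -eq 0) -and
                                ($props.SkipTemplateCheckOnlyIfAccountAccessDenied -ne 1)
    }
}

# Preview with -WhatIf first, then apply the recommended (checking, no bypass) configuration
Set-CrpTemplateCheck -CheckTemplatePermissions $true -WhatIf
Set-CrpTemplateCheck -CheckTemplatePermissions $true
Get-CrpTemplateCheck | Format-List
```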
Security and privacy for certificate profiles in System Center Configuration Manager
4/30/2018 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)

Security Best Practices for Certificate Profiles

Use the following security best practices when you manage certificate profiles for users and devices.

Security best practice: Identify and follow any security best practices for the Network Device Enrollment Service, which includes configuring the Network Device Enrollment Service website in Internet Information Services (IIS) to require SSL and ignore client certificates.
More information: See Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on TechNet.

Security best practice: When you configure SCEP certificate profiles, choose the most secure options that devices and your infrastructure can support.
More information: Identify, implement, and follow any security best practices that have been recommended for your devices and infrastructure.

Security best practice: Manually specify user device affinity instead of allowing users to identify their primary device. In addition, do not enable usage-based configuration.
More information: If you click the Allow certificate enrollment only on the users primary device option in a SCEP certificate profile, do not consider the information that is collected from users or from the device to be authoritative. If you deploy SCEP certificate profiles with this configuration and a trusted administrative user does not specify user device affinity, unauthorized users might receive elevated privileges and be granted certificates for authentication.
Note: If you do enable usage-based configuration, this information is collected by using state messages that are not secured by System Center Configuration Manager. To help mitigate this threat, use SMB signing or IPsec between client computers and the management point.

Security best practice: Do not add Read and Enroll permissions for users to the certificate templates, or configure the certificate registration point to skip the certificate template check.
More information: Although Configuration Manager supports the additional check if you add the security permissions of Read and Enroll for users, and you can configure the certificate registration point to skip this check if authentication is not possible, neither configuration is a security best practice. For more information, see Planning for certificate template permissions for certificate profiles in System Center Configuration Manager.

Privacy Information for Certificate Profiles


You can use certificate profiles to deploy root certification authority (CA) and client certificates, and then evaluate
whether those devices become compliant after the profiles are applied. The management point sends compliance
information to the site server, and System Center Configuration Manager stores that information in the site
database. Compliance information includes certificate properties such as subject name and thumbprint. The
information is encrypted when devices send it to the management point, but it is not stored in encrypted format in
the site database. The database retains the information until the site maintenance task Delete Aged
Configuration Management Data deletes it after the default interval of 90 days. You can configure the deletion
interval. Compliance information is not sent to Microsoft.
Certificate profiles use information that Configuration Manager collects using discovery. For more information
about privacy information for discovery, see the Privacy Information for Discovery section in Security and
privacy for System Center Configuration Manager.

NOTE
Certificates that are issued to users or devices might allow access to confidential information.

By default, devices do not evaluate certificate profiles. In addition, you must configure the certificate profiles, and
then deploy them to users or devices.
Before you configure certificate profiles, consider your privacy requirements.
Planning for Endpoint Protection in System Center
Configuration Manager
4/30/2018 • 4 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


Endpoint Protection in System Center Configuration Manager lets you manage antimalware policies and
Windows Firewall security for client computers in your Configuration Manager hierarchy.

IMPORTANT
You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:
Configure antimalware policies and Windows Firewall settings, and manage Windows Defender Advanced
Threat Protection, for selected groups of computers
Use Configuration Manager software updates to download the latest antimalware definition files to keep
client computers up-to-date
Send email notifications, use in-console monitoring, and view reports to keep administrative users informed
when malware is detected on client computers
Windows 10 computers don't require any additional client for endpoint protection management. On Windows 8.1
and earlier computers, Endpoint Protection installs its own client in addition to the Configuration Manager client.
The Endpoint Protection client has the following capabilities:
Malware and spyware detection and remediation
Rootkit detection and remediation
Critical vulnerability assessment and automatic definition and engine updates
Network vulnerability detection through Network Inspection System
Integration with Cloud Protection Service to report malware to Microsoft. When you join this service,
Windows Defender or the Endpoint Protection client can download the latest definitions from the Malware
Protection Center when unidentified malware is detected on a computer.

NOTE
The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest virtual machines with supported
operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in, randomized delay so that
services do not run simultaneously.

In addition, Endpoint Protection in Configuration Manager lets you manage Windows Firewall settings in the
Configuration Manager console.
Example scenario: Using System Center Endpoint Protection to protect computers from malware in System Center
Configuration Manager shows how you might configure and manage Endpoint Protection and the Windows
Firewall.
Managing Malware with Endpoint Protection
Endpoint Protection in Configuration Manager allows you to create antimalware policies that contain settings for
Endpoint Protection client configurations. You can then deploy these antimalware policies to client computers and
monitor them in the Endpoint Protection Status node in the Monitoring workspace, or by using Configuration
Manager reports.
Additional information:
Create and deploy antimalware policies for Endpoint Protection in System Center Configuration Manager -
Create, deploy, and monitor antimalware policies with a list of the settings that you can configure
Monitor Endpoint Protection in System Center Configuration Manager - Monitoring activity reports,
infected client computers, and more.
Manage antimalware policies and firewall settings for Endpoint Protection in System Center Configuration
Manager - You can change policy priority for antimalware or firewall, remediate malware found on client
computers, and other tasks

Managing Windows Firewall with Endpoint Protection


Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client
computers. For each network profile, you can configure the following settings:
Enable or disable the Windows Firewall.
Block incoming connections, including those in the list of allowed programs.
Notify the user when Windows Firewall blocks a new program.

NOTE
Endpoint Protection supports managing the Windows Firewall only.

For more information about how to create and deploy Windows Firewall policies for Endpoint Protection, see How
to create and deploy Windows Firewall policies for Endpoint Protection in System Center Configuration Manager.

Windows Defender Advanced Threat Protection


Starting with version 1606 of Configuration Manager (current branch), Endpoint Protection can help manage and
monitor Windows Defender Advanced Threat Protection (ATP). Windows Defender ATP is a new service that helps
enterprises detect, investigate, and respond to advanced attacks on their networks. See Windows Defender
Advanced Threat Protection.

Endpoint Protection Workflow


Use the following diagram to help you understand the workflow to implement Endpoint Protection in your
Configuration Manager hierarchy.
Endpoint Protection Client for Mac Computers and Linux Servers
System Center includes an Endpoint Protection client for Linux and for Mac computers. These clients are not
supplied with Configuration Manager; instead, you must download the following products from the Microsoft
Volume Licensing Service Center.

IMPORTANT
You must be a Microsoft Volume License customer to download the Endpoint Protection installation files for Linux and the
Mac.

These products cannot be managed from the Configuration Manager console. However, a System Center
Operations Manager management pack is supplied with the installation files, which allows you to manage the
client for Linux by using Operations Manager.
For more information about how to install and manage the Endpoint Protection clients for Linux and Mac
computers, use the documentation that accompanies these products, which is located in the Documentation
folder.
Best Practices for Endpoint Protection in Configuration Manager
Use the following best practices for Endpoint Protection in System Center 2012 Configuration Manager.
Configure custom client settings for Endpoint Protection
When you configure client settings for Endpoint Protection, do not use the default client settings because they
apply settings to all computers in your hierarchy. Instead, configure custom client settings and assign these settings
to collections of computers in your hierarchy.
When you configure custom client settings, you can do the following:
Customize antimalware and security settings for different parts of your organization.
Test the effects of running Endpoint Protection on a small group of computers before you deploy it to the entire
hierarchy.
Add more clients to the collection over time to phase your deployment of the Endpoint Protection client.
Distributing definition updates by using software updates
If you are using Configuration Manager software updates to distribute definition updates, consider placing
definition updates in a package that does not contain other software updates. This keeps the size of the definition
update package smaller, which allows it to replicate to distribution points more quickly.
Email profile prerequisites
4/30/2018 • 1 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


Email profiles in System Center Configuration Manager have dependencies both externally, and within the product.

Configuration Manager dependencies

Dependency: Specific security permissions must be granted to manage email profiles
More information: You must have the following security permissions to manage company resource access settings, such as email profiles:
- To view and manage alerts and reports for email profiles: Create, Delete, Modify, Modify Report, Read, and Run Report permissions for the Alerts object.
- To create and manage certificate profiles: Author Policy, Modify Report, Read and Run Report permissions for the Certificate Profile object.
- To manage email profile deployments: Deploy Configuration Policies, Modify Client Status Alert, Read, and Read Resource permissions for the Collection object.
- To manage all configuration policies: Create, Delete, Modify, Read and Set Security Scope permissions for the Configuration Policy object.
- To run queries that are related to email profiles: Read permission for the Query object.
- To view email profiles information in the System Center Configuration Manager console: Read permission for the Site object.
- To view status messages for email profiles: Read permission for the Status Messages object.
- To create and manage email profiles: Author Policy, Modify Report, Read, and Run Report permissions for the Communications Provisioning Profile object.
The Company Resource Access Manager security role includes these permissions that are required to manage email profiles in System Center Configuration Manager. For more information, see Configure security in System Center Configuration Manager.

Dependency: Mail attribute in Active Directory
More information: If you want to generate the user's email address in an email profile by using the user's primary SMTP address, System Center Configuration Manager user discovery must be configured to discover the mail attribute from Active Directory (this is configured by default).

External dependencies

Dependency: Mail attribute in Active Directory
More information: If you want to generate the user's email address in an email profile by using the user's primary SMTP address, this address must exist in the mail attribute in Active Directory. For more information, see your Windows Server documentation.
Prerequisites for Wi-Fi and VPN Profiles in System
Center Configuration Manager
4/30/2018 • 1 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


Wi-Fi and VPN profiles in System Center Configuration Manager have dependencies only within the product.
You must have the following security permissions to manage company resource access settings, such as certificate
profiles, Wi-Fi profiles, and VPN profiles:
To view and manage alerts and reports for Wi-Fi and VPN profiles: Create, Delete, Modify, Modify Report,
Read, and Run Report for the Alerts object.
To create and manage certificate profiles: Author Policy, Modify Report, Read, and Run Report for the
Certificate Profile object.
To manage Wi-Fi, certificate, and VPN profile deployments: Deploy Configuration Policies, Modify
Client Status Alert, Read, and Read Resource for the Collection object.
To manage all configuration policies: Create, Delete, Modify, Read, and Set Security Scope for the
Configuration Policy object.
To run queries that are related to Wi-Fi and VPN profiles: Read permission for the Query object.
To view Wi-Fi and VPN profiles information in the System Center Configuration Manager console: Read
permission for the Site object.
To view status messages for Wi-Fi and VPN profiles: Read permission for the Status Messages object.
To create and modify the Trusted CA certificate profile: Author Policy, Modify Report, Read, and Run
Report for the Trusted CA Certificate Profile object.
To create and manage VPN profiles: Author Policy, Modify Report, Read, and Run Report for the VPN
Profile object.
To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read, and Run Report for the Wi-Fi
Profile object.
The Company Resource Access Manager security role includes these permissions that are required to
manage Wi-Fi profiles in System Center Configuration Manager. For more information, see Configure
security in System Center Configuration Manager.
Security and privacy for Wi-Fi and VPN profiles in
System Center Configuration Manager
4/30/2018 • 1 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)

Security Best Practices for Wi-Fi and VPN Profiles

Use the following security best practices when you manage Wi-Fi and VPN profiles for devices.

Security best practice: Whenever possible, choose the most secure options that your Wi-Fi and VPN infrastructure and client operating systems can support.
More information: Wi-Fi and VPN profiles provide a convenient method to centrally distribute and manage Wi-Fi and VPN settings that your devices already support. Configuration Manager does not add Wi-Fi or VPN functionality. Identify, implement, and follow any security best practices that have been recommended for your devices and infrastructure.

Privacy Information for Wi-Fi Profiles


You can use Wi-Fi and VPN profiles to configure client devices to connect to Wi-Fi and VPN servers, and then
evaluate whether those devices become compliant after the profiles are applied. The management point sends
compliance information to the site server, and the information is stored in the site database. The information is
encrypted when devices send it to the management point, but it is not stored in encrypted format in the site
database. The database retains the information until the site maintenance task Delete Aged Configuration
Management Data deletes it. The default deletion interval is 90 days, but you can change it. Compliance
information is not sent to Microsoft.
By default, devices do not evaluate Wi-Fi and VPN profiles. In addition, you must configure the profiles, and then
deploy them to users.
Before you configure Wi-Fi or VPN profiles, consider your privacy requirements.
Security and privacy for email profiles in System
Center Configuration Manager
4/30/2018 • 1 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)

Security Best Practices for Email Profiles

Use the following security best practices when you manage email profiles for devices.

Security best practice: Whenever possible, choose the most secure options that your email infrastructure and client operating systems can support.
More information: Email profiles provide a convenient method to centrally distribute and manage email settings that your devices already support. Configuration Manager does not add email functionality. Identify, implement, and follow any security best practices that have been recommended for your devices and email infrastructure.

Privacy Information for Email Profiles


By default, devices do not evaluate email profiles. In addition, you must configure the email profiles, and then
deploy them to users.
Before you configure email profiles, consider your privacy requirements.
VPN profiles in System Center Configuration
Manager
4/30/2018 • 1 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


To deploy VPN settings to users in your organization, use VPN profiles in Configuration Manager. By deploying
these settings, you minimize the end-user effort required to connect to resources on the company network.
For example, you want to configure all Windows 10 devices with the settings required to connect to a file share on
the corporate network. You can create a VPN profile with the settings necessary to connect to the corporate
network. Then deploy this profile to all users that have devices running Windows 10. These users see the VPN
connection in the list of available networks and can connect with little effort.
When you create a VPN profile, you can include a wide range of security settings. These settings include
certificates for server validation and client authentication that you provision with Configuration Manager
certificate profiles. For more information, see Certificate profiles.

NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.

See VPN profiles on mobile devices to review the devices you can configure when using Configuration Manager
with Microsoft Intune.

VPN profiles when using Configuration Manager


The following table describes the VPN profiles you can configure for various device platforms.

CONNECTION TYPE                 WINDOWS 8.1   WINDOWS RT   WINDOWS RT 8.1   WINDOWS 10
Cisco AnyConnect                No            No           No               No
Pulse Secure                    Yes           No           Yes              Yes
F5 Edge Client                  Yes           No           Yes              Yes
Dell SonicWALL Mobile Connect   Yes           No           Yes              Yes
Check Point Mobile VPN          Yes           No           Yes              Yes
Microsoft SSL (SSTP)            Yes           Yes          Yes              No
Microsoft Automatic             Yes           Yes          Yes              No
IKEv2                           Yes           Yes          Yes              No
PPTP                            Yes           Yes          Yes              No
L2TP                            Yes           Yes          Yes              No


Next steps
Use the following topics to help you plan for, configure, operate, and maintain VPN profiles in Configuration
Manager.
Prerequisites for VPN profiles in System Center Configuration Manager
Security and privacy for VPN profiles in System Center Configuration Manager
How to Create VPN profiles in System Center
Configuration Manager
4/30/2018 • 4 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


The connection types available for the different device platforms are described in VPN profiles in System Center
Configuration Manager.
For third-party VPN connections, distribute the VPN app before deploying the VPN profile. If you don't deploy the
app, users will be prompted to do so when they try to connect to the VPN. To learn how to deploy apps, see Deploy
applications with System Center Configuration Manager.
Create a VPN profile
1. In the Configuration Manager console, choose Assets and Compliance > Compliance Settings >
Company Resource Access > VPN Profiles.
2. On the Home tab, in the Create group, choose Create VPN Profile.
3. Complete the General page. Note the following:
Select the appropriate Platform.
If you select the Windows 8.1 platform, you have the option to select Import an existing VPN
profile item from a file to import VPN profile information that was exported to an XML file.
Do not use the characters \/:*?<>|, or the space character in the VPN profile name. These characters
are not supported by the Windows Server VPN profile.
4. On the Connection page, specify:
Connection type: Choose the VPN connection type. You can choose from the connection types in
the following table.
Server list: Add a new server to use for the VPN connection. Depending on the connection type, you
can add one or more VPN servers and specify the default server.

NOTE
Devices that run iOS do not support using multiple VPN servers. If you configure multiple VPN servers and
then deploy the VPN profile to an iOS device, only the default server is used.

This table provides options for connection types. See your VPN server documentation for more
information.

Option: Realm
Connection type: Pulse Secure
More information: The authentication realm that you want to use. An authentication realm is a grouping of authentication resources that is used by the Pulse Secure connection type.

Option: Role
Connection type: Pulse Secure
More information: The user role that has access to this connection.

Option: Login group or domain
Connection type: Dell SonicWALL Mobile Connect
More information: The name of the login group or domain that you want to connect to.

Option: Fingerprint
Connection type: Check Point Mobile VPN
More information: A string, for example "Contoso Fingerprint Code", that will be used to verify that the VPN server can be trusted. A fingerprint can be:
- Sent to the client so it knows to trust any server presenting that same fingerprint when connecting.
- If the device doesn't already have the fingerprint, it will prompt the user to trust the VPN server they are connecting to while showing the fingerprint (the user manually verifies the fingerprint and chooses trust to connect).

Option: Send all network traffic through the VPN connection
Connection type: All
More information: If this option is not selected, you can specify additional routes for the connection (for Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP and L2TP connection types), which is known as split or VPN tunneling. Only connections to the company network are sent over a VPN tunnel. VPN tunneling is not used when you connect to resources on the Internet.

Option: Connection specific DNS suffix
Connection type: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP
More information: The connection-specific Domain Name System (DNS) suffix for the connection.

Option: Bypass VPN when connected to company Wi-Fi network
Connection type: Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN, Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, L2TP
More information: The VPN connection will not be used when the device is connected to the company Wi-Fi network.

Option: Bypass VPN when connected to home Wi-Fi network
Connection type: All
More information: The VPN connection will not be used when the device is connected to a home Wi-Fi network.

Option: Per App VPN (iOS 7 and later, Mac OS X 10.9 and later)
Connection type: Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN
More information: Associate this VPN connection with an iOS app so that the connection will be opened when the app is run. You can associate the VPN profile with an app when you deploy it.

Option: Custom XML (optional)
Connection type: Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN
More information: Specify custom XML commands that configure the VPN connection. Examples:

For Pulse Secure:
<pulse-schema>
  <isSingleSignOnCredential>true</isSingleSignOnCredential>
</pulse-schema>

For CheckPoint Mobile VPN:
<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

For Dell SonicWALL Mobile Connect:
<MobileConnect>
  <Compression>false</Compression>
  <debugLogging>True</debugLogging>
  <packetCapture>False</packetCapture>
</MobileConnect>

For F5 Edge Client:
<f5-vpn-conf><single-sign-on-credential></f5-vpn-conf>

Refer to each manufacturer's VPN documentation for more information about how to write custom XML commands.

NOTE
For information specific to creating VPN profiles for mobile devices, see Create VPN Profiles

Complete the wizard. The new VPN profile is displayed in the VPN Profiles node in the Assets and Compliance
workspace.
Next steps
For third-party VPN connections, distribute the VPN app before deploying the VPN profile. If you don't
deploy the app, users will be prompted to do so when they try to connect to the VPN. To learn how to
deploy apps, see Deploy applications with System Center Configuration Manager.
Deploy the VPN profile as described in How to deploy profiles in System Center Configuration Manager.
Find a package family name (PFN) for per-app VPN
4/30/2018 • 1 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


There are two ways to find a PFN so that you can configure a per-app VPN.

Find a PFN for an app that's installed on a Windows 10 computer


If the app you are working with is already installed on a Windows 10 computer, you can use the Get-AppxPackage
PowerShell cmdlet to get the PFN.
The syntax for Get-AppxPackage is:
Parameter Set: __AllParameterSets
Get-AppxPackage [[-Name] <String> ] [[-Publisher] <String> ] [-AllUsers] [-User <String> ] [ <CommonParameters>]

NOTE
You may have to run PowerShell as an admin in order to retrieve the PFN

For example, to get info on all the universal apps installed on the computer, use Get-AppxPackage .
To get info on an app whose name, or part of whose name, you know, use Get-AppxPackage *<app_name> . Note the use
of the wildcard character, which is particularly helpful if you're not sure of the full name of the app. For example, to get
the info for OneNote, use Get-AppxPackage *OneNote .
Here is the information retrieved for OneNote:
Name : Microsoft.Office.OneNote
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture : X64
ResourceId :
Version : 17.6769.57631.0
PackageFullName : Microsoft.Office.OneNote_17.6769.57631.0_x64__8wekyb3d8bbwe
InstallLocation : C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.6769.57631.0_x64__8wekyb3d8bbwe
IsFramework : False
PackageFamilyName : Microsoft.Office.OneNote_8wekyb3d8bbwe
PublisherId : 8wekyb3d8bbwe

Find a PFN if the app is not installed on a computer


1. Go to https://www.microsoft.com/en-us/store/apps
2. Enter the name of the app in the search bar. In our example, search for OneNote.
3. Click the link to the app. Note that the URL that you access has a series of letters at the end. In our example, the
URL looks like this: https://www.microsoft.com/en-us/store/apps/onenote/9wzdncrfhvjl
4. In a different tab, paste the following URL,
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/<app id>/applockerdata , replacing <app id>
with the app id you obtained from https://www.microsoft.com/en-us/store/apps , that is, the series of letters at the
end of the URL in step 3. In our OneNote example, you'd paste:
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata .

In Edge, the information you want is displayed; in Internet Explorer, click Open to see the information. The PFN
value is given on the first line. Here's how the results look for our example:
{ "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
"packageIdentityName": "Microsoft.Office.OneNote",
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
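The two lookups above combined into one function, as an added example that is not part of the Configuration Manager documentation: it resolves the PFN from a locally installed package first and otherwise queries the Store catalog URL quoted in step 4, and it cross-checks that the PFN has the Name_PublisherId shape the OneNote output shows. Function, parameter and variable names are my own.

```powershell
# Added example, not part of the Configuration Manager documentation: resolve the package
# family name (PFN) an app uses for per-app VPN, first from a locally installed package and
# otherwise from the Store catalog URL quoted in the steps above. Function, parameter and
# variable names are my own.

function Get-PerAppVpnPfn {
    [CmdletBinding()]
    param(
        # App identity name or wildcard pattern as accepted by Get-AppxPackage -Name, e.g. '*OneNote*'.
        [Parameter(Mandatory)]
        [string]$AppName,

        # Store app id: the series of letters at the end of the Store URL (e.g. 9wzdncrfhvjl).
        # Used only when the app is not installed on this computer.
        [string]$StoreAppId,

        # Query packages for all users; requires an elevated PowerShell session.
        [switch]$AllUsers
    )

    # Method 1: the app is installed locally.
    $getArgs = @{ Name = $AppName; ErrorAction = 'SilentlyContinue' }
    if ($AllUsers) { $getArgs['AllUsers'] = $true }
    $pkg = Get-AppxPackage @getArgs | Select-Object -First 1

    if ($pkg) {
        # The PFN is the identity name, an underscore and the 13-character publisher id,
        # as the OneNote output above shows (Microsoft.Office.OneNote_8wekyb3d8bbwe).
        $expected = '{0}_{1}' -f $pkg.Name, $pkg.PublisherId
        if ($pkg.PackageFamilyName -ne $expected) {
            throw "PackageFamilyName '$($pkg.PackageFamilyName)' does not match Name_PublisherId '$expected'"
        }
        return [pscustomobject]@{
            Source            = 'InstalledPackage'
            PackageFamilyName = $pkg.PackageFamilyName
            PublisherId       = $pkg.PublisherId
        }
    }

    # Method 2: the app is not installed; ask the Store catalog endpoint for its AppLocker data.
    if (-not $StoreAppId) {
        throw "'$AppName' is not installed here; pass -StoreAppId to look it up in the Store catalog."
    }
    # Only letters and digits are expected in a Store app id; refuse anything else rather
    # than splicing it into the request path.
    if ($StoreAppId -notmatch '^[A-Za-z0-9]+$') {
        throw "Store app id '$StoreAppId' contains unexpected characters."
    }
    $uri  = "https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/$StoreAppId/applockerdata"
    $data = Invoke-RestMethod -Uri $uri -Method Get

    $pfn = $data.packageFamilyName
    if (-not $pfn -or $pfn -notmatch '^[^_]+_[a-z0-9]{13}$') {
        throw "Catalog response for '$StoreAppId' did not contain a well-formed packageFamilyName."
    }
    return [pscustomobject]@{
        Source            = 'StoreCatalog'
        PackageFamilyName = $pfn
        PublisherId       = $pfn.Split('_')[-1]
    }
}

# Usage: an installed app (run elevated and add -AllUsers to see other users' packages).
Get-PerAppVpnPfn -AppName '*OneNote*'

# Usage: an app that is not installed, using the OneNote Store id from step 3 above.
Get-PerAppVpnPfn -AppName 'Microsoft.Office.OneNote' -StoreAppId '9wzdncrfhvjl'
```

The shape check matters because a per-app VPN rule keyed on a mistyped PFN simply never matches, and the app's traffic then goes outside the tunnel without any error in the console; failing early on a malformed value is cheaper than diagnosing that later.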
Create Wi-Fi profiles
4/30/2018 • 6 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


Use Wi-Fi profiles in System Center Configuration Manager to deploy wireless network settings to users in your
organization. By deploying these settings, you make it easier for your users to connect to Wi-Fi.
For example, you have a Wi-Fi network that you want to enable all iOS devices to connect to. Create a Wi-Fi profile
containing the settings necessary to connect to the wireless network. Then, deploy the profile to all users that have
iOS devices in your hierarchy. Users of iOS devices see the company network in the list of wireless networks and
can readily connect to this network.
You can configure the following device types with Wi-Fi profiles:
Devices that run Windows 8.1 32-bit
Devices that run Windows 8.1 64-bit
Devices that run Windows RT 8.1
Devices that run Windows 10 Desktop or Mobile
Create Wi-Fi profiles for mobile devices provides information about how to use Wi-Fi profiles in Configuration
Manager to deploy wireless network settings to mobile device users.

IMPORTANT
To deploy profiles to Android, iOS, Windows Phone, and enrolled Windows 8.1 or later devices, these devices must be enrolled
in Microsoft Intune. For information about how to get your devices enrolled, see Enroll devices for management in Intune.

When you create a Wi-Fi profile, you can include a wide range of security settings. These include certificates for
server validation and client authentication that have been pushed using Configuration Manager certificate profiles.
For more information about certificate profiles, see Certificate profiles in System Center Configuration Manager.

Create a Wi-Fi Profile


1. In the Configuration Manager console, choose Assets and Compliance > Compliance Settings >
Company Resource Access > Wi-Fi Profiles.
2. On the Home tab, in the Create group, choose Create Wi-Fi Profile.
3. On the General page, enter a unique name and a description for the Wi-Fi profile. If you want to use the
settings from another Wi-Fi profile, select Import an existing Wi-Fi profile item from a file.

IMPORTANT
Ensure that the Wi-Fi profile you import contains valid XML for a Wi-Fi profile. Configuration Manager does not
validate the profile when you import the file.

4. In Noncompliance severity for reports, specify the severity level that is reported if the Wi-Fi profile is
found to be noncompliant on client devices (for example, if the installation of the profile fails). The available
severity levels are as follows:
None: Computers that fail this compliance rule do not report a failure severity for Configuration
Manager reports.
Information: Computers that fail this compliance rule report a failure severity of Information for
Configuration Manager reports.
Warning: Computers that fail this compliance rule report a failure severity of Warning for
Configuration Manager reports.
Critical: Computers that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports.
Critical with event: Computers that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports. This severity level is also logged as a Windows event in the
application event log.
5. On the Wi-Fi Profile page provide the name that devices will display as the network name.

IMPORTANT
Configuration Manager does not support using the apostrophe (‘) or comma (,) characters in the network name.

6. Specify the case-sensitive SSID.
7. Choose the other appropriate connectivity options, including Connect when the network is not
broadcasting its name (SSID), if there is a possibility that the SSID is hidden.
8. On the Security Configuration page, select the security protocol that the wireless network uses, or select
No authentication (Open) if the network is unsecured.

IMPORTANT
If you're creating a Wi-Fi profile for On-premises Mobile Device Management, the current branch of Configuration
Manager only supports the following Wi-Fi security configurations:
Security types: WPA2 Enterprise or WPA2 Personal
Encryption types: AES or TKIP
EAP types: Smart Card or other certificate or PEAP
For Android devices, the security types WPA Personal, WPA2 Personal and WEP are not supported.

9. Select the encryption method that the wireless network uses.


10. Select the EAP type that is used to authenticate with the wireless network.
For Windows Phone devices only: the EAP types LEAP and EAP-FAST are not supported.
11. Click Configure to specify properties for the selected EAP type. This option might not be available for some
selected EAP types.

IMPORTANT
When you click Configure, the dialog box that opens is a Windows dialog box. Because of this, you must ensure that
the operating system of the computer that runs the Configuration Manager console supports configuring the
selected EAP type.
For iOS devices, if you choose a non-EAP authentication method, MS-CHAP v2 is used for the connection regardless of
which method you select.
12. If you want to store user credentials so users do not have to enter credentials at each logon, select
Remember the user credentials at each logon.
13. For iOS devices only:
Configure information for any certificates that are required for the Wi-Fi connection. You must configure the
client certificate and either the trusted server certificate name or the root certificate, as follows:
Trusted server certificate names: If the server that the device connects to uses a server
authentication certificate to identify the server and help secure the communication channel, enter the
name or names in that certificate’s subject name or subject alternative name. The name or names
are typically the fully qualified domain name of the server. For example, if the server certificate has a
common name of srv1.contoso.com in the certificate subject, enter srv1.contoso.com. If the server
certificate has multiple names that are specified in the subject alternative name, enter each name,
separated by a semicolon.

TIP
If the client certificate that you select for EAP or client authentication for an iOS device will be used to
authenticate to a Remote Authentication Dial-In User Service (RADIUS) server, such as a server that is running
Network Policy Server, you must set the Subject Alternative Name to the User Principal Name.

Select root certificates for server validation: If the server that the device connects to uses a server
authentication certificate that the device does not trust, select the certificate profile that contains the
root certificate for the server certificate, to create a certificate chain of trust on the device.
Select a client certificate for client authentication: If the server or network device requires a
client certificate to authenticate the connecting device, select the certificate profile that contains the
client authentication certificate.

NOTE
Before you can select the root certificate and client certificate, you must first configure and deploy them as a
certificate profile. For more information about certificate profiles, see Certificate profiles in System Center
Configuration Manager.

14. On the Advanced Settings page, specify advanced settings for the Wi-Fi profile such as the authentication
mode, single sign-on options, and Federal Information Processing Standards compliance. For more
information about these options, see your Windows documentation. Advanced settings might not be
available, or might vary, depending on the options that you selected on the Security Configuration page of
the wizard.
15. On the Proxy Settings page, select Configure proxy settings for this Wi-Fi profile if your wireless
network uses a proxy server, and then provide the configuration information.
16. On the Supported Platforms page, select the operating systems where you want to install the Wi-Fi profile.
Alternatively, click Select all to install the Wi-Fi profile to all available operating systems.
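Because the wizard does not validate an imported Wi-Fi profile (step 3), a check run on the XML before import catches the problems that would otherwise only surface as noncompliance on clients. The following is an added example, not code from the Configuration Manager documentation: it parses a Windows WLAN profile (the XML that netsh wlan export profile produces), checks the profile name against the apostrophe and comma restriction from step 5, and goes beyond the page by also flagging open or WEP security, a useOneX flag with no EAP block, and a pre-shared key stored in clear text. The sample profile is constructed and the function name is my own.

```powershell
# Added example, not part of the Configuration Manager documentation: sanity-check a Windows
# WLAN profile XML before importing it with "Import an existing Wi-Fi profile item from a
# file", because Configuration Manager does not validate the XML on import. The sample profile
# is constructed for this example and the function name is my own; the element names and
# namespaces are those of the profile XML that "netsh wlan export profile" produces.

function Test-WlanProfileXml {
    param([Parameter(Mandatory)][string]$XmlText)

    $findings = New-Object System.Collections.Generic.List[string]
    try { $doc = [xml]$XmlText } catch { return @("Not well-formed XML: $($_.Exception.Message)") }

    $wlanNs = 'http://www.microsoft.com/networking/WLAN/profile/v1'
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w',  $wlanNs)
    $ns.AddNamespace('ox', 'http://www.microsoft.com/networking/OneX/v1')

    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'WLANProfile' -or $root.NamespaceURI -ne $wlanNs) {
        $findings.Add("Root element is '$($root.LocalName)' ($($root.NamespaceURI)), not a WLANProfile")
        return $findings
    }

    # Profile name and SSID. Configuration Manager does not support ' or , in the network name.
    $name = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns)
    $ssid = $doc.SelectSingleNode('/w:WLANProfile/w:SSIDConfig/w:SSID/w:name', $ns)
    if (-not $name -or [string]::IsNullOrWhiteSpace($name.InnerText)) {
        $findings.Add('Profile name is missing')
    } elseif ($name.InnerText -match "[',]") {
        $findings.Add("Profile name '$($name.InnerText)' contains an apostrophe or comma")
    }
    if (-not $ssid -or [string]::IsNullOrWhiteSpace($ssid.InnerText)) {
        $findings.Add('SSID name is missing')
    }

    # Security configuration: flag open/WEP networks and an 802.1X flag with no EAP settings.
    $sec  = '/w:WLANProfile/w:MSM/w:security'
    $auth = $doc.SelectSingleNode("$sec/w:authEncryption/w:authentication", $ns)
    $enc  = $doc.SelectSingleNode("$sec/w:authEncryption/w:encryption", $ns)
    if (-not $auth -or -not $enc) {
        $findings.Add('authEncryption is incomplete: authentication or encryption element missing')
    } else {
        if ($auth.InnerText -in @('open', 'shared') -or $enc.InnerText -eq 'WEP') {
            $findings.Add("Weak security: authentication=$($auth.InnerText) encryption=$($enc.InnerText)")
        }
        $useOneX = $doc.SelectSingleNode("$sec/w:authEncryption/w:useOneX", $ns)
        $oneX    = $doc.SelectSingleNode("$sec/ox:OneX", $ns)
        if ($useOneX -and $useOneX.InnerText -eq 'true' -and -not $oneX) {
            $findings.Add('useOneX is true but the profile has no OneX (EAP) configuration')
        }
    }

    # A profile exported with key=clear carries the pre-shared key unencrypted.
    $protected   = $doc.SelectSingleNode("$sec/w:sharedKey/w:protected", $ns)
    $keyMaterial = $doc.SelectSingleNode("$sec/w:sharedKey/w:keyMaterial", $ns)
    if ($keyMaterial -and $protected -and $protected.InnerText -eq 'false') {
        $findings.Add('sharedKey/keyMaterial is stored as a clear-text PSK in this file')
    }
    return $findings
}

# Constructed sample: WPA2-Enterprise profile that asks for 802.1X but omits the OneX block.
$sample = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso Corp</name>
  <SSIDConfig><SSID><name>ContosoCorp</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
'@

$issues = @(Test-WlanProfileXml -XmlText $sample)
if ($issues.Count -eq 0) { 'Profile passed the checks' } else { $issues | ForEach-Object { "FINDING: $_" } }
```

For the constructed sample the function reports one finding, the missing OneX block. Run it against the real export before importing; a clear-text keyMaterial finding in particular means the profile file itself now holds a network credential and should be handled accordingly.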
Next steps
For information about how to deploy the Wi-Fi profile, see How to deploy Wi-Fi profiles in System Center
Configuration Manager.
Introduction to certificate profiles in System Center
Configuration Manager
4/30/2018 • 5 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


Certificate profiles work with Active Directory Certificate Services and the Network Device Enrollment Service
(NDES) role. Create and deploy authentication certificates for managed devices so that users can easily access
company resources. For example, you can create and deploy certificate profiles to provide the necessary
certificates for users to connect to VPN and wireless connections.
Certificate profiles can automatically configure user devices. Users access company resources such as Wi-Fi
networks and VPN servers without manually installing certificates or using an out-of-band process. Certificate
profiles help to keep company resources secure because you can use more secure settings that are supported by
your enterprise public key infrastructure (PKI). For example, require server authentication for all Wi-Fi and VPN
connections because you've deployed the required certificates on the managed devices.
Certificate profiles provide the following management capabilities:
Certificate enrollment and renewal from an enterprise certification authority (CA) for devices that run iOS,
Windows 8.1, Windows RT 8.1, Windows 10 Desktop and Mobile, and Android. These certificates can then
be used for Wi-Fi and VPN connections.
Deployment of trusted root CA certificates and intermediate CA certificates. These certificates configure a
chain of trust on devices for VPN and Wi-Fi connections when server authentication is required.
Monitor and report about the installed certificates.
Example: All employees must be able to connect to Wi-Fi hotspots in multiple corporate locations. To enable
easy user connection, first deploy the certificates needed to connect to Wi-Fi. Then deploy Wi-Fi profiles that
reference the certificate.
Example: You have a PKI in place. You want to move to a more flexible, secure method of deploying certificates.
Users should be able to access company resources from their personal devices without compromising security.
Configure certificate profiles with settings and protocols that are supported for the specific device platform. The
devices can then automatically request these certificates from an Internet-facing enrollment server. Then,
configure VPN profiles to use these certificates so that the device can access company resources.

Types of certificate profiles


There are three types of certificate profiles:
Trusted CA certificate - Deploy a trusted root CA or intermediate CA certificate. These certificates form
a chain of trust when the device must authenticate a server.
Simple Certificate Enrollment Protocol (SCEP) - Request a certificate for a device or user by using the
SCEP protocol. This type requires the Network Device Enrollment Service (NDES) role on a server
running Windows Server 2012 R2 or later.
To create a Simple Certificate Enrollment Protocol (SCEP) certificate profile, first create a Trusted CA
certificate profile.
Personal information exchange (.pfx) - Request a .pfx (also known as PKCS #12) certificate for a
device or user.
You may create PFX certificate profiles by either importing credentials from existing certificates or by
defining a certificate authority to process requests.

NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it.
For more information, see Enable optional features from updates.

Starting with version 1706, you can use Microsoft or Entrust as certificate authorities for Personal
information exchange (.pfx) certificates.

Requirements and supported platforms


To deploy certificate profiles that use SCEP, install the certificate registration point on a site system server. Also
install a policy module for NDES, the Configuration Manager Policy Module, on a server that runs Windows
Server 2012 R2 or later. This server requires the Active Directory Certificate Services role and a working NDES
that is accessible to the devices that require the certificates. For the devices that are enrolled by Microsoft Intune,
the NDES must be accessible from the Internet. For example, in a screened subnet, also known as a DMZ.
PFX certificates also require a certificate registration point. Also specify the certificate authority (CA) for the
certificate and the relevant access credentials. Starting with version 1706, you may specify either Microsoft or
Entrust as certificate authorities.
For more information about how the Network Device Enrollment Service supports a policy module so that
Configuration Manager can deploy certificates, see Using a Policy Module with the Network Device Enrollment
Service.
Depending on the requirements, Configuration Manager supports deploying certificates to different certificate
stores on various device types and operating systems. The following devices and operating systems are
supported:
Windows RT 8.1
Windows 8.1
Windows Phone 8.1
Windows 10 Desktop and Mobile
iOS
Android

IMPORTANT
To deploy profiles to Android, iOS, Windows Phone, and enrolled Windows 8.1 or later devices, these devices must be
enrolled in Microsoft Intune.

A typical scenario for Configuration Manager is to install trusted root CA certificates to authenticate Wi-Fi and
VPN servers when the connection uses EAP-TLS, EAP-TTLS, and PEAP authentication protocols, and IKEv2,
L2TP/IPsec, and Cisco IPsec VPN tunneling protocols.
An enterprise root CA certificate must be installed on the device before the device can request certificates by
using a SCEP certificate profile.
You can specify settings in a SCEP certificate profile to request customized certificates for different environments
or connectivity requirements. The Create Certificate Profile Wizard has two pages for enrollment parameters.
The first, SCEP Enrollment, includes settings for the enrollment request and where to install the certificate. The
second, Certificate Properties, describes the requested certificate itself.

Deploying certificate profiles


When you deploy a certificate profile, the certificate files within the profile are installed on client devices. Any
SCEP parameters are also deployed, and the SCEP requests are processed on the client device. You can deploy
certificate profiles to user or device collections and specify the destination store for each certificate. Applicability
rules determine whether the certificates can be installed on the device. When certificate profiles are deployed to
user collections, user device affinity determines which of the users' devices install the certificates. When
certificate profiles that include user certificates are deployed to device collections, by default the certificates are
installed on each of the users' primary devices. You can modify this behavior to install the certificate on any of the
users' devices on the SCEP Enrollment page of the Create Certificate Profile Wizard. If the devices are
workgroup computers, user certificates are not deployed.

Monitoring certificate profiles


You can monitor certificate profile deployments by viewing compliance results or reports. These approaches are
described in How to monitor certificate profiles.

Automatic revocation of certificates


System Center Configuration Manager automatically revokes user and computer certificates that were deployed
by using certificate profiles in the following circumstances:
The device is retired from System Center Configuration Manager management.
The device is selectively wiped.
The device is blocked from the System Center Configuration Manager hierarchy.
To revoke the certificates, the site server sends a revocation command to the issuing certification authority.
The reason for the revocation is Cease of Operation.
Create certificate profiles
4/30/2018 • 11 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


Use certificate profiles in Configuration Manager (SCCM) to provision managed devices with the certificates they
need to access company resources. Before creating certificate profiles, set up the certificate infrastructure as
described in Set up certificate infrastructure for System Center Configuration Manager.
This topic describes how to create trusted root and SCEP certificate profiles. If you want to create PFX certificate
profiles, see Create PFX certificate profiles.
To create a certificate profile:
1. Start the Create Certificate Profile Wizard.
2. Provide general information about the certificate.
3. Configure a trusted certificate authority (CA) certificate.
4. Configure SCEP certificate information (only for SCEP certificates).
5. Specify supported platforms for the certificate profile.

Start the Create Certificate Profile wizard


1. In the System Center Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource
Access, and then click Certificate Profiles.
3. On the Home tab, in the Create group, click Create Certificate Profile.

Provide general information about the certificate profile


On the General page of the Create Certificate Profile Wizard, specify the following information:
Name: Enter a unique name for the certificate profile. You can use a maximum of 256 characters.
Description: Provide a description that gives an overview of the certificate profile and other relevant
information that helps to identify it in the System Center Configuration Manager console. You can use a
maximum of 256 characters.
Specify the type of certificate profile that you want to create: Choose one of the following certificate
profile types:
Trusted CA certificate: Select this certificate profile type if you want to deploy a trusted root certification
authority (CA) or intermediate CA certificate to form a certificate chain of trust when the user or device
must authenticate another device. For example, the device might be a Remote Authentication Dial-In User
Service (RADIUS) server or a virtual private network (VPN) server. You must also configure a trusted CA
certificate profile before you can create a SCEP certificate profile. In this case, the trusted CA certificate
must be the trusted root certificate for the CA that will issue the certificate to the user or device.
Simple Certificate Enrollment Protocol (SCEP) settings: Select this certificate profile type if you want
to request a certificate for a user or device, by using the Simple Certificate Enrollment Protocol and the
Network Device Enrollment Service role service.
Personal Information Exchange PKCS #12 (PFX) settings - Import: Select this to import a PFX
certificate. To learn more about PFX certificate creation see Import PFX certificate profiles.
Personal Information Exchange PKCS #12 (PFX) settings - Create: Select this to process PFX
certificates using a certificate authority. To learn more about PFX certificate creation see Create PFX
certificate profiles.

Configure a trusted CA certificate


IMPORTANT
You must configure at least one trusted CA certificate profile before you can create a SCEP certificate profile.
If you change any of these values after the certificate is deployed, a new certificate is requested:
Key Storage Provider
Certificate template name
Certificate type
Subject name format
Subject alternative name
Certificate validity period
Key usage
Key size
Extended key usage
Root CA certificate

1. On the Trusted CA Certificate page of the Create Certificate Profile Wizard, specify the following
information:
Certificate file: Click Import and then browse to the certificate file that you want to use.
Destination store: For devices that have more than one certificate store, select where to store the
certificate. For devices that have only one store, this setting is ignored.
2. Use the Certificate thumbprint value to verify that you have imported the correct certificate.
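The thumbprint comparison in step 2 can be done on the file before it is imported, together with two checks the wizard does not make: that the file is a CA certificate at all, and that it is the self-signed root (or an intermediate) you intended. The following is an added example, not code from the Configuration Manager documentation; function and parameter names are my own, and the path and thumbprint in the usage line are placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation: check a certificate file
# before importing it into a trusted CA certificate profile, so the thumbprint the wizard shows
# in step 2 is compared against the value the CA administrator gave you and the file really is
# a CA certificate. Function and parameter names are my own; the path and thumbprint in the
# usage line are placeholders.

function Test-TrustedCaCertificateFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        # SHA-1 thumbprint from the CA administrator, hex with or without separators.
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        # Set when the file should be a self-signed root rather than an intermediate CA.
        [switch]$ExpectRoot
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
    $findings = @()

    # Thumbprint comparison (X509Certificate2.Thumbprint is upper-case SHA-1 hex, no separators).
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        $findings += "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
    }

    # A trusted CA profile should carry a CA certificate, not an end-entity certificate.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $findings += "Basic Constraints does not mark '$($cert.Subject)' as a CA"
    }

    # Root versus intermediate: a root is self-signed, an intermediate is not.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    if ($ExpectRoot -and -not $selfSigned) {
        $findings += "Expected a self-signed root, but the issuer is '$($cert.Issuer)'"
    } elseif (-not $ExpectRoot -and $selfSigned) {
        $findings += 'Certificate is self-signed; import it as the root, not as an intermediate CA'
    }

    if ($cert.NotAfter -lt (Get-Date)) {
        $findings += "Certificate expired on $($cert.NotAfter)"
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Findings   = $findings
        Passed     = ($findings.Count -eq 0)
    }
}

# Usage (placeholders): the root CA that will issue the SCEP certificates.
Test-TrustedCaCertificateFile -Path 'C:\certs\ContosoRootCA.cer' `
    -ExpectedThumbprint '<thumbprint from the CA administrator>' -ExpectRoot
```

Use the root-or-intermediate check deliberately: for a SCEP profile the trusted CA certificate must be the root of the CA that will issue the device certificates, so the file you import there should pass with -ExpectRoot.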

Configure SCEP certificate information (only for SCEP certificates)


1. On the SCEP Servers page of the Create Certificate Profile Wizard, specify the URLs for the NDES Servers
that will issue certificates via SCEP. You can choose to automatically assign an NDES URL based on the
configuration of the Certificate Registration Point site system server, or add URLs manually.
2. Complete the SCEP Enrollment page of the Create Certificate Profile Wizard.
Retries: Specify the number of times that the device automatically retries the certificate request to
the server that is running the Network Device Enrollment Service. This setting supports the scenario
where a CA manager must approve a certificate request before it is accepted. This setting is typically
used for high-security environments or if you have a stand-alone issuing CA rather than an
enterprise CA. You might also use this setting for testing purposes so that you can inspect the
certificate request options before the issuing CA processes the certificate request. Use this setting
with the Retry delay (minutes) setting.
Retry delay (minutes): Specify the interval, in minutes, between each enrollment attempt when you
use CA manager approval before the issuing CA processes the certificate request. If you use
manager approval for testing purposes, you will probably want to specify a low value so that you are
not waiting a long time for the device to retry the certificate request after you approve the request.
However, if you use manager approval on a production network, you will probably want to specify a
higher value to allow sufficient time for the CA administrator to check and approve or deny pending
approvals.
Renewal threshold (%): Specify the percentage of the certificate lifetime that remains before the
device requests renewal of the certificate.
Key Storage Provider (KSP): Specify where the key to the certificate will be stored. Choose from
one of the following values:
Install to Trusted Platform Module (TPM) if present: Installs the key to the TPM. If the TPM is
not present, the key will be installed to the storage provider for the software key.
Install to Trusted Platform Module (TPM) otherwise fail: Installs the key to the TPM. If the TPM
module is not present, the installation will fail.
Install to Windows Hello for Business otherwise fail: This option is available for Windows 10
Desktop and Mobile devices. It enrolls the key to Windows Hello for Business, described in
Windows Hello for Business settings in System Center Configuration Manager. This option also
enables you to Require multi-factor authentication during enrollment of devices before issuing
certificates to those devices. See Protect Windows devices with multi-factor authentication for more
information.

NOTE
When a user creates a Windows Hello for Business PIN, Windows sends a notification which Configuration Manager
listens for. This allows Configuration Manager to quickly become aware of which users have created a Windows Hello
PIN. Configuration Manager can then also issue new certificates to those users if Windows Hello is used as the Key
Storage Provider in a certificate profile.

Install to Software Key Storage Provider: Installs the key to the storage provider for the software
key.
Devices for certificate enrollment: If the certificate profile is deployed to a user collection, select
whether to allow certificate enrollment on only the user's primary device or on all devices that the
user logs on to. If the certificate profile is deployed to a device collection, select whether to allow
certificate enrollment for only the primary user of the device or for all users that log on to the device.
3. On the Certificate Properties page of the Create Certificate Profile Wizard, specify the following
information:
Certificate template name: Click Browse to select the name of a certificate template that the Network
Device Enrollment Service is configured to use and that has been added to an issuing CA. To successfully
browse to certificate templates, the user account that you are using to run the System Center
Configuration Manager console must have Read permission to the certificate template. Alternatively, if
you cannot use Browse, type the name of the certificate template.

IMPORTANT
If the certificate template name contains non-ASCII characters (for example, characters from the Chinese alphabet),
the certificate will not be deployed. To ensure that the certificate is deployed, you must first create a copy of the
certificate template on the CA and rename the copy by using ASCII characters.

Note the following, depending on whether you browse to the certificate template or type the certificate
name:
If you browse to select the name of the certificate template, some fields on the page are automatically
populated from the certificate template. In some cases, you cannot change these values unless you
choose a different certificate template.
If you type the name of the certificate template, make sure that the name exactly matches one of the
certificate templates that are listed in the registry of the server that is running the Network Device
Enrollment Service. Make sure that you specify the name of the certificate template and not the
display name of the certificate template.
To find the names of certificate templates, browse to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP. You will see the certificate
templates listed as the values for EncryptionTemplate, GeneralPurposeTemplate, and
SignatureTemplate. By default, the value for all three certificate templates is IPSECIntermediateOffline,
which maps to the template display name of IPSec (Offline request).

WARNING
Because System Center Configuration Manager cannot verify the contents of the certificate template when you type
the name of the certificate template rather than browse, you might be able to select options that the certificate
template does not support and that will result in a failed certificate request. When this happens, you will see an error
message for w3wp.exe in the CPR.log file that the template name in the certificate signing request (CSR) and the
challenge do not match.
When you type the name of the certificate template that is specified for the GeneralPurposeTemplate value, you
must select the Key encipherment and the Digital signature options for this certificate profile. However, if you
want to enable only the Key encipherment option in this certificate profile, specify the certificate template name for
the EncryptionTemplate key. Similarly, if you want to enable only the Digital signature option in this certificate
profile, specify the certificate template name for the SignatureTemplate key.

Certificate type: Select whether the certificate will be deployed to a device or a user.
Subject name format: From the list, select how System Center Configuration Manager automatically
creates the subject name in the certificate request. If the certificate is for a user, you can also include the
user's email address in the subject name.

NOTE
Selecting IMEI number or Serial number enables you to differentiate between different devices that are owned by
the same user. For example, those devices could share a common name, but not an IMEI number or serial number. If
the device does not report an IMEI or serial number, the certificate will be issued with the common name.

Subject alternative name: Specify how System Center Configuration Manager automatically creates
the values for the subject alternative name (SAN) in the certificate request. For example, if you selected a
user certificate type, you can include the user principal name (UPN) in the subject alternative name. If the
client certificate will be used to authenticate to a Network Policy Server, you must set the subject
alternative name to the UPN.

NOTE
iOS devices support limited subject name formats and subject alternative names in SCEP certificates. If you specify
a format that is not supported, certificates will not be enrolled on iOS devices. When you configure a SCEP
certificate profile to be deployed to iOS devices, use the Common name for the Subject name format, and DNS
name, Email address or UPN for the Subject alternative name.

Certificate validity period: If you have run the certutil -setreg Policy\EditFlags
+EDITF_ATTRIBUTEENDDATE command on the issuing CA, which allows a custom validity period, you
can specify the amount of remaining time before the certificate expires. For more information about this
command, see Certificate infrastructure in System Center Configuration Manager topic.
You can specify a value that is lower than the validity period in the specified certificate template, but not
higher. For example, if the certificate validity period in the certificate template is two years, you can specify a
value of one year but not a value of five years. The value must also be lower than the remaining validity
period of the issuing CA's certificate.
Key usage: Specify key usage options for the certificate. You can choose from the following options:
Key encipherment: Allow key exchange only when the key is encrypted.
Digital signature: Allow key exchange only when a digital signature helps protect the key.
If you selected a certificate template by using Browse, you might not be able to change these settings
unless you select a different certificate template.
The certificate template you selected must be configured with one or both of the two key usage options
above. If it is not, you will see the message Key usage in CSR and challenge do not match in the
certificate registration point log file, Crp.log.
Key size (bits): Select the size of the key in bits.
Extended key usage: Click Select to add values for the certificate's intended purpose. In most cases, the
certificate will require Client Authentication so that the user or device can authenticate to a server.
However, you can add any other key usages as required.
Hash algorithm: Select one of the available hash algorithm types to use with this certificate. Select the
strongest level of security that the connecting devices support.

NOTE
SHA-2 supports SHA-256, SHA-384, and SHA-512. SHA-3 supports only SHA-3.

Root CA certificate: Click Select to choose a root CA certificate profile that you have previously
configured and deployed to the user or device. This CA certificate must be the root certificate for the CA
that will issue the certificate that you are configuring in this certificate profile.

IMPORTANT
If you specify a root CA certificate that is not deployed to the user or device, System Center Configuration Manager
will not initiate the certificate request that you are configuring in this certificate profile.

Specify supported platforms for the certificate profile


1. On the Supported Platforms page of the Create Certificate Profile Wizard, select the operating systems
where you want to install the certificate profile. Or, click Select all to install the certificate profile to all available
operating systems.
2. Review the Summary page of the wizard and choose Finish.
The new certificate profile appears in the Certificate Profiles node in the Assets and Compliance workspace
and is ready to be deployed to users or devices as described in How to deploy profiles in System Center
Configuration Manager.
Configure certificate infrastructure
4/30/2018 • 11 min to read

Applies to: System Center Configuration Manager (Current Branch)


Learn to configure certificate infrastructure in System Center Configuration Manager. Before you start, check for
any prerequisites that are listed in Prerequisites for certificate profiles in System Center Configuration Manager.
Use these steps to configure your infrastructure for SCEP, or PFX certificates.

Step 1 - Install and Configure the Network Device Enrollment Service and Dependencies (for SCEP certificates only)


You must install and configure the Network Device Enrollment Service role service for Active Directory Certificate
Services (AD CS), change the security permissions on the certificate templates, deploy a public key infrastructure
(PKI) client authentication certificate, and edit the registry to increase the Internet Information Services (IIS)
default URL size limit. If necessary, you must also configure the issuing certification authority (CA) to allow a
custom validity period.

IMPORTANT
Before you configure System Center Configuration Manager to work with the Network Device Enrollment Service, verify the
installation and configuration of the Network Device Enrollment Service. If these dependencies are not working correctly, you
will have difficulty troubleshooting certificate enrollment by using System Center Configuration Manager.

To install and configure the Network Device Enrollment Service and dependencies
1. On a server that is running Windows Server 2012 R2, install and configure the Network Device Enrollment
Service role service for the Active Directory Certificate Services server role. For more information, see
Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on
TechNet.
2. Check, and if necessary, modify the security permissions for the certificate templates that the Network
Device Enrollment Service is using:
For the account that runs the System Center Configuration Manager console: Read permission.
This permission is required so that when you run the Create Certificate Profile Wizard, you can
browse to select the certificate template that you want to use when you create a SCEP settings
profile. Selecting a certificate template means that some settings in the wizard are automatically
populated, so there is less for you to configure and there is less risk of selecting settings that are not
compatible with the certificate templates that the Network Device Enrollment Service is using.
For the SCEP Service account that the Network Device Enrollment Service application pool uses:
Read and Enroll permissions.
This requirement is not specific to System Center Configuration Manager but is part of configuring
the Network Device Enrollment Service. For more information, see Network Device Enrollment
Service Guidance in the Active Directory Certificate Services library on TechNet.
TIP
To identify which certificate templates the Network Device Enrollment Service is using, view the following registry key
on the server that is running the Network Device Enrollment Service:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.

NOTE
These are the default security permissions that will be appropriate for most environments. However, you can use an
alternative security configuration. For more information, see Planning for certificate template permissions for
certificate profiles in System Center Configuration Manager.

3. Deploy to this server a PKI certificate that supports client authentication. You might already have a suitable
certificate installed on the computer that you can use, or you might have to (or prefer to) deploy a
certificate specifically for this purpose. For more information about the requirements for this certificate,
refer to the details for Servers running the Configuration Manager Policy Module with the Network Device
Enrollment Service role service in the PKI Certificates for Servers section in the PKI certificate
requirements for System Center Configuration Manager topic.

TIP
If you need help deploying this certificate, you can use the instructions for Deploying the Client Certificate for
Distribution Points, because the certificate requirements are the same with one exception:
Do not select the Allow private key to be exported check box on the Request Handling tab of the
properties for the certificate template.
You do not have to export this certificate with the private key because you will be able to browse to the local
Computer store and select it when you configure the System Center Configuration Manager Policy Module.

4. Locate the root certificate that the client authentication certificate chains to. Then, export this root CA
certificate to a certificate (.cer) file. Save this file to a secured location that you can securely access when
you later install and configure the site system server for the certificate registration point.
5. On the same server, use the registry editor to increase the IIS default URL size limit by setting the following
registry key DWORD values in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters:
Set the MaxFieldLength key to 65534.
Set the MaxRequestBytes key to 16777216.
For more information, see article 820129: Http.sys registry settings for Windows in the Microsoft
Knowledge Base.
6. On the same server, in Internet Information Services (IIS) Manager, modify the request-filtering settings for
the /certsrv/mscep application, and then restart the server. In the Edit Request Filtering Settings dialog
box, the Request Limits settings should be as follows:
Maximum allowed content length (Bytes): 30000000
Maximum URL length (Bytes): 65534
Maximum query string (Bytes): 65534
For more information about these settings and how to configure them, see Requests Limits in the IIS
Reference Library.
7. If you want to be able to request a certificate that has a lower validity period than the certificate template
that you are using: This configuration is disabled by default for an enterprise CA. To enable this option on
an enterprise CA, use the Certutil command-line tool, and then stop and restart the certificate service by
using the following commands:
a. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
b. net stop certsvc
c. net start certsvc
For more information, see Certificate Services Tools and Settings in the PKI Technologies library on
TechNet.
8. Verify that the Network Device Enrollment Service is working by using the following link as an example:
https://server.contoso.com/certsrv/mscep/mscep.dll. You should see the built-in Network Device
Enrollment Service webpage. This webpage explains what the service is and explains that network devices
use the URL to submit certificate requests.
Now that the Network Device Enrollment Service and dependencies are configured, you are ready to install
and configure the certificate registration point.
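The settings from steps 2, 5, 6, 7 and 8 above, together with the certutil command that the Certificate validity period setting of the Create Certificate Profile Wizard depends on, as one added PowerShell example. This is not script from the Configuration Manager documentation or product. It assumes an elevated session on the server that hosts the Network Device Enrollment Service, that NDES was installed under the IIS site named 'Default Web Site', and that the FQDN below (taken from the documentation's sample URL) is a placeholder; the certutil part must run on the issuing CA, which may be a different server.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Run elevated on the NDES server. Enable-CustomValidityPeriod belongs on the issuing CA.
# Assumptions: NDES is under 'Default Web Site'; $NdesFqdn is a placeholder hostname.
$NdesFqdn = 'server.contoso.com'

# Step 2 (TIP): show the template names NDES actually uses. These are the values to type
# into the Certificate template name field (template names, not display names).
function Get-NdesTemplate {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    [pscustomobject]@{
        EncryptionTemplate     = $p.EncryptionTemplate
        GeneralPurposeTemplate = $p.GeneralPurposeTemplate
        SignatureTemplate      = $p.SignatureTemplate
    }
}

# Step 5: raise the HTTP.sys URL size limits. HTTP.sys reads these at start-up,
# so they take effect after the server restart that step 6 calls for.
function Set-HttpSysLimits {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    Set-ItemProperty -Path $key -Name MaxFieldLength  -Value 65534    -Type DWord
    Set-ItemProperty -Path $key -Name MaxRequestBytes -Value 16777216 -Type DWord
}

# Step 6: request filtering limits for the /certsrv/mscep application.
function Set-MscepRequestLimits {
    Import-Module WebAdministration
    $psPath = 'IIS:\Sites\Default Web Site\certsrv\mscep'
    $filter = 'system.webServer/security/requestFiltering/requestLimits'
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name maxAllowedContentLength -Value 30000000
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name maxUrl                  -Value 65534
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name maxQueryString          -Value 65534
}

# Step 7 (on the issuing CA): let certificate profiles request a validity period shorter
# than the template's. Restart-Service does what "net stop/net start certsvc" does.
function Enable-CustomValidityPeriod {
    certutil -setreg 'Policy\EditFlags' '+EDITF_ATTRIBUTEENDDATE'
    Restart-Service -Name certsvc
}

# Step 8: confirm the NDES endpoint serves its built-in information page.
function Test-NdesEndpoint {
    param([string]$Fqdn = $NdesFqdn)
    $uri = "https://$Fqdn/certsrv/mscep/mscep.dll"
    $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -UseDefaultCredentials
    ($r.StatusCode -eq 200) -and ($r.Content -match 'Network Device Enrollment Service')
}

Get-NdesTemplate | Format-List
Set-HttpSysLimits
Set-MscepRequestLimits
Enable-CustomValidityPeriod   # skip here if the CA is a separate server
Test-NdesEndpoint
```

Compare the output of Get-NdesTemplate with the template permissions you set in step 2: the SCEP service account needs Read and Enroll on exactly these templates, and a mismatch between a typed template name and these values produces the "template name in the CSR and the challenge do not match" error described in the certificate profile wizard section.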

Step 2 - Install and configure the certificate registration point.


You must install and configure at least one certificate registration point in the System Center Configuration
Manager hierarchy, and you can install this site system role in the central administration site or in a primary site.

IMPORTANT
Before you install the certificate registration point, see the Site System Requirements section in the Supported
configurations for System Center Configuration Manager topic for operating system requirements and dependencies for the
certificate registration point.

To install and configure the certificate registration point

1. In the System Center Configuration Manager console, click Administration.


2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and
then select the server that you want to use for the certificate registration point.
3. On the Home tab, in the Server group, click Add Site System Roles.
4. On the General page, specify the general settings for the site system, and then click Next.
5. On the Proxy page, click Next. The certificate registration point does not use Internet proxy settings.
6. On the System Role Selection page, select Certificate registration point from the list of available roles,
and then click Next.
7. On the Certificate Registration Mode page, select whether you want this certificate registration point to
Process SCEP certificate requests, or Process PFX certificate requests. A certificate registration point
cannot process both kinds of requests, but you can create multiple certificate registration points if you are
working with both certificate types.
If processing PFX certificates, you'll need to choose a certificate authority, either Microsoft or Entrust.
8. The Certificate Registration Point Settings page varies according to the certificate type:
If you selected Process SCEP certificate requests, then configure the following:
Website name, HTTPS port number, and Virtual application name for the certificate
registration point. These fields are filled in automatically with default values.
URL for the Network Device Enrollment Service and root CA certificate - Click Add, then
in the Add URL and Root CA Certificate dialog box, specify the following:
URL for the Network Device Enrollment Service: Specify the URL in the following
format: https://<server_FQDN>/certsrv/mscep/mscep.dll. For example, if the FQDN of
your server that is running the Network Device Enrollment Service is
server1.contoso.com, type https://server1.contoso.com/certsrv/mscep/mscep.dll.
Root CA Certificate: Browse to and select the certificate (.cer) file that you created and
saved in Step 1: Install and configure the Network Device Enrollment Service and
dependencies. This root CA certificate allows the certificate registration point to validate
the client authentication certificate that the System Center Configuration Manager Policy
Module will use.
If you selected Process PFX certificate requests, you configure the connection details and
credentials for the selected certificate authority.
To use Microsoft as the certificate authority, click Add then in the Add a Certificate
Authority and Account dialog box, specify the following:
Certificate Authority Server Name - Enter the name of your certificate authority server.
Certificate Authority Account - Click Set to select, or create the account that has
permissions to enroll in templates on the certification authority.
Certificate Registration Point Connection Account - Select or create the account that
connects the certificate registration point to the Configuration Manager database.
Alternatively, you can use the local computer account of the computer hosting the certificate
registration point.
Active Directory Certificate Publishing Account - Select an account, or create a
new account that will be used to publish certificates to user objects in Active Directory.
In the URL for the Network Device Enrollment and root CA certificate dialog
box, specify the following, and then click OK:
To use Entrust as the certificate authority, specify:
The MDM web service URL
The username and password credentials for the URL.
When using the MDM API to define the Entrust web service URL, be sure to use at
least version 9 of the API, as shown in the following sample:
https://entrust.contoso.com:19443/mdmws/services/AdminServiceV9

Earlier versions of the API do not support Entrust.


9. Click Next and complete the wizard.
10. Wait a few minutes to let the installation finish, and then verify that the certificate registration point was
installed successfully by using any of the following methods:
In the Monitoring workspace, expand System Status, click Component Status, and look for status
messages from the SMS_CERTIFICATE_REGISTRATION_POINT component.
On the site system server, use the <ConfigMgr Installation Path>\Logs\crpsetup.log file and
<ConfigMgr Installation Path>\Logs\crpmsi.log file. A successful installation will return an exit code
of 0.
By using a browser, verify that you can connect to the URL of the certificate registration point—for
example, https://server1.contoso.com/CMCertificateRegistration. You should see a Server Error
page for the application name, with an HTTP 404 description.
11. Locate the exported certificate file for the root CA that the certificate registration point automatically
created in the following folder on the primary site server computer: <ConfigMgr Installation
Path>\inboxes\certmgr.box. Save this file to a secured location that you can securely access when you later
install the System Center Configuration Manager Policy Module on the server that is running the Network
Device Enrollment Service.

TIP
This certificate is not immediately available in this folder. You might need to wait awhile (for example, half an hour)
before System Center Configuration Manager copies the file to this location.
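The post-installation checks in steps 10 and 11 above, as an added PowerShell example that is not part of the Configuration Manager documentation. The FQDN, virtual application name and installation path are placeholders (the FQDN and application name come from the documentation's own sample URL); the "exit code" pattern used on the setup logs is an assumption about the log wording and is deliberately loose.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Assumptions: placeholder FQDN, default virtual application name, assumed install path.
$CrpFqdn     = 'server1.contoso.com'
$CrpApp      = 'CMCertificateRegistration'
$InstallPath = 'C:\Program Files\Microsoft Configuration Manager'   # stands in for <ConfigMgr Installation Path>

# Step 10, browser check: a healthy CRP answers a GET on its application root with
# HTTP 404. Invoke-WebRequest throws on 404, so the expected result lives in the catch
# block; no HTTP response at all (TLS or connection failure) is reported as a failure.
function Test-CrpUrl {
    param([string]$Fqdn = $CrpFqdn, [string]$App = $CrpApp)
    $uri = "https://$Fqdn/$App"
    try {
        Invoke-WebRequest -Uri $uri -UseBasicParsing | Out-Null
        return $false    # a 2xx here means something other than the CRP answered
    } catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { return $false }
        return ([int]$resp.StatusCode -eq 404)
    }
}

# Step 10, log check: both setup logs must exist; report the last line mentioning an exit code.
function Get-CrpSetupResult {
    param([string]$Path = $InstallPath)
    foreach ($log in 'crpsetup.log', 'crpmsi.log') {
        $file = Join-Path $Path "Logs\$log"
        if (-not (Test-Path $file)) { "$log : missing"; continue }
        $hit = Select-String -Path $file -Pattern 'exit code' -SimpleMatch | Select-Object -Last 1
        if ($hit) { "$log : $($hit.Line.Trim())" } else { "$log : no exit code line found" }
    }
}

# Step 11, on the primary site server: the exported root CA file appears in certmgr.box
# only after a delay, so an empty result shortly after installation is not an error yet.
function Get-CrpRootCaExport {
    param([string]$Path = $InstallPath)
    Get-ChildItem -Path (Join-Path $Path 'inboxes\certmgr.box') -Filter '*.cer' -ErrorAction SilentlyContinue
}

Test-CrpUrl
Get-CrpSetupResult
Get-CrpRootCaExport
```

Run Test-CrpUrl from a machine that trusts the CRP's server certificate; a TLS trust failure surfaces as "no response" rather than as the expected 404, and that distinction is what the catch block preserves.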

Step 3 - Install the System Center Configuration Manager Policy Module (for SCEP certificates only).


You must install and configure the System Center Configuration Manager Policy Module on each server that you
specified in Step 2: Install and configure the certificate registration point as URL for the Network Device
Enrollment Service in the properties for the certificate registration point.
To install the Policy Module

1. On the server that runs the Network Device Enrollment Service, log on as a domain administrator and
copy the following files from the <ConfigMgrInstallationMedia>\SMSSETUP\POLICYMODULE\X64
folder on the System Center Configuration Manager installation media to a temporary folder:
PolicyModule.msi
PolicyModuleSetup.exe
In addition, if you have a LanguagePack folder on the installation media, copy this folder and its contents.
2. From the temporary folder, run PolicyModuleSetup.exe to start the System Center Configuration Manager
Policy Module Setup wizard.
3. On the initial page of the wizard, click Next, accept the license terms, and then click Next.
4. On the Installation Folder page, accept the default installation folder for the policy module or specify an
alternative folder, and then click Next.
5. On the Certificate Registration Point page, specify the URL of the certificate registration point by using
the FQDN of the site system server and the virtual application name that is specified in the properties for
the certificate registration point. The default virtual application name is CMCertificateRegistration. For
example, if the site system server has an FQDN of server1.contoso.com and you used the default virtual
application name, specify https://server1.contoso.com/CMCertificateRegistration.
6. Accept the default port of 443 or specify the alternative port number that the certificate registration point is
using, and then click Next.
7. On the Client Certificate for the Policy Module page, browse to and specify the client authentication
certificate that you deployed in Step 1: Install and configure the Network Device Enrollment Service
and dependencies, and then click Next.
8. On the Certificate Registration Point Certificate page, click Browse to select the exported certificate file
for the root CA that you located and saved at the end of Step 2: Install and configure the certificate
registration point.
NOTE
If you did not previously save this certificate file, it is located in the <ConfigMgr Installation
Path>\inboxes\certmgr.box on the site server computer.

9. Click Next and complete the wizard.


If you want to uninstall the System Center Configuration Manager Policy Module, use Programs and
Features in Control Panel.
Now that you have completed the configuration steps, you are ready to deploy certificates to users and devices by
creating and deploying certificate profiles. For more information about how to create certificate profiles, see How
to create certificate profiles in System Center Configuration Manager.
Cryptographic controls technical reference
5/22/2018 • 20 min to read

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager uses signing and encryption to help protect the management of the devices
in the Configuration Manager hierarchy. With signing, if data has been altered in transit, it's discarded. Encryption
helps prevent an attacker from reading the data by using a network protocol analyzer.
The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two Configuration
Manager sites communicate with each other, they sign their communications with SHA-256. The primary
encryption algorithm implemented in Configuration Manager is 3DES. This is used for storing data in the
Configuration Manager database and for client HTTP communication. When you use client communication over
HTTPS, you can configure your public key infrastructure (PKI) to use RSA certificates with the maximum hashing
algorithms and key lengths that are documented in PKI certificate requirements for System Center Configuration
Manager.
For most cryptographic operations for Windows-based operating systems, Configuration Manager uses SHA-2,
3DES and AES, and RSA algorithms from the Windows CryptoAPI library rsaenh.dll.

IMPORTANT
See information about recommended changes in response to SSL vulnerabilities in About SSL Vulnerabilities.

Cryptographic controls for Configuration Manager operations


Information in Configuration Manager can be signed and encrypted, whether or not you use PKI certificates with
Configuration Manager.
Policy signing and encryption
Client policy assignments are signed by the self-signed site server signing certificate to help prevent the security
risk of a compromised management point sending policies that have been tampered with. This is important if you
are using Internet-based client management because this environment requires a management point that is
exposed to Internet communication.
Policy is encrypted with 3DES when it contains sensitive data. Policy that contains sensitive data is sent to
authorized clients only. Policy that does not have sensitive data is not encrypted.
When policy is stored on the clients, it is encrypted with Data Protection application programming interface
(DPAPI).
Policy hashing
When Configuration Manager clients request policy, they first get a policy assignment so that they know which
policies apply to them, and then they request only those policy bodies. Each policy assignment contains the
calculated hash for the corresponding policy body. The client retrieves the applicable policy bodies and then
calculates the hash on that body. If the hash on the downloaded policy body does not match the hash in the policy
assignment, the client discards the policy body.
The hashing algorithm for policy is SHA-1 and SHA-256.
Content hashing
The distribution manager service on the site server hashes the content files for all packages. The policy provider
includes the hash in the software distribution policy. When the Configuration Manager client downloads the
content, the client regenerates the hash locally and compares it to the one supplied in the policy. If the hashes
match, the content has not been altered and the client installs it. If a single byte of the content has been altered, the
hashes will not match and the software will not be installed. This check helps to ensure that the correct software is
installed because the actual content is crosschecked with the policy.
The default hashing algorithm for content is SHA-256. To change this default, see the documentation for the
Configuration Manager Software Development Kit (SDK).
Not all devices can support content hashing. The exceptions include:
Windows clients when they stream App-V content.
Windows Phone clients, though these clients verify the signature of an application that is signed by a trusted
source.
Windows RT client, though these clients verify the signature of an application that is signed by a trusted
source and also use package full name (PFN) validation.
iOS, though these devices verify the signature of an application that is signed by any developer certificate
from a trusted source.
Nokia client, though, these clients verify the signature of an application that uses a self-signed certificate. Or,
the signature of a certificate from a trusted source and the certificate can sign Nokia Symbian Installation
Source (SIS) applications.
Android. In addition, these devices do not use signature validation for application installation.
Clients that run on versions of Linux and UNIX that do not support SHA-256. For more information, see
Planning for client deployment to Linux and UNIX computers in System Center Configuration Manager.
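The hash check that both the Policy hashing and Content hashing paragraphs above describe, as an added PowerShell example that is not Configuration Manager code: the side that publishes a policy embeds the SHA-256 digest of the body or content, the receiving side rehashes exactly the bytes it obtained and discards them on any mismatch. The function names, the package ID and the sample payload are all constructed for the example.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Function names, package ID and payload are constructed for illustration only.

# Hex-encoded SHA-256 of a byte array; the same routine serves both sides.
function Get-ContentHash {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try   { [System.BitConverter]::ToString($sha.ComputeHash($Bytes)).Replace('-', '') }
    finally { $sha.Dispose() }
}

# Publishing side (the distribution manager / policy provider role in the text):
# hash the content once and carry the digest inside the policy.
function New-ContentPolicy {
    param([string]$PackageId, [byte[]]$Content)
    [pscustomobject]@{
        PackageId = $PackageId
        Algorithm = 'SHA256'
        Hash      = Get-ContentHash -Bytes $Content
    }
}

# Receiving side (the client role in the text): recompute over the bytes that were
# actually downloaded and compare against the policy. Unknown algorithms are refused
# rather than silently skipped, so a downgraded policy cannot bypass the check.
function Test-DownloadedContent {
    param([pscustomobject]$Policy, [byte[]]$Downloaded)
    if ($Policy.Algorithm -ne 'SHA256') {
        throw "Unsupported hash algorithm '$($Policy.Algorithm)' in policy for $($Policy.PackageId)"
    }
    (Get-ContentHash -Bytes $Downloaded) -eq $Policy.Hash
}

# Constructed sample content standing in for a package file.
$content = [System.Text.Encoding]::UTF8.GetBytes('installer payload for package ABC00001 (constructed sample)')
$policy  = New-ContentPolicy -PackageId 'ABC00001' -Content $content

# An untampered download is accepted.
Test-DownloadedContent -Policy $policy -Downloaded $content

# Flip one bit of one byte, as an in-transit modification would: the digests no longer
# agree and the client discards the content instead of installing it.
$tampered = [byte[]]$content.Clone()
$tampered[10] = $tampered[10] -bxor 0x01
Test-DownloadedContent -Policy $policy -Downloaded $tampered
```

The check is only as strong as the channel that delivers the policy: the digest is trustworthy because the policy assignment itself is signed by the site server signing certificate, as the Policy signing and encryption paragraph explains, so an attacker who can alter content cannot also alter the expected hash.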
Inventory signing and encryption
Inventory that clients send to management points is always signed by devices, regardless of whether they
communicate with management points over HTTP or HTTPS. If they use HTTP, you can choose to encrypt this
data, which is a security best practice.
State migration encryption
Data stored on state migration points for operating system deployment is always encrypted by the User State
Migration Tool (USMT) by using 3DES.
Encryption for multicast packages to deploy operating systems
For every operating system deployment package, you can enable encryption when the package is transferred to
computers by using multicast. The encryption uses Advanced Encryption Standard (AES). If you enable encryption,
no additional certificate configuration is required. The multicast-enabled distribution point automatically generates
symmetric keys for encrypting the package. Each package has a different encryption key. The key is stored on the
multicast-enabled distribution point by using standard Windows APIs. When the client connects to the multicast
session, the key exchange occurs over a channel encrypted with either the PKI-issued client authentication
certificate (when the client uses HTTPS) or the self-signed certificate (when the client uses HTTP). The client stores
the key in memory only for the duration of the multicast session.
Encryption for media to deploy operating systems
When you use media to deploy operating systems and specify a password to protect the media, the environment
variables are encrypted by using Advanced Encryption Standard (AES). Other data on the media, including
packages and content for applications, is not encrypted.
Encryption for content that is hosted on cloud-based distribution points
Beginning with System Center 2012 Configuration Manager SP1, when you use cloud-based distribution points,
the content that you upload to these distribution points is encrypted by using Advanced Encryption Standard (AES)
with a 256-bit key size. The content is re-encrypted whenever you update it. When clients download the content, it
is encrypted and protected by the HTTPS connection.
Signing in software updates
All software updates must be signed by a trusted publisher to protect against tampering. On client computers, the
Windows Update Agent (WUA) scans for the updates from the catalog, but will not install the update if it cannot
locate the digital certificate in the Trusted Publishers store on the local computer. If a self-signed certificate was
used for publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the
Trusted Root Certification Authorities certificate store on the local computer to verify the validity of the certificate.
WUA also checks whether the Allow signed content from intranet Microsoft update service location Group
Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to scan for the
updates that were created and published with Updates Publisher.
When software updates are published in System Center Updates Publisher, a digital certificate signs the software
updates when they are published to an update server. You can either specify a PKI certificate or configure Updates
Publisher to generate a self-signed certificate to sign the software update.
Signed configuration data for compliance settings
When you import configuration data, Configuration Manager verifies the file's digital signature. If the files have not
been signed, or if the digital signature verification check fails, you will be warned and prompted whether to
continue with the import. Continue to import the configuration data only if you explicitly trust the publisher and
the integrity of the files.
Encryption and hashing for client notification
If you use client notification, all communication uses TLS and the highest encryption that the server and client
operating systems can negotiate. For example, a client computer running Windows 7 and a management point
running Windows Server 2008 R2 can support 128-bit AES encryption, whereas a client computer running Windows
Vista that connects to the same management point will negotiate down to 3DES encryption. The same negotiation
occurs for hashing the packets that are transferred during client notification, which uses SHA-1 or SHA-2.

Certificates used by Configuration Manager


For a list of the public key infrastructure (PKI) certificates that can be used by Configuration Manager, any special
requirements or limitations, and how the certificates are used, see PKI certificate requirements for System Center
Configuration Manager. This list includes the supported hash algorithms and key lengths. Most certificates support
SHA-256 and a 2048-bit key length.

NOTE
All certificates that Configuration Manager uses must contain only single-byte characters in the subject name or subject
alternative name.

PKI certificates are required for the following scenarios:


When you manage Configuration Manager clients on the Internet.
When you manage Configuration Manager clients on mobile devices.
When you manage Mac computers.
When you use cloud-based distribution points.
When you manage Intel AMT-based computers out of band.
For most other Configuration Manager communications that require certificates for authentication, signing,
or encryption, Configuration Manager automatically uses PKI certificates if they are available. If they are not
available, Configuration Manager generates self-signed certificates.
Configuration Manager does not use PKI certificates when it manages mobile devices by using the
Exchange Server connector.
Mobile device management and PKI certificates
If the mobile device has not been locked by the mobile operator, you can use Configuration Manager or Microsoft
Intune to request and install a client certificate. This certificate provides mutual authentication between the client
on the mobile device and Configuration Manager site systems or Microsoft Intune services. If your mobile device is
locked, you cannot use Configuration Manager or Intune to deploy certificates.
If you enable hardware inventory for mobile devices, Configuration Manager or Intune also inventories the
certificates that are installed on the mobile device.
Operating system deployment and PKI certificates
When you use Configuration Manager to deploy operating systems and a management point requires HTTPS
client connections, the client computer must also have a certificate to communicate with the management point,
even though it is in a transitional phase such as booting from task sequence media or a PXE-enabled distribution
point. To support this scenario, you must create a PKI client authentication certificate and export it with the private
key and then import it to the site server properties and also add the management point’s trusted root CA
certificate.
If you create bootable media, you import the client authentication certificate when you create the bootable media.
Configure a password on the bootable media to help protect the private key and other sensitive data configured in
the task sequence. Every computer that boots from the bootable media will present the same certificate to the
management point as required for client functions such as requesting client policy.
If you use PXE boot, you import the client authentication certificate to the PXE-enabled distribution point and it
uses the same certificate for every client that boots from that PXE-enabled distribution point. As a security best
practice, require users who connect their computers to a PXE service to supply a password to help protect the
private key and other sensitive data in the task sequences.
If either of these client authentication certificates is compromised, block the certificates in the Certificates node in
the Administration workspace, Security node. To manage these certificates, you must have the Manage
operating system deployment certificate right.
After the operating system is deployed and the Configuration Manager client is installed, the client will require its
own PKI client authentication certificate for HTTPS client communication.
ISV proxy solutions and PKI certificates
Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. For example, an
ISV could create extensions to support non-Windows client platforms such as Macintosh or UNIX computers.
However, if the site systems require HTTPS client connections, these clients must also use PKI certificates for
communication with the site. Configuration Manager includes the ability to assign a certificate to the ISV proxy
that enables communications between the ISV proxy clients and the management point. If you use extensions that
require ISV proxy certificates, consult the documentation for that product. For more information about how to
create ISV proxy certificates, see the Configuration Manager Software Developer Kit (SDK).
If the ISV certificate is compromised, block the certificate in the Certificates node in the Administration
workspace, Security node.
Asset intelligence and certificates
Configuration Manager installs with an X.509 certificate that the Asset Intelligence synchronization point uses to
connect to Microsoft. Configuration Manager uses this certificate to request a client authentication certificate from
the Microsoft certificate service. The client authentication certificate is installed on the Asset Intelligence
synchronization point site system server and it is used to authenticate the server to Microsoft. Configuration
Manager uses the client authentication certificate to download the Asset Intelligence catalog and to upload
software titles.
This certificate has a key length of 1024 bits.
Cloud-based distribution points and certificates
Beginning with System Center 2012 Configuration Manager SP1, cloud-based distribution points require a
management certificate (self-signed or PKI) that you upload to Microsoft Azure. This management certificate
requires server authentication capability and a certificate key length of 2048 bits. In addition, you must configure a
service certificate for each cloud-based distribution point, which cannot be self-signed but also has server
authentication capability and a minimum certificate key length of 2048 bits.

NOTE
The self-signed management certificate is for testing purposes only and not for use on production networks.

Clients do not require a client PKI certificate to use cloud-based distribution points; they authenticate to the
management point by using either a self-signed certificate or a client PKI certificate. The management point then
issues a Configuration Manager access token to the client, which the client presents to the cloud-based distribution
point. The token is valid for 8 hours.
The Microsoft Intune Connector and certificates
When Microsoft Intune enrolls mobile devices, you can manage these mobile devices in Configuration Manager by
creating a Microsoft Intune connector. The connector uses a PKI certificate with client authentication capability to
authenticate Configuration Manager to Microsoft Intune and to transfer all information between them by using
SSL. The certificate key size is 2048 bits and uses the SHA-1 hash algorithm.
When you install the connector, a signing certificate is created and stored on the site server for sideloading keys,
and an encryption certificate is created and stored on the certificate registration point to encrypt the Simple
Certificate Enrollment Protocol (SCEP) challenge. These certificates also have a key size of 2048 bits and use the
SHA-1 hash algorithm.
When Intune enrolls mobile devices, it installs a PKI certificate onto the mobile device. This certificate has client
authentication capability, uses a key size of 2048 bits, and uses the SHA-1 hash algorithm.
These PKI certificates are automatically requested, generated, and installed by Microsoft Intune.
CRL checking for PKI certificates
A PKI certificate revocation list (CRL) increases administrative and processing overhead, but it is more secure.
However, if CRL checking is enabled but the CRL is inaccessible, the PKI connection fails. For more information,
see Security and privacy for System Center Configuration Manager.
Certificate revocation list (CRL) checking is enabled by default in IIS, so if you are using a CRL with your PKI
deployment, there is nothing additional to configure on most Configuration Manager site systems that run IIS. The
exception is software updates, which requires a manual step to enable CRL checking to verify the signatures on
software update files.
CRL checking is enabled by default for client computers when they use HTTPS client connections. CRL checking is
not enabled by default when you run the Out of Band Management console to connect to AMT-based computers,
but you can enable this option. You cannot disable CRL checking for clients on Mac computers in Configuration
Manager SP1 or later.
CRL checking is not supported for the following connections in Configuration Manager:
Server-to-server connections.
Mobile devices that are enrolled by Configuration Manager.
Mobile devices that are enrolled by Microsoft Intune.

Cryptographic controls for server communication


Configuration Manager uses the following cryptographic controls for server communication.
Server communication within a site
Each site system server uses a certificate to transfer data to other site systems in the same Configuration Manager
site. Some site system roles also use certificates for authentication. For example, if you install the enrollment proxy
point on one server and the enrollment point on another server, they can authenticate one another by using this
identity certificate. When Configuration Manager uses a certificate for this communication, if there is a PKI
certificate available that has server authentication capability, Configuration Manager automatically uses it; if not,
Configuration Manager generates a self-signed certificate. This self-signed certificate has server authentication
capability, uses SHA-256, and has a key length of 2048 bits. Configuration Manager copies the certificate to the
Trusted People store on other site system servers that might need to trust the site system. Site systems can then
trust one another by using these certificates and PeerTrust.
In addition to this certificate for each site system server, Configuration Manager generates a self-signed certificate
for most site system roles. When there is more than one instance of the site system role in the same site, they share
the same certificate. For example, you might have multiple management points or multiple enrollment points in the
same site. This self-signed certificate also uses SHA-256 and has a key length of 2048 bits. It is also copied to the
Trusted People Store on site system servers that might need to trust it. The following site system roles generate this
certificate:
Application Catalog web service point
Application Catalog website point
Asset Intelligence synchronization point
Certificate registration point
Endpoint Protection point
Enrollment point
Fallback status point
Management point
Multicast-enabled distribution point
Out of band service point
Reporting services point
Software update point
State migration point
System Health Validator point
Microsoft Intune connector
These certificates are managed automatically by Configuration Manager, and where necessary,
automatically generated.
Configuration Manager also uses a client authentication certificate to send status messages from the
distribution point to the management point. When the management point is configured for HTTPS client
connections only, you must use a PKI certificate. If the management point accepts HTTP connections, you
can use a PKI certificate or select the option to use a self-signed certificate that has client authentication
capability, uses SHA-256, and has a key length of 2048 bits.
Server communication between sites
Configuration Manager transfers data between sites by using database replication and file-based replication. For
more information, see Communications between endpoints in System Center Configuration Manager.
Configuration Manager automatically configures the database replication between sites and uses PKI certificates
that have server authentication capability if these are available; if not, Configuration Manager creates self-signed
certificates for server authentication. In both cases, authentication between sites is established by using certificates
in the Trusted People Store that uses PeerTrust. This certificate store is used to ensure that only the SQL Server
computers that are used by the Configuration Manager hierarchy participate in site-to-site replication. Whereas
primary sites and the central administration site can replicate configuration changes to all sites in the hierarchy,
secondary sites can replicate configuration changes only to their parent site.
Site servers establish site-to-site communication by using a secure key exchange that happens automatically. The
sending site server generates a hash and signs it with its private key. The receiving site server checks the signature
by using the public key and compares the hash with a locally generated value. If they match, the receiving site
accepts the replicated data. If the values do not match, Configuration Manager rejects the replication data.
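As an added example that is not Configuration Manager's own code, the following PowerShell models the site-to-site check just described: the sending site hashes the replication payload and signs that hash with its private key, and the receiving site recomputes the hash, verifies the signature with the sender's public key and rejects the data on any mismatch. The message layout and function names are assumptions; the key size and hash algorithm follow the figures on this page (RSA 2048, SHA-256).

```powershell
# Added example, not Configuration Manager code. Models the signed-hash exchange between site servers.
# Assumptions: RSA 2048 with PKCS#1 v1.5 signatures over a SHA-256 digest, and a message made up of
# payload, transmitted digest and signature.

function New-SignedReplicationMessage {
    param(
        [Parameter(Mandatory)][byte[]]$Payload,
        [Parameter(Mandatory)][System.Security.Cryptography.RSACryptoServiceProvider]$SenderKey
    )
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash($Payload)
    $sha.Dispose()
    # Sign the digest, not the raw payload; the receiver recomputes the same digest independently.
    $signature = $SenderKey.SignHash(
        $hash,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    [pscustomobject]@{ Payload = $Payload; Hash = $hash; Signature = $signature }
}

function Test-SignedReplicationMessage {
    param(
        [Parameter(Mandatory)]$Message,
        [Parameter(Mandatory)][System.Security.Cryptography.RSACryptoServiceProvider]$SenderPublicKey
    )
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $local = $sha.ComputeHash($Message.Payload)
    $sha.Dispose()
    # Two checks, as described above: the signature must verify under the sender's public key
    # against the locally generated digest, and that digest must equal the transmitted one.
    $sigOk = $SenderPublicKey.VerifyHash(
        $local,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        $Message.Signature,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $hashOk = ([System.BitConverter]::ToString($local) -eq [System.BitConverter]::ToString($Message.Hash))
    return ($sigOk -and $hashOk)
}

# Constructed demonstration: the sending site keeps the private key; the receiving site holds only
# the public half, as it would via a certificate in its Trusted People store.
$sendingSite  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$receiverCopy = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$receiverCopy.ImportParameters($sendingSite.ExportParameters($false))   # public parameters only

$payload = [System.Text.Encoding]::UTF8.GetBytes('site=PS1;table=Collections;rows=42')  # constructed data
$message = New-SignedReplicationMessage -Payload $payload -SenderKey $sendingSite
if (Test-SignedReplicationMessage -Message $message -SenderPublicKey $receiverCopy) {
    'Replication data accepted'
}

# Alter one byte in transit: the recomputed digest no longer matches and the signature fails to verify.
$message.Payload[0] = $message.Payload[0] -bxor 0x01
if (-not (Test-SignedReplicationMessage -Message $message -SenderPublicKey $receiverCopy)) {
    'Replication data rejected'
}
```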
Database replication in Configuration Manager uses the SQL Server Service Broker to transfer data between sites
by using the following mechanisms:
SQL Server to SQL Server connection: This uses Windows credentials for server authentication and
self-signed certificates with 1024 bits to sign and encrypt the data by using Advanced Encryption Standard
(AES). If PKI certificates with server authentication capability are available, these will be used. The certificate
must be located in the Personal store for the Computer certificate store.
SQL Service Broker: This uses self-signed certificates with 2048 bits for authentication and to sign and
encrypt the data by using Advanced Encryption Standard (AES). The certificate must be located in the SQL
Server master database.
File-based replication uses the Server Message Block (SMB) protocol and uses SHA-256 to sign this data.
The data is not encrypted, but it does not contain any sensitive data. If you want to encrypt this data, you can
use IPsec, which you must implement independently from Configuration Manager.

Cryptographic controls for clients that use HTTPS communication to site systems


When site system roles accept client connections, you can configure them to accept HTTPS and HTTP connections,
or only HTTPS connections. Site system roles that accept connections from the Internet only accept client
connections over HTTPS.
Client connections over HTTPS offer a higher level of security by integrating with a public key infrastructure (PKI)
to help protect client-to-server communication. However, configuring HTTPS client connections without a
thorough understanding of PKI planning, deployment, and operations could still leave you vulnerable. For example,
if you do not secure your root CA, attackers could compromise the trust of your entire PKI infrastructure. Failing to
deploy and manage the PKI certificates by using controlled and secured processes might result in unmanaged
clients that cannot receive critical software updates or packages.
IMPORTANT
The PKI certificates that are used for client communication protect the communication only between the client and some site
systems. They do not protect the communication channel between the site server and site systems or between site servers.

Communication that is unencrypted when clients use HTTPS communication


When clients communicate with site systems by using HTTPS, communications are usually encrypted over SSL.
However, in the following situations, clients communicate with site systems without using encryption:
Client fails to make an HTTPS connection on the intranet and falls back to using HTTP when site systems
allow this configuration
Communication to the following site system roles:
Client sends state messages to the fallback status point
Client sends PXE requests to a PXE-enabled distribution point
Client sends notification data to a management point
Reporting services points are configured to use HTTP or HTTPS independently from the client
communication mode.

Cryptographic controls for clients that use HTTP communication to site systems


When clients use HTTP communication to site system roles, they can use PKI certificates for client authentication,
or self-signed certificates that Configuration Manager generates. When Configuration Manager generates self-
signed certificates, they have a custom object identifier for signing and encryption, and these certificates are used
to uniquely identify the client. For all supported operating systems except Windows Server 2003, these self-signed
certificates use SHA-256, and have a key length of 2048 bits. For Windows Server 2003, SHA1 is used with a key
length of 1024 bits.
Operating system deployment and self-signed certificates
When you use Configuration Manager to deploy operating systems with self-signed certificates, a client computer
must also have a certificate to communicate with the management point, even if the computer is in a transitional
phase such as booting from task sequence media or a PXE-enabled distribution point. To support this scenario for
HTTP client connections, Configuration Manager generates self-signed certificates that have a custom object
identifier for signing and encryption, and these certificates are used to uniquely identify the client. For all
supported operating systems except Windows Server 2003, these self-signed certificates use SHA-256, and have a
key length of 2048 bits. For Windows Server 2003, SHA1 is used with a key length of 1024 bits. If these
self-signed certificates are compromised, to prevent attackers from using them to impersonate trusted clients,
block the certificates in the Certificates node in the Administration workspace, Security node.
Client and server authentication
When clients connect over HTTP, they authenticate the management points by using either Active Directory
Domain Services or by using the Configuration Manager trusted root key. Clients do not authenticate other site
system roles, such as state migration points or software update points.
When a management point first authenticates a client by using the self-signed client certificate, this mechanism
provides minimal security because any computer can generate a self-signed certificate. In this scenario, the client
identity process must be augmented by approval. Only trusted computers must be approved, either automatically
by Configuration Manager, or manually, by an administrative user. For more information, see the approval section
in Communications between endpoints in System Center Configuration Manager.
About SSL vulnerabilities
To improve the security of your Configuration Manager clients and servers, do the following:
Enable TLS 1.2
To enable TLS 1.2 for Configuration Manager, see the following KB article: How to enable TLS 1.2 for
Configuration Manager.
Disable SSL 3.0, TLS 1.0, and TLS 1.1
Reorder the TLS-related cipher suites
For more information, see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
and Prioritizing Schannel Cipher Suites. These procedures do not affect Configuration Manager functionality.
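As an added example that is not part of the Configuration Manager documentation or product, the following PowerShell applies the three steps above through the Schannel registry values the linked articles describe, and then audits what is actually configured. The helper function names, the cipher suite subset and the choice to set both roles are assumptions; confirm that SQL Server and every site system support TLS 1.2 before disabling the older protocols.

```powershell
# Added example, not from the Configuration Manager documentation or product. Enables TLS 1.2,
# disables SSL 3.0 / TLS 1.0 / TLS 1.1, pins a cipher suite order and audits the result.
# Run in an elevated session; Schannel reads these values at boot, so a restart is required.

$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # The Server role covers site systems accepting connections; the Client role covers site systems
    # and clients initiating them. Each has its own subkey, so set both (assumption: you want the same policy).
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $ProtocolRoot "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 turns the protocol on; DisabledByDefault=1 stops Schannel offering it unless an
        # application asks for it explicitly. Set both so the intent is unambiguous.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Audit helper: reports what is configured, which is what a reviewer or a compliance check
    # should look at rather than trusting that the hardening script ran.
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Server', 'Client') {
            $key   = Join-Path $ProtocolRoot "$protocol\$role"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = if ($null -ne $props.Enabled) { [int]$props.Enabled } else { 'OS default' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { [int]$props.DisabledByDefault } else { 'OS default' }
            }
        }
    }
}

# Cipher suite priority, written to the value the "SSL Cipher Suite Order" Group Policy uses.
# The list is an illustrative subset (assumption: trim it to your own baseline and to the suites this
# Windows version supports); Schannel expects one comma-separated string with no spaces.
$CipherPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$PreferredSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)
if (-not (Test-Path $CipherPolicyKey)) { New-Item -Path $CipherPolicyKey -Force | Out-Null }
New-ItemProperty -Path $CipherPolicyKey -Name 'Functions' -PropertyType String -Value ($PreferredSuites -join ',') -Force | Out-Null

# .NET Framework components (the console and site components are .NET) need these values to follow
# the operating system protocol defaults instead of hard-coding SSL 3.0 / TLS 1.0.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $net) {
        New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $net -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
foreach ($legacy in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol -Protocol $legacy -Enabled $false }
Get-SchannelProtocolState | Format-Table -AutoSize
```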
Endpoint Protection
4/30/2018 • 4 min to read

Applies to: System Center Configuration Manager (Current Branch)


Endpoint Protection manages antimalware policies and Windows Firewall security for client computers in your
Configuration Manager hierarchy.

IMPORTANT
You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:
Configure antimalware policies, Windows Firewall settings, and manage Windows Defender Advanced Threat
Protection to selected groups of computers
Use Configuration Manager software updates to download the latest antimalware definition files to keep client
computers up-to-date
Send email notifications, use in-console monitoring, and view reports. These actions inform administrative
users when malware is detected on client computers.
Beginning with Windows 10 and Windows Server 2016 computers, Windows Defender is already installed. For
these operating systems, a management client for Windows Defender is installed when the Configuration
Manager client installs. On Windows 8.1 and earlier computers, the Endpoint Protection client is installed with the
Configuration Manager client. Windows Defender and the Endpoint Protection client have the following
capabilities:
Malware and spyware detection and remediation
Rootkit detection and remediation
Critical vulnerability assessment and automatic definition and engine updates
Network vulnerability detection through Network Inspection System
Integration with Cloud Protection Service to report malware to Microsoft. When you join this service, the
Endpoint Protection client or Windows Defender downloads the latest definitions from the Malware Protection
Center when unidentified malware is detected on a computer.

NOTE
The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest virtual machines with supported
operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in randomized delay so that
protection services do not run simultaneously.

In addition, you manage Windows Firewall settings with Endpoint Protection in the Configuration Manager
console.
Example scenario: Using System Center Endpoint Protection to protect computers from malware in System Center
Configuration Manager Endpoint Protection and the Windows Firewall.

Managing Malware with Endpoint Protection


Endpoint Protection in Configuration Manager allows you to create antimalware policies that contain settings for
Endpoint Protection client configurations. Deploy these antimalware policies to client computers. Then monitor
compliance in the Endpoint Protection Status node under Security in the Monitoring workspace. Also use
Endpoint Protection reports in the Reporting node.
Additional information:
How to create and deploy antimalware policies for Endpoint Protection in System Center Configuration
Manager - Create, deploy, and monitor antimalware policies with a list of the settings that you can configure
How to monitor Endpoint Protection in System Center Configuration Manager - Monitoring activity
reports, infected client computers, and more.
How to manage antimalware policies and firewall settings for Endpoint Protection in System Center
Configuration Manager - Remediate malware found on client computers

Managing Windows Firewall with Endpoint Protection


Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client
computers. For each network profile, you can configure the following settings:
Enable or disable the Windows Firewall.
Block incoming connections, including those in the list of allowed programs.
Notify the user when Windows Firewall blocks a new program.

NOTE
Endpoint Protection supports managing the Windows Firewall only.

For more information, see How to create and deploy Windows Firewall policies for Endpoint Protection.

Windows Defender Advanced Threat Protection


Endpoint Protection manages and monitors Windows Defender Advanced Threat Protection (ATP). The Windows
Defender ATP service helps enterprises detect, investigate, and respond to advanced attacks on the corporate
network. For more information, see Windows Defender Advanced Threat Protection.

Endpoint Protection Workflow


Use the following diagram to help you understand the workflow to implement Endpoint Protection in your
Configuration Manager hierarchy.
Endpoint Protection Client for Mac Computers and Linux Servers
System Center Endpoint Protection includes an Endpoint Protection client for Linux and for Mac computers. These
clients are not supplied with Configuration Manager; instead, you must download the following products from the
Microsoft Volume Licensing Service Center.
System Center Endpoint Protection for the Mac
System Center Endpoint Protection for Linux

IMPORTANT
You must be a Microsoft Volume License customer to download the Endpoint Protection installation files for Linux and the
Mac.

These products cannot be managed from the Configuration Manager console. However, a System Center
Operations Manager management pack is supplied with the installation files, which allows you to manage the
client for Linux by using Operations Manager.
How to get the Endpoint Protection client for Mac computers and Linux servers
Use the following steps to download the image file containing the Endpoint Protection client software and
documentation for Mac computers and Linux servers.
1. Sign in to the Microsoft Volume Licensing Service Center.
2. Select the Downloads and Keys tab at the top of the website.
3. Filter on product System Center Endpoint Protection (current branch).
4. Click the link to Download.
5. Click Continue. You should see several files, including one named: System Center Endpoint Protection
(current branch - version 1606) for Linux OS and Macintosh OS Multilanguage 32/64 bit 1878 MB
ISO.
6. To download the file, click the arrow icon. The file name is
SW_DVD5_Sys_Ctr_Endpnt_Prtctn_1606_MultiLang_-3_EptProt_Lin_Mac_MLF_X21-67050.ISO.
The January 2018 update (X21-67050) includes the following versions:
System Center Endpoint Protection for Mac 4.5.32.0 (support for macOS 10.13 High Sierra)
System Center Endpoint Protection for Linux 4.5.20.0
For more information about how to install and manage the Endpoint Protection clients for Linux and Mac
computers, use the documentation that accompanies these products. This product documentation is in the
Documentation folder of the .ISO file.
Configure Endpoint Protection
4/30/2018 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


Before you can use Endpoint Protection to manage security and malware on Configuration Manager client
computers, you must perform the configuration steps detailed in this article.

How to Configure Endpoint Protection in Configuration Manager


Endpoint Protection in Configuration Manager has external dependencies and dependencies in the product.
Steps to Configure Endpoint Protection in Configuration Manager
Use the following table for the steps, details, and more information about how to configure Endpoint Protection.

IMPORTANT
If you manage endpoint protection for Windows 10 computers, then you must configure Configuration Manager to update
and distribute malware definitions for Windows Defender. Windows Defender is included in Windows 10 but SCEPInstall must
still be installed and custom client settings for Endpoint Protection (Step 5 below) are still required.

Starting in Configuration Manager 1802, Windows 10 devices do not need to have the Endpoint Protection agent
(SCEPInstall) installed. If it is already installed on Windows 10 devices, Configuration Manager will not remove it.
Administrators can remove the Endpoint Protection agent on Windows 10 devices that are running at least the 1802 client
version. SCEPInstall.exe may still be present in C:\Windows\ccmsetup on some machines but should not be downloaded on
new client installations. Custom client settings for Endpoint Protection (Step 5 below) are still required.

STEPS / DETAILS

Step 1: Create an Endpoint Protection point site system role
The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must
be installed on one site system server only, and it must be installed at the top of the hierarchy on a central
administration site or a stand-alone primary site.

Step 2: Configure alerts for Endpoint Protection
Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts are
displayed in the Alerts node of the Monitoring workspace, or optionally can be emailed to specified users.

Step 3: Configure definition update sources for Endpoint Protection clients
Endpoint Protection can be configured to use various sources to download definition updates.

Step 4: Configure the default antimalware policy and create custom antimalware policies
The default antimalware policy is applied when the Endpoint Protection client is installed. Any custom policies
you have deployed are applied by default, within 60 minutes of deploying the client. Ensure that you have
configured antimalware policies before you deploy the Endpoint Protection client.

Step 5: Configure custom client settings for Endpoint Protection
Use custom client settings to configure Endpoint Protection settings for collections of computers in your
hierarchy.
Note: Do not configure the default Endpoint Protection client settings unless you are sure that you want these
settings applied to all computers in your hierarchy.
Create an Endpoint Protection point site system role
4/30/2018 • 3 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must
be installed on one site system server only, and it must be installed at the top of the hierarchy on a central
administration site or a stand-alone primary site.
Use one of the following procedures depending on whether you want to install a new site system server for
Endpoint Protection or use an existing site system server:
Install on a new site system server
Install on an existing site system server

IMPORTANT
When you install an Endpoint Protection point, an Endpoint Protection client is installed on the server hosting the Endpoint
Protection point. Services and scans are disabled on this client to enable it to co-exist with any existing antimalware solution
that is installed on the server. If you later enable this server for management by Endpoint Protection and select the option to
remove any third-party antimalware solution, the third-party product will not be removed. You must uninstall this product
manually.

New site system server


1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System
Roles.
3. On the Home tab, in the Create group, click Create Site System Server.
4. On the General page, specify the general settings for the site system, and then click Next.
5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and
then click Next.
6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check
box, and then click Next.

IMPORTANT
You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.

7. On the Cloud Protection Service page, select the level of information that you want to send to Microsoft
to help develop new definitions, and then click Next.
NOTE
This option configures the Cloud Protection Service (formerly known as Microsoft Active Protection Service or MAPS)
settings that are used by default. You can then configure custom settings for each antimalware policy you create. Join
Cloud Protection Service, to help to keep your computers more secure by supplying Microsoft with malware samples
that can help Microsoft to keep antimalware definitions more up-to-date. Additionally, when you join Cloud
Protection Service, the Endpoint Protection client can use the dynamic signature service to download new definitions
before they are published to Windows Update. For more information, see How to create and deploy antimalware
policies for Endpoint Protection in System Center Configuration Manager.

8. Complete the wizard.

Existing site system server


1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and
then select the server that you want to use for Endpoint Protection.
3. On the Home tab, in the Server group, click Add Site System Roles.
4. On the General page, specify the general settings for the site system, and then click Next.
5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and
then click Next.
6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check
box, and then click Next.

IMPORTANT
You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.

7. On the Cloud Protection Service page, select the level of information that you want to send to Microsoft
to help develop new definitions, and then click Next.

NOTE
This option configures the Cloud Protection Service settings (formerly known as MAPS) that are used by default. You
can configure custom settings for each antimalware policy you configure. For more information, see How to create
and deploy antimalware policies for Endpoint Protection in System Center Configuration Manager.

8. Complete the wizard.
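The two procedures above, done from the ConfigurationManager PowerShell module instead of the console. This is an added example, not code from the page or from Microsoft; it checks the two rules stated at the top of this page (one Endpoint Protection point per hierarchy, placed on the central administration site or a stand-alone primary site) before adding the role. Assumptions: site code PS1, server name cm01.corp.example, and that Get-CMSite reports Type 2 for a primary site and 4 for a central administration site.

```powershell
# Added example (not from the page): install the Endpoint Protection point role with the
# ConfigurationManager module. Site code, server name and the site Type values are assumptions.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$siteCode = 'PS1'
$server   = 'cm01.corp.example'

# Rule 1: the role must be on the top-level site (assumed: Type 2 = primary, 4 = CAS).
$site = Get-CMSite -SiteCode $siteCode
if ($site.Type -notin 2, 4) {
    throw "Site $siteCode is not a primary or central administration site; the role cannot go here."
}

# Rule 2: only one Endpoint Protection point is allowed in the hierarchy.
$existing = @(Get-CMEndpointProtectionPoint)
if ($existing.Count -gt 0) {
    throw "An Endpoint Protection point already exists: $($existing[0].NetworkOSPath)"
}

# Register the server as a site system if it is not one yet (the "new site system server" path).
if (-not (Get-CMSiteSystemServer -SiteSystemServerName $server -SiteCode $siteCode)) {
    New-CMSiteSystemServer -SiteSystemServerName $server -SiteCode $siteCode | Out-Null
}

# -LicenseAgreed is step 6 (the role is unusable without it). -ProtectionService is the
# Cloud Protection Service level from step 7: DoNotJoinMaps, BasicMembership or AdvancedMembership.
Add-CMEndpointProtectionPoint -SiteSystemServerName $server -SiteCode $siteCode `
    -LicenseAgreed $true -ProtectionService AdvancedMembership

# Confirm that exactly one role now exists.
Get-CMEndpointProtectionPoint | Select-Object SiteCode, NetworkOSPath
```

Run this on a machine with the console installed, as an account that holds the Full Administrator role; the Cloud Protection Service level set here is only the default, and each antimalware policy can still override it.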


Configure Alerts for Endpoint Protection in
Configuration Manager
4/30/2018 • 4 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


You can configure Endpoint Protection alerts in Microsoft System Center Configuration Manager to notify
administrative users when specific events, such as a malware infection, occur in your hierarchy. Notifications
display in the Endpoint Protection dashboard in the Configuration Manager console in the Alerts node of the
Monitoring workspace, or can be emailed to specified users.
Use the following steps and the supplemental procedures in this topic to configure alerts for Endpoint Protection
in Configuration Manager.

IMPORTANT
You must have the Enforce Security permission for collections to configure Endpoint Protection alerts.

Steps to Configure Alerts for Endpoint Protection in Configuration Manager

1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, click Device Collections.
3. In the Device Collections list, select the collection for which you want to configure alerts, and then on the
Home tab, in the Properties group, click Properties.

NOTE
You cannot configure alerts for user collections.

4. On the Alerts tab of the <Collection Name> Properties dialog box, select View this collection in the
Endpoint Protection dashboard if you want to view details about antimalware operations for this
collection in the Monitoring workspace of the Configuration Manager console.

NOTE
This option is unavailable for the All Systems collection.

5. On the Alerts tab of the <Collection Name> Properties dialog box, click Add.
6. In the Add New Collection Alerts dialog box, in the Generate an alert when these conditions apply
section, select the alerts that you want Configuration Manager to generate when the specified Endpoint
Protection events occur, and then click OK.
7. In the Conditions list of the Alerts tab, select each Endpoint Protection alert, and then specify the
following information:
Alert Name - Accept the default name or enter a new name for the alert.
Alert Severity - In the list, select the alert level to display in the Configuration Manager console.
8. Depending on the alert that you select, specify the following additional information:
Malware detection - This alert is generated if malware is detected on any computer in the
collection that you monitor. The Malware detection threshold specifies the malware detection
levels at which this alert is generated:
High - All detections - The alert is generated when there are one or more computers in the
specified collection on which any malware is detected, regardless of what action the Endpoint
Protection client takes.
Medium - Detected, pending action - The alert is generated when there is one or more
computers in the specified collection on which malware is detected, and you must manually
remove the malware.
Low - Detected, still active - The alert is generated when there are one or more computers
in the specified collection on which malware is detected and is still active.
Malware outbreak - This alert is generated if specified malware is detected on a specified
percentage of computers in the collection that you monitor.
Percentage of computers with malware detected - The alert is generated when the
percentage of computers with malware that is detected in the collection exceeds the
percentage that you specify. Specify a percentage from 1 through 99.

NOTE
The percentage value is based on the number of computers in the collection, but excludes computers
that do not have a Configuration Manager client installed. It includes computers that do not yet have
the Endpoint Protection client installed.

Repeated malware detection - This alert is generated if specific malware is detected more than a
specified number of times over a specified number of hours on the computers in the collection that
you monitor. Specify the following information to configure this alert:
Number of times malware has been detected: - The alert is generated when the same
malware is detected on computers in the collection more than the specified number of times.
Specify a number from 2 through 32.
Interval for detection (hours): Specify the detection interval (in hours) in which the
number of malware detections must occur. Specify a number from 1 through 168.
Multiple malware detection - This alert is generated if more than a specified number of malware
types are detected over a specified number of hours on computers in the collection that you monitor.
Specify the following information to configure this alert:
Number of malware types detected: The alert is generated when the specified number of
different malware types are detected on computers in the collection. Specify a number from 2
through 32.
Interval for detection (hours): Specify the detection interval, in hours, in which the number
of malware detections must occur. Specify a number from 1 through 168.
9. Click OK to close the <Collection Name> Properties dialog box.
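The four alert conditions in step 8 are easy to misread (in particular, what the outbreak percentage divides by). The script below is an added example, not Configuration Manager code: it re-implements each condition as a function and runs it over a constructed set of detection records, so you can see what each threshold counts. The device names, threat names, times and action states are all made up for this example.

```powershell
# Added example (not Configuration Manager code): the four collection alert conditions as
# functions, evaluated over constructed detection records.
$now = Get-Date '2018-04-30T12:00:00Z'

# One object per collection member. HasCMClient: Configuration Manager client installed.
# HasEPClient: Endpoint Protection client installed. Each detection carries the client's
# action state: Removed, PendingAction (needs manual removal) or Active (still present).
function New-Detection([string]$Threat, [int]$HoursAgo, [string]$State) {
    [pscustomobject]@{ Threat = $Threat; Time = $now.AddHours(-$HoursAgo); State = $State }
}
$collection = @(
    [pscustomobject]@{ Name = 'PC01'; HasCMClient = $true;  HasEPClient = $true;  Detections = @(
        (New-Detection 'Trojan:Win32/SampleA' 1 'Removed')) }
    [pscustomobject]@{ Name = 'PC02'; HasCMClient = $true;  HasEPClient = $true;  Detections = @(
        (New-Detection 'Trojan:Win32/SampleA' 2 'PendingAction'),
        (New-Detection 'Worm:Win32/SampleB' 30 'Removed')) }
    [pscustomobject]@{ Name = 'PC03'; HasCMClient = $true;  HasEPClient = $true;  Detections = @(
        (New-Detection 'Trojan:Win32/SampleA' 3 'Active')) }
    [pscustomobject]@{ Name = 'PC04'; HasCMClient = $true;  HasEPClient = $false; Detections = @() }
    [pscustomobject]@{ Name = 'PC05'; HasCMClient = $false; HasEPClient = $false; Detections = @() }
)

# Every detection in the collection at or after $Since.
function Get-Detections([object[]]$Devices, [datetime]$Since = [datetime]::MinValue) {
    foreach ($d in $Devices) {
        foreach ($det in @($d.Detections)) {
            if ($det.Time -ge $Since) { $det }
        }
    }
}

# Malware detection: the threshold decides which action states count.
#   High   = any detection, whatever the client did about it
#   Medium = detections that still need manual removal
#   Low    = detections that are still active
function Test-MalwareDetectionAlert([object[]]$Devices, [string]$Threshold) {
    $states = switch ($Threshold) {
        'High'   { 'Removed', 'PendingAction', 'Active' }
        'Medium' { 'PendingAction' }
        'Low'    { 'Active' }
    }
    $hits = @(Get-Detections $Devices | Where-Object { $states -contains $_.State })
    return $hits.Count -gt 0
}

# Malware outbreak: share of devices with at least one detection. The denominator is every
# device with a Configuration Manager client, including devices that have no Endpoint
# Protection client yet; devices without a Configuration Manager client are left out.
function Get-OutbreakPercent([object[]]$Devices) {
    $managed  = @($Devices | Where-Object { $_.HasCMClient })
    $infected = @($managed | Where-Object { @($_.Detections).Count -gt 0 })
    if ($managed.Count -eq 0) { return 0 }
    return [math]::Round(100.0 * $infected.Count / $managed.Count, 1)
}
function Test-MalwareOutbreakAlert([object[]]$Devices, [int]$Percent) {
    return (Get-OutbreakPercent $Devices) -gt $Percent
}

# Repeated malware detection: one threat seen more than $Count times within $IntervalHours.
function Test-RepeatedDetectionAlert([object[]]$Devices, [int]$Count, [int]$IntervalHours) {
    $recent = @(Get-Detections $Devices -Since ($now.AddHours(-$IntervalHours)))
    foreach ($group in ($recent | Group-Object -Property Threat)) {
        if ($group.Count -gt $Count) { return $true }
    }
    return $false
}

# Multiple malware detection: more than $Types distinct threats within $IntervalHours.
function Test-MultipleDetectionAlert([object[]]$Devices, [int]$Types, [int]$IntervalHours) {
    $recent   = @(Get-Detections $Devices -Since ($now.AddHours(-$IntervalHours)))
    $distinct = @($recent | Select-Object -ExpandProperty Threat -Unique)
    return $distinct.Count -gt $Types
}

# Evaluate the sample collection with thresholds like the ones typed into the dialog.
[pscustomobject]@{
    'Detection (High)'       = Test-MalwareDetectionAlert $collection 'High'
    'Detection (Medium)'     = Test-MalwareDetectionAlert $collection 'Medium'
    'Detection (Low)'        = Test-MalwareDetectionAlert $collection 'Low'
    'Outbreak percent'       = Get-OutbreakPercent $collection
    'Outbreak (> 50%)'       = Test-MalwareOutbreakAlert $collection 50
    'Repeated (> 2 in 24 h)' = Test-RepeatedDetectionAlert $collection 2 24
    'Multiple (> 1 in 24 h)' = Test-MultipleDetectionAlert $collection 1 24
    'Multiple (> 1 in 48 h)' = Test-MultipleDetectionAlert $collection 1 48
} | Format-List
```

Two things the sample data is built to show: PC05 has no Configuration Manager client and therefore drops out of the outbreak denominator (3 of 4 managed devices have detections, not 3 of 5), and the second threat on PC02 is 30 hours old, so the "multiple malware" condition only fires once the interval is widened past it.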

Alert for outdated malware client


Beginning with Configuration Manager version 1702, you can configure an alert to ensure Endpoint Protection
clients are not outdated. You can view Antimalware Client Version and Endpoint Protection Deployment
Status by going to Assets and Compliance > Overview > Devices > All Desktop and Server Clients. To check
for an alert, view Alerts in the Monitoring workspace. If more than 20% of managed clients are running an
expired version of antimalware software, the Antimalware client version is outdated alert is displayed.
This alert doesn't appear on the Monitoring > Overview tab. To update expired antimalware clients, enable
software updates for antimalware clients.
To configure the percentage at which the alert is generated, expand Monitoring > Alerts > All Alerts,
double-click Antimalware clients out of date and modify the Raise alert if percentage of managed clients
with an outdated version of the antimalware client is more than option.
Configure Definition Updates for Endpoint Protection
4/30/2018 • 2 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


With Endpoint Protection in System Center Configuration Manager, you can use any of several available methods
to keep antimalware definitions up to date on client computers in your hierarchy. The information in this topic can
help you to select and configure these methods.
To update antimalware definitions, you can use one or more of the following methods:
Updates distributed from Configuration Manager - This method uses Configuration Manager software
updates to deliver definition and engine updates to computers in your hierarchy.
Updates distributed from Windows Server Update Services (WSUS ) - This method uses your WSUS
infrastructure to deliver definition and engine updates to computers.
Updates distributed from Microsoft Update - This method allows computers to connect directly to Microsoft
Update in order to download definition and engine updates. This method can be useful for computers that
are not often connected to the business network.
Updates distributed from Microsoft Malware Protection Center - This method will download definition
updates from the Microsoft Malware Protection Center.
Updates from UNC file shares - With this method, you can save the latest definition and engine updates to a
share on the network. Clients can then access the network to install the updates.
You can configure multiple definition update sources and control the order in which they are assessed and
applied. This is done in the Configure Definition Update Sources dialog box when you create an
antimalware policy.

IMPORTANT
For Windows 10 PCs, you must configure Endpoint Protection to update malware definitions for Windows Defender.

How to Configure Definition Update Sources


Use the following procedure to configure the definition update sources to use for each antimalware policy.
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware
Policies.
3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For
more information about how to create antimalware policies, see How to create and deploy antimalware
policies for Endpoint Protection in System Center Configuration Manager.
4. In the Definition updates section of the antimalware properties dialog box, click Set Source.
5. In the Configure Definition Update Sources dialog box, select the sources to use for definition updates.
You can click Up or Down to modify the order in which these sources are used.
6. Click OK to close the Configure Definition Update Sources dialog box.
Using Configuration Manager Software Updates to
Deliver Definition Updates
4/30/2018 • 4 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


You can configure Configuration Manager software updates to deliver definition updates to client computers. This
is done by configuring automatic deployment rules. Before you begin to create automatic deployment rules, make
sure that you have configured Configuration Manager software updates. For more information, see Introduction to
software updates in System Center Configuration Manager.

NOTE
This procedure is only for the items that must be specifically configured for Endpoint Protection. For more information about
the Create Automatic Deployment Rule Wizard, see Automatically deploy software updates.

To configure an automatic deployment rule to deliver definition updates

1. In the Configuration Manager console, click Software Library.
2. In the Software Library workspace, expand Software Updates, and then click Automatic Deployment
Rules.
3. On the Home tab, in the Create group, click Create Automatic Deployment Rule.
4. On the General page of the Create Automatic Deployment Rule Wizard, specify the following
information:
Name: Enter a unique name for the automatic deployment rule.
Collection: Select the collection of client computers to which you want to deploy definition updates.

NOTE
You cannot deploy definition updates to a collection of users.

5. Click Add to an existing Software Update Group.


6. Make sure that the Enable the deployment after this rule is run check box is selected, and then click
Next.
7. On the Deployment Settings page of the wizard, in the Detail level list, select Minimal, and then click
Next.

NOTE
From the Detail level list, select Minimal (Configuration Manager 2012 with no service pack) or Only error
messages (later versions). This reduces the number of state messages returned by definition deployment, which
in turn reduces CPU usage on the Configuration Manager servers.

8. In the Property filters list, select the Update Classification check box.
9. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify
the value to search for list, select Definition Updates.
10. Click OK to close the Search Criteria dialog box.
11. In the Property filters list, select the Product check box.
12. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify
the value to search for list, select Forefront Endpoint Protection 2010 for Windows 8.1 and earlier or
Windows Defender for Windows 10 and later.
13. Click OK to close the Search Criteria dialog box, and then click Next.
14. Optionally, you can filter out superseded updates. To do so:
a. In the Property filters list, select the Superseded check box.
b. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the
Specify the value to search for list, select No.

15. Click OK to close the Search Criteria dialog box, and then click Next.
16. On the Evaluation Schedule page of the wizard, select Enable rule to run on a schedule, and then
configure the schedule by which to download definition updates. At a minimum, set the rule to run two
hours after each software update point synchronization. Click Next.
17. On the Deployment Schedule page of the wizard, configure the following settings:
Time based on: Select UTC if you want all clients in the hierarchy to install the latest definitions at
the same time. The actual installation time will vary within a two-hour window. This setting is a
recommended best practice.
Software available time: Specify the available time for the deployment that is created by this rule.
The specified time must be at least one hour after the automatic deployment rule runs. This helps to
ensure that the content has sufficient time to replicate to the distribution points in your hierarchy.
Some definition updates might also include antimalware engine updates, which might take longer to
reach distribution points.
Installation deadline: Select As soon as possible.

NOTE
Software update deadlines are varied over a two-hour period to prevent all clients from requesting an update
at the same time.

18. Click Next.


19. On the User Experience page of the wizard, in the User notifications list, select Hide in Software
Center and all notifications. This ensures that the definition updates install silently. Click Next.
20. On the Alerts page of the wizard, you do not have to configure any alerts. Endpoint Protection in
Configuration Manager generates any alerts that might be required. Click Next.
21. On the Download Settings page of the wizard, select the necessary software updates download behavior,
and then click Next.
22. On the Deployment Package page of the wizard, select an existing deployment package or create a new
deployment package to contain the software update files associated with the rule.
NOTE
Consider placing definition updates in a package that does not contain other software updates. This strategy keeps
the size of the definition update package smaller, which allows it to replicate to distribution points more quickly.

23. On the Distribution Points page of the wizard, select one or more distribution points to which the content
for this package will be copied, and then click Next.
24. On the Download Location page of the wizard, select Download software updates from the Internet,
and then click Next.
25. On the Language Selection page of the wizard, select each language version of the updates to be
downloaded, and then click Next.
26. Complete the Create Automatic Deployment Rule Wizard.
27. Verify that the new rule is displayed in the Automatic Deployment Rules node of the Configuration
Manager console.
Enable Endpoint Protection malware definitions to
download from Windows Server Update Services
(WSUS) for Configuration Manager
4/30/2018 • 3 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


If you use WSUS to keep your antimalware definitions up to date, you can configure it to auto-approve definition
updates. Although using Configuration Manager software updates is the recommended method to keep
definitions up to date, you can also configure WSUS as a definition update source that lets users manually
initiate definition updates. Use the following procedures to configure WSUS as a definition update source.

To synchronize Endpoint Protection definition updates in Configuration Manager software updates

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, and then click Sites.
3. Select the site that contains your software update point. In the Settings group, click Configure Site
Components, and then click Software Update Point.
4. On the Classifications tab of the Software Update Point Component Properties dialog box, select the
Definition Updates check box.
5. Specify the Products updated with WSUS:
For Windows 8.1 and earlier, on the Products tab of the Software Update Point Component
Properties dialog box, select the Forefront Endpoint Protection 2010 check box.
For Windows 10 and later, on the Products tab of the Software Update Point Component
Properties dialog box, select the Windows Defender and Windows Technical Preview 2 check
boxes.
6. Click OK to close the Software Update Point Component Properties dialog box.
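The software update point settings in the procedure above and the automatic deployment rule from "Using Configuration Manager Software Updates to Deliver Definition Updates", done together with the ConfigurationManager module, since the rule only finds definitions once the classification and products are synchronized. This is an added example, not code from the page or from Microsoft. The cmdlets named here exist; the exact parameter names are from the module's reference as I recall them, so confirm them with Get-Help New-CMSoftwareUpdateAutoDeploymentRule -Full for your release. Assumptions: site code PS1, the collection, package and distribution point names, and the package source path.

```powershell
# Added example (not from the page): software update point products/classification plus an ADR
# for definition updates. Names, site code and paths are assumptions; verify parameter names
# against your module version.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$products = 'Forefront Endpoint Protection 2010', 'Windows Defender'

# Software update point: synchronize the Definition Updates classification for both products.
Set-CMSoftwareUpdatePointComponent -SiteCode 'PS1' `
    -AddUpdateClassification 'Definition Updates' `
    -AddProduct $products

# A package that holds nothing but definitions, so it stays small and replicates quickly.
$pkgName = 'EP Definitions'
if (-not (Get-CMSoftwareUpdateDeploymentPackage -Name $pkgName)) {
    New-CMSoftwareUpdateDeploymentPackage -Name $pkgName -Path '\\cm01.corp.example\Sources$\EPDefs' | Out-Null
    Start-CMContentDistribution -DeploymentPackageName $pkgName -DistributionPointName 'dp01.corp.example'
}

# Schedule: every 8 hours from 02:00. Offset it from the software update point synchronization
# so the rule runs after new definitions have landed in the catalog.
$schedule = New-CMSchedule -Start (Get-Date '2018-04-30 02:00') -RecurInterval Hours -RecurCount 8

# The rule itself: definitions only, no superseded updates, UTC timing, content available one hour
# after the rule runs, deadline as soon as possible, silent to users, errors-only state messages.
New-CMSoftwareUpdateAutoDeploymentRule -Name 'EP Definition Updates' `
    -CollectionName 'All Desktop and Server Clients' `
    -AddToExistingSoftwareUpdateGroup $true `
    -EnabledAfterCreate $true `
    -VerboseLevel OnlyErrorMessages `
    -UpdateClassification 'Definition Updates' `
    -Product $products `
    -Superseded $false `
    -RunType RunTheRuleOnSchedule `
    -Schedule $schedule `
    -UseUtc $true `
    -AvailableTime 1 -AvailableTimeUnit Hours `
    -DeadlineImmediately $true `
    -UserNotification HideAll `
    -DeployWithoutLicense $true `
    -DeploymentPackageName $pkgName `
    -DownloadFromInternet $true `
    -LanguageSelection 'English' | Out-Null

# Verify the rule exists, then run it once rather than waiting for the first scheduled pass.
Get-CMSoftwareUpdateAutoDeploymentRule -Name 'EP Definition Updates' | Select-Object Name
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name 'EP Definition Updates'
```

After the first run, check that the deployment created by the rule targets the device collection you intended and that the package content has reached the distribution points before the available time; a definition deployment whose content is still replicating is the most common reason clients report "update not found" on the first cycle.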
Use the following procedure to configure Endpoint Protection updates when your WSUS server is not
integrated into your Configuration Manager environment.

To synchronize Endpoint Protection definition updates in standalone WSUS

1. In the WSUS administration console, click Options, and then click Products and Classifications.
2. On the Products tab of the Products and Classifications dialog box, specify the products updated with
WSUS:
For Windows 8.1 and earlier, select the Forefront Endpoint Protection 2010 check box.
For Windows 10 and later, select the Windows Defender and Windows Technical Preview 2 check boxes.
3. On the Classifications tab of the Products and Classifications dialog box, select the Definition
Updates and Updates check boxes.

Approving Definition Updates


Endpoint Protection definition updates must be approved and downloaded to the WSUS server before they are
offered to clients that request the list of available updates. Clients connect to the WSUS server to check for
applicable updates and then request the latest approved definition updates.
To approve definitions and updates in WSUS
1. In the WSUS administration console, click Updates, and then click All Updates or the classification of
updates that you want to approve.
2. In the list of updates, right-click the update or updates you want to approve for installation, and then click
Approve.
3. In the Approve Updates dialog box, select the computer group for which you want to approve the updates,
and then click Approved for Install.
In addition to manual approval, you can also set an automatic approval rule for definition updates and
Endpoint Protection updates. This will configure WSUS to automatically approve Endpoint Protection
definition updates downloaded by WSUS.
To configure an automatic approval rule
1. In the WSUS administration console, click Options, and then click Automatic Approvals.
2. On the Update Rules tab, click New Rule.
3. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific
classification check box.
4. Under Step 2: Edit the properties, click any classification.
5. Clear all check boxes except Definition Updates, and then click OK.
6. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific
product check box.
7. Under Step 2: Edit the properties, click any product.
8. Clear all check boxes except Forefront Endpoint Protection for Windows 8.1 and earlier or Windows
Defender for Windows 10 and later, and then click OK.
9. Under Step 3: Specify a name, enter a name for the rule, and then click OK.
10. In the Automatic Approvals dialog box, select the check box for the newly created rule and then click Run
rule.

NOTE
To maximize performance on your WSUS server and client computers, decline old definition updates. To accomplish this task,
you can configure automatic approval for revisions and automatic declining of expired updates. For more information, see
Microsoft Knowledge Base article 938947.
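The standalone-WSUS steps above (products, classifications, approval, and the note's advice to decline old definitions), done with the UpdateServices PowerShell module that ships with the WSUS role. This is an added example, not code from the page. Run it on the WSUS server with WSUS administrator rights. Assumptions: the target group name "Workstations", and that the objects returned by Get-WsusUpdate expose the underlying IUpdate through their Update property (used below to test IsSuperseded).

```powershell
# Added example (not from the page): standalone WSUS configured for definition updates with the
# UpdateServices module. Target group name and the .Update property are assumptions.
Import-Module UpdateServices
$wsus = Get-WsusServer            # local server, default port

# Products and classifications to synchronize (matched by title).
$products        = 'Forefront Endpoint Protection 2010', 'Windows Defender'
$classifications = 'Definition Updates', 'Updates'
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $products -contains $_.Product.Title } |
    Set-WsusProduct
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $classifications -contains $_.Classification.Title } |
    Set-WsusClassification

# Pull the catalog and wait for the synchronization to finish before approving anything.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()
do { Start-Sleep -Seconds 30 } while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# Approve every unapproved definition update for the chosen computer group.
Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval Unapproved -Status Any |
    Where-Object { $_.Classification -eq 'Definition Updates' } |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Workstations'

# Decline superseded definition updates so clients are not offered stale packages.
Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Classification -eq 'Definition Updates' -and $_.Update.IsSuperseded } |
    Deny-WsusUpdate
```

The approve and decline steps are what the automatic approval rule in the procedure does on every synchronization; keeping them as a scheduled script is useful on servers where you want to review what was approved, because the script's pipeline output lists each update it touched.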

Enable Endpoint Protection malware definitions to
download from Microsoft Updates for Configuration
Manager
4/30/2018 • 1 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


When you select to download definition updates from Microsoft Update, clients will check the Microsoft Update
site at the interval defined in the Definition updates section of the antimalware policy dialog box.
This method can be useful when the client does not have connectivity to the Configuration Manager site or when
you want users to be able to initiate definition updates.

IMPORTANT
Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.

Using the Microsoft Malware Protection Center to
Download Definitions
4/30/2018 • 1 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


You can configure clients to download definition updates from the Microsoft Malware Protection Center. This
option is used by Endpoint Protection clients to download definition updates if they have not been able to
download updates from another source. This update method can be useful if there is a problem with your
Configuration Manager infrastructure that prevents the delivery of updates.

IMPORTANT
Clients must have access to Microsoft Update on the Internet to be able use this method to download definition updates.

Enable Endpoint Protection malware definitions to
download from a network share for Configuration
Manager
4/30/2018 • 1 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


You can manually download the latest definition updates from Microsoft and then configure clients to download
these definitions from a shared folder on the network. Users can also initiate definition updates when you use this
update source.

NOTE
Clients must have read access to the shared folder to be able to download definition updates.

For more information about how to download the definition and engine updates to store on the file share, see
Install the latest Microsoft antimalware and antispyware software.

To configure definition downloads from a file share

1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware
Policies.
3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For
more information about how to create antimalware policies, see How to create and deploy antimalware
policies for Endpoint Protection in System Center Configuration Manager.
4. In the Definition updates section of the antimalware properties dialog box, click Set Source.
5. In the Configure Definition Update Sources dialog box, select Updates from UNC file shares.
6. Click OK to close the Configure Definition Update Sources dialog box.
7. Click Set Paths. Then, in the Configure Definition Update UNC Paths dialog box, add one or more
UNC paths to the location of the definition updates files on a network share.
8. Click OK to close the Configure Definition Update UNC Paths dialog box.
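A UNC source turns the file share into part of your update supply chain: clients execute whatever definition package they find there, so anyone who can write to the share can push code to every client that uses it. The script below is an added example, not code from the page or from Microsoft, of staging the definition package on the share the way a practitioner would: download to a staging folder, refuse anything without a valid Microsoft Authenticode signature, publish with a rename so clients never read a half-written file, and give clients read-only access while only a staging account can write. Assumptions: the share path, the account names, the one-folder-per-architecture layout, and the download link IDs (confirm them against the article linked above, which also lists the delta and NIS packages not handled here).

```powershell
# Added example (not from the page): stage mpam-fe.exe on the definition share with signature
# checking, atomic publish and read-only client access. Paths, accounts, folder layout and the
# fwlink IDs are assumptions to confirm against the linked article.
$share   = '\\fs01.corp.example\EPDefs'
$staging = Join-Path $env:TEMP 'epdefs-staging'
New-Item -ItemType Directory -Force -Path $staging | Out-Null

# Published download links for the full definition package, one per architecture.
$downloads = @{
    'x64' = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'
    'x86' = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86'
}

foreach ($arch in $downloads.Keys) {
    $tmp = Join-Path $staging "$arch-mpam-fe.exe"
    Invoke-WebRequest -Uri $downloads[$arch] -OutFile $tmp -UseBasicParsing

    # Refuse anything that is not validly signed by Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $tmp
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Signature check failed for $tmp ($($sig.Status))"
    }

    # Publish by copy-then-rename so a client reading mid-copy never gets a partial file.
    $dest = Join-Path $share $arch
    New-Item -ItemType Directory -Force -Path $dest | Out-Null
    Copy-Item $tmp (Join-Path $dest 'mpam-fe.exe.tmp') -Force
    Move-Item (Join-Path $dest 'mpam-fe.exe.tmp') (Join-Path $dest 'mpam-fe.exe') -Force
}

# NTFS permissions on the share root: clients read as their computer account (the antimalware
# service runs as SYSTEM), so Domain Computers gets read/execute; only the staging account writes.
$acl = Get-Acl $share
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting, drop inherited entries
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\Domain Computers', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$writer   = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\svc-epdefs', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($readOnly)
$acl.AddAccessRule($writer)
Set-Acl -Path $share -AclObject $acl
```

Share-level permissions are set separately from the NTFS ACL above and should match it (Everyone or Domain Computers: Read; the staging account: Change). Run the download step from a scheduled task under the staging account, not interactively as an administrator, so the share's write path stays narrow.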
How to create and deploy antimalware policies for
Endpoint Protection in System Center
Configuration Manager
4/30/2018 • 12 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


You can deploy antimalware policies to collections of System Center Configuration Manager client computers
to specify how Endpoint Protection protects them from malware and other threats. These antimalware policies
include information about the scan schedule, the types of files and folders to scan, and the actions to take when
malware is detected. When you enable Endpoint Protection, a default antimalware policy is applied to client
computers. You can also use additional policy templates that are supplied or create your own custom
antimalware policies to meet the specific needs of your environment.
Configuration Manager supplies a selection of predefined templates that are optimized for various scenarios
and can be imported into Configuration Manager. These templates are available in the folder <ConfigMgr
Install Folder>\AdminConsole\XMLStorage\EPTemplates.

IMPORTANT
If you create a new antimalware policy and deploy it to a collection, this antimalware policy overrides the default
antimalware policy.

Use the procedures in this topic to create or import antimalware policies and assign them to System Center
Configuration Manager client computers in your hierarchy.

NOTE
Before you perform these procedures, ensure that Configuration Manager is configured for Endpoint Protection as
described in Configuring Endpoint Protection in System Center Configuration Manager.

Modify the default antimalware policy

1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware
Policies.
3. Select the antimalware policy Default Client Antimalware Policy and then, on the Home tab, in the
Properties group, click Properties.
4. In the Default Antimalware Policy dialog box, configure the settings that you require for this
antimalware policy, and then click OK.

NOTE
For a list of settings that you can configure, see List of Antimalware Policy Settings in this topic.

Create a new antimalware policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware
Policies.
3. On the Home tab, in the Create group, click Create Antimalware Policy.
4. In the General section of the Create Antimalware Policy dialog box, enter a name and a description
for the policy.
5. In the Create Antimalware Policy dialog box, configure the settings that you require for this
antimalware policy, and then click OK. For a list of settings that you can configure, see List of
Antimalware Policy Settings.
6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.

Import an antimalware policy

1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware
Policies.
3. In the Home tab, in the Create group, click Import.
4. In the Open dialog box, browse to the policy file to import, and then click Open.
5. In the Create Antimalware Policy dialog box, review the settings to use, and then click OK.
6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.

Deploy an antimalware policy to client computers

1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware
Policies.
3. In the Antimalware Policies list, select the antimalware policy to deploy. Then, on the Home tab, in the
Deployment group, click Deploy.

NOTE
The Deploy option cannot be used with the Default Client Antimalware Policy.

4. In the Select Collection dialog box, select the device collection to which you want to deploy the
antimalware policy, and then click OK.
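The import and deploy procedures above as one PowerShell script, including the rule that the default policy cannot be deployed. This is an added example, not code from the Microsoft documentation: the ConfigurationManager cmdlet names are as I recall them and must be checked with Get-Command before use, and the site code, template file, policy name and collection name are placeholders.

```powershell
# Added example, not from the Microsoft documentation: import one of the
# predefined templates from the EPTemplates folder and deploy the resulting
# policy to a collection, refusing to deploy the default policy.
# ASSUMPTIONS: run on a machine with the Configuration Manager console; the
# cmdlet names Import-CMAntimalwarePolicy, Get-CMAntimalwarePolicy and
# Start-CMAntimalwarePolicyDeployment are as I recall them from the
# ConfigurationManager module (check with Get-Command before use); the site
# code, template file, policy name and collection are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string] $SiteCode,        # e.g. 'PS1' (placeholder)
    [Parameter(Mandatory)][string] $TemplateFile,    # file name inside EPTemplates (placeholder)
    [Parameter(Mandatory)][string] $PolicyName,      # name the imported policy shows in the console
    [Parameter(Mandatory)][string] $CollectionName   # target device collection (placeholder)
)

$DefaultPolicyName = 'Default Client Antimalware Policy'   # cannot be deployed (or exported)
if ($PolicyName -eq $DefaultPolicyName) {
    throw "The Deploy option is not available for '$DefaultPolicyName'; create or import a custom policy instead."
}

# SMS_ADMIN_UI_PATH points at <ConfigMgr Install Folder>\AdminConsole\bin\i386,
# so the module lives one level up and the templates two levels up.
if (-not $env:SMS_ADMIN_UI_PATH) { throw 'SMS_ADMIN_UI_PATH is not set; is the console installed?' }
$adminConsole = Split-Path -Parent (Split-Path -Parent $env:SMS_ADMIN_UI_PATH)
$templateDir  = Join-Path $adminConsole 'XMLStorage\EPTemplates'
$templatePath = Join-Path $templateDir $TemplateFile

if (-not (Test-Path -LiteralPath $templatePath)) {
    # List what is actually shipped so the caller can pick a valid template name.
    $available = (Get-ChildItem -LiteralPath $templateDir -Filter '*.xml' |
                  Select-Object -ExpandProperty Name) -join ', '
    throw "Template '$TemplateFile' not found in $templateDir. Available: $available"
}

Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1') -ErrorAction Stop
Push-Location "$($SiteCode):\"     # the module exposes each site as a PSDrive named after its code
try {
    # Import once: if a policy with this name already exists, reuse it rather than duplicating it.
    $policy = Get-CMAntimalwarePolicy -Name $PolicyName -ErrorAction SilentlyContinue
    if (-not $policy) {
        if ($PSCmdlet.ShouldProcess($templatePath, 'Import antimalware policy')) {
            Import-CMAntimalwarePolicy -Path $templatePath
            $policy = Get-CMAntimalwarePolicy -Name $PolicyName -ErrorAction Stop
        }
    }
    if ($policy -and $PSCmdlet.ShouldProcess($CollectionName, "Deploy antimalware policy '$PolicyName'")) {
        Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName $PolicyName -CollectionName $CollectionName
        Write-Host "Deployed '$PolicyName' to '$CollectionName'. Clients apply it at their next policy download."
    }
}
finally {
    Pop-Location
}
```

Run it with -WhatIf first to see which import and deployment actions it would take without changing the site.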

List of Antimalware Policy Settings

Many of the antimalware settings are self-explanatory. Use the following sections for more information about
the settings that might require more information before you configure them.
Scheduled Scans Settings
Scan Settings
Default Actions Settings
Real-time Protection Settings
Exclusion Settings
Advanced Settings
Threat Overrides Settings
Cloud Protection Service
Definition Updates Settings
Scheduled Scans Settings
Scan type - You can specify one of two scan types to run on client computers:
Quick scan - This type of scan checks the in-memory processes and folders where malware is typically
found. It requires fewer resources than a full scan.
Full Scan - This type of scan adds a full check of all local files and folders to the items scanned in the
quick scan. This scan takes longer than a quick scan and uses more CPU processing and memory
resources on client computers.
In most cases, use Quick scan to minimize the use of system resources on client computers. If malware
removal requires a full scan, Endpoint Protection generates an alert that is displayed in the
Configuration Manager console. The default value is Quick scan.
Scan Settings
Scan email and email attachments - Set to Yes to turn on e-mail scanning.
Scan removable storage devices such as USB drives - Set to Yes to scan removable drives during full
scans.
Scan network files - Set to Yes to scan network files.
Scan mapped network drives when running a full scan - Set to Yes to scan any mapped network drives on
client computers. Enabling this setting might significantly increase the scan time on client computers.
The Scan network files setting must be set to Yes for this setting to be available to configure.
By default, this setting is set to No, meaning that a full scan will not access mapped network drives.
Scan archived files - Set to Yes to scan archived files such as .zip or .rar files.
Allow users to configure CPU usage during scans - Set to Yes to allow users to specify maximum
percentage of CPU utilization during a scan. Scans will not always use the maximum load defined by users, but
they cannot exceed it.
User control of scheduled scans - Specify level of user control. Allow users to set Scan time only or Full
control of antivirus scans on their devices.
Default Actions Settings
Select the action to take when malware is detected on client computers. The following actions can be applied,
depending on the alert threat level of the detected malware.
Recommended - Use the action recommended in the malware definition file.
Quarantine - Quarantine the malware but do not remove it.
Remove - Remove the malware from the computer.
Allow - Do not remove or quarantine the malware.
Real-time Protection Settings
Enable real-time protection - Set to Yes to configure real-time protection settings for client computers. We
recommend that you enable this setting.
Monitor file and program activity on your computer - Set to Yes if you want Endpoint Protection to monitor
when files and programs start to run on client computers and to alert you about any actions that they perform
or actions taken on them.
Scan system files - This setting lets you configure whether incoming, outgoing, or incoming and outgoing
system files are monitored for malware. For performance reasons, you might have to change the default value
of Scan incoming and outgoing files if a server has high incoming or outgoing file activity.
Enable behavior monitoring - Enable this setting to use computer activity and file data to detect unknown
threats. When this setting is enabled, it might increase the time required to scan computers for malware.
Enable protection against network-based exploits - Enable this setting to protect computers against known
network exploits by inspecting network traffic and blocking any suspicious activity.
Enable script scanning - For Configuration Manager with no service pack only. Enable this setting if you want
to scan any scripts that run on computers for suspicious activity.
Block Potentially Unwanted Applications at download and prior to installation - Potentially Unwanted
Applications (PUA) is a threat classification based on reputation and research-driven identification. Most
commonly, these are unwanted application bundlers or their bundled applications. Beginning in version 1602
of Configuration Manager, this protection policy setting is available and set to Yes by default. When enabled,
this setting blocks PUA at download and install time. However, you can exclude specific files or folders to meet
the specific needs of your business or organization.


Exclusion Settings
Excluded files and folders:
Click Set to open the Configure File and Folder Exclusions dialog box and specify the names of the files and
folders to exclude from Endpoint Protection scans.
If you want to exclude files and folders that are located on a mapped network drive, specify the name of each
folder in the network drive individually. For example, if a network drive is mapped as F:\MyFolder and it
contains subfolders named Folder1, Folder2 and Folder 3, specify the following exclusions:
F:\MyFolder\Folder1
F:\MyFolder\Folder2
F:\MyFolder\Folder3
Beginning in version 1602 of Configuration Manager, the existing Exclude files and folders setting in
the Exclusion settings section of Endpoint Protection antimalware policy is improved to allow device
exclusions. For example, you can now specify the following as an exclusion: \device\mvfs (for
Multiversion File System). The policy does not validate the device path; the Endpoint Protection policy is
provided to the antimalware engine on the client which must be able to interpret the device string.
Advanced Settings
Enable reparse point scanning - Set to Yes if you want Endpoint Protection to scan NTFS reparse points.
For more information about reparse points, see Reparse Points in the Windows Dev Center.
Randomize the scheduled scan start times (within 30 minutes) - Set to Yes to help avoid flooding the
network, which can occur if all computers send their antimalware scans results to the Configuration Manager
database at the same time. This setting is also useful when you run multiple virtual machines on a single host.
Select this option to reduce the amount of simultaneous disk access for antimalware scanning.
Beginning in version 1602 of Configuration Manager, the antimalware engine may request file samples to be
sent to Microsoft for further analysis. By default, it will always prompt before it sends such samples.
Administrators can now manage the following settings to configure this behavior:
Enable auto sample file submission to help Microsoft determine whether certain detected items are
Malicious - Set to Yes to enable auto sample file submission. By default, this setting is No which means auto
sample file submission is disabled and users will be prompted before sending samples.
Allow users to modify auto sample file submission settings - This setting determines whether a user with
local administrative rights on a device can change the auto sample file submission setting in the client interface.
By default, this setting is "No" which means the settings can only be changed from within the Configuration
Manager console, and local administrators on a device cannot change this configuration.
For example, the following shows the Windows Defender setting in Windows 10 set by the administrator as
enabled, with the user not allowed to modify it.

Threat Overrides Settings

Threat name and override action - Click Set to customize the remediation action to take for each threat ID
when it is detected during a scan.

NOTE
The list of threat names might not be available immediately after the configuration of Endpoint Protection. Wait until the
Endpoint Protection point has synchronized the threat information, and then try again.

Cloud Protection Service

Cloud Protection Service enables the collection of information about detected malware on managed virtual
machines and the actions taken. This information is sent to Microsoft.
Cloud Protection Service membership
Do not join Cloud Protection Service - No information is sent
Basic - Collect and send lists of detected malware
Advanced - Basic information as well as more comprehensive information that might occasionally contain
personal information from, for example, file paths and partial memory dumps.
Allow users to modify Cloud Protection Service settings - Toggles user control of Cloud Protection
Service settings.
Level for blocking suspicious files - Specify the level at which the Endpoint Protection Cloud Protection
Service will block suspicious files.
Normal - The default Windows Defender blocking level
High - Aggressively blocks unknown files while optimizing for performance (greater chance of blocking
non-harmful files)
High with extra protection - Aggressively blocks unknown files and applies additional protection
measures (might impact client device performance)
Block unknown programs - Blocks all unknown programs
Allow extended cloud check to block and scan for up to (seconds) - Specifies the number of seconds
Cloud Protection Service can block a file while the service checks that the file is not known to be malicious.
Details of Cloud Protection Service reporting

Frequency: When Windows Defender updates virus and spyware protection or definition files
Data collected or sent: Version of virus and spyware definitions; virus and spyware protection version
Use of data: Microsoft uses this information to ensure the latest virus and spyware updates are present on
computers. If not present, Windows Defender updates automatically so computer protection stays up-to-date.

Frequency: If Windows Defender finds potentially harmful or unwanted software on computers
Data collected or sent: Name of potentially harmful or unwanted software; how the software was found; any
actions that Windows Defender took to deal with the software; files affected by the software; information
about the computer from the manufacturer (Sysconfig, SysModel, SysMarker)
Use of data: Windows Defender uses this information to determine the type and severity of potentially
unwanted software, and the best action to take. Microsoft also uses this information to help improve the
accuracy of virus and spyware protection.

Frequency: Once a month
Data collected or sent: Virus and spyware definition update status; status of real-time virus and spyware
monitoring (on or off)
Use of data: Windows Defender uses this information to verify that computers have the latest virus and
spyware protection version, and the most recent virus and spyware definitions. Microsoft also wants to make
sure that real-time virus and spyware monitoring is turned on, which is a critical part of helping protect
computers from potentially harmful or unwanted software.

Frequency: During installation, or whenever users manually perform a virus and spyware scan of the computer
Data collected or sent: List of running processes in the computer's memory
Use of data: To identify any processes that might have been compromised by potentially harmful software.


Microsoft collects only the names of affected files, not the contents of the files themselves. This information
helps determine what systems are especially vulnerable to specific threats.
Definition Updates Settings
Set sources and order for Endpoint Protection client updates - Click Set Source to specify the sources
for definition and scanning engine updates, and to also specify the order in which they are used. If
Configuration Manager is specified as one of the sources, then the other sources are used only if software
updates fail to download the client updates.
If you use any of the following methods to update the definitions on client computers, then the client computers
must be able to access the Internet.
Updates distributed from Microsoft Update
Updates distributed from Microsoft Malware Protection Center

IMPORTANT
Clients download definition updates by using the built-in system account. You must configure a proxy server for this
account to enable these clients to connect to the Internet.
If you have configured a software updates automatic deployment rule to deliver definition updates to client computers,
these updates will be delivered regardless of the definition updates settings.

Configure Custom Client Settings for Endpoint
Protection
4/30/2018 • 7 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


This procedure configures custom client settings for Endpoint Protection, which can be deployed to collections of
computers in your hierarchy.

IMPORTANT
Only configure the default Endpoint Protection client settings if you're sure that you want them applied to all computers in
your hierarchy.

To enable Endpoint Protection and configure custom client settings

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Client Settings.
3. On the Home tab, in the Create group, click Create Custom Client Device Settings.
4. In the Create Custom Client Device Settings dialog box, provide a name and a description for the group
of settings, and then select Endpoint Protection.
5. Configure the Endpoint Protection client settings that you require. For a full list of Endpoint Protection
client settings that you can configure, see the Endpoint Protection section in About client settings in System
Center Configuration Manager.

IMPORTANT
You must install the Endpoint Protection site system role before you can configure client settings for Endpoint
Protection.

6. Click OK to close the Create Custom Client Device Settings dialog box. The new client settings are
displayed in the Client Settings node of the Administration workspace.
7. Before the custom client settings can be used, you must deploy them to a collection. Select the custom client
settings you want to deploy and then, in the Home tab, in the Client Settings group, click Deploy.
8. In the Select Collection dialog box, choose the collection to which you want to deploy the client settings
and then click OK. The new deployment is shown in the Deployments tab of the details pane.
Client computers will be configured with these settings when they next download client policy. To initiate policy
retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in How to
manage clients in System Center Configuration Manager.

How to Provision the Endpoint Protection Client in a Disk Image in Configuration Manager

You can install the Endpoint Protection client on a computer that you intend to use as a disk image source for
Configuration Manager operating system deployment. This computer is typically called the reference computer.
After you create the image of the operating system, you can then use Configuration Manager operating system
deployment to deploy the image that can contain software packages, including Endpoint Protection, to your client
computers.
Use the procedures in this article to help you install and configure the Endpoint Protection client on a reference
computer.
Prerequisites for Installing the Endpoint Protection Client on the Reference Computer
The following list contains the required prerequisites for installing the Endpoint Protection client software on a
reference computer.
You must have access to the Endpoint Protection client installation package, scepinstall.exe. This package
can be found in the Client folder of the Microsoft System Center Configuration Manager installation folder
on the site server. Windows 10 and Windows Server 2016 have Windows Defender installed.
To ensure that the Endpoint Protection client is deployed with the configuration that is required in your
organization, create an antimalware policy, and then export that policy. You can then specify the
antimalware policy to use when you manually install the Endpoint Protection client. For more information,
see How to create and deploy antimalware policies for Endpoint Protection in System Center Configuration
Manager.

NOTE
The Default Client Antimalware Policy can't be exported.

If you want to install the Endpoint Protection client with the latest definitions, you must download these
from the Microsoft Malware Protection Center.

NOTE
Starting in Configuration Manager 1802, Windows 10 devices do not need to have the Endpoint Protection agent
(SCEPInstall) installed. If it is already installed on Windows 10 devices, Configuration Manager will not remove it.
Administrators can remove the Endpoint Protection agent on Windows 10 devices that are running at least the 1802 client
version. SCEPInstall.exe may still be present in C:\Windows\ccmsetup on some machines but should not be downloaded on
new client installations.
How to Install the Endpoint Protection Client Software on the Reference Computer
You can install the Endpoint Protection client locally on the reference computer from a command prompt. To do so, you must
first obtain the installation file scepinstall.exe. You can also install the client with a preconfigured antimalware policy or with
an antimalware policy that you previously exported.

To install the Endpoint Protection client from a command prompt


1. Copy scepinstall.exe from the Client folder on the System Center Configuration Manager installation
media to the computer on which you want to install the Endpoint Protection client software.
2. Open a command prompt with administrator privileges, navigate to the folder where scepinstall.exe is
located, and then run the following command, adding any additional command-line properties that you
require:

scepinstall.exe

You can specify one of the following command line properties:


/s - Specifies that a silent installation will be performed.
/q - Specifies that a silent extraction of the setup files will be performed.
/i - Specifies that a normal installation should be performed.
/noreplace - Specifies that third-party antimalware software is not uninstalled during setup.
/policy - Specifies an antimalware policy file to be used to configure the client during installation.
/sqmoptin - Specifies that this client software installation is opted in to the Microsoft Customer Experience
Improvement Program.

3. Follow the on-screen instructions in order to complete the client installation.
4. If you downloaded the latest update definition package, copy the package to the client computer, and then
double-click the definition package to install it.

NOTE
After the Endpoint Protection client installation is completed, the client automatically performs a definition update
check. If this update check succeeds, you don't have to manually install the latest definition update package.

To install the client software with an antimalware policy from the command prompt

1. Copy scepinstall.exe and the exported or preconfigured antimalware policy to the computer on which you
want to install the Endpoint Protection client software.
2. Open a command prompt with administrator privileges, navigate to the folder where scepinstall.exe and
the antimalware policy are located, and then run the following command:

scepinstall.exe /policy <full path>\<policy file>

3. Follow the on-screen instructions in order to complete the client installation.
4. If you downloaded the latest definition package, copy the package to the client computer, and then double-
click the definition package to install it.

NOTE
After the Endpoint Protection client installation is completed, the client automatically performs a definition update
check. If this update check succeeds, you don't have to manually install the latest definition update package.

Verify that the Endpoint Protection Client is Installed Correctly

After you install the Endpoint Protection client on your reference computer, verify that the client is working
correctly.
To verify that the Endpoint Protection client is installed correctly
1. On the reference computer, open System Center Endpoint Protection from the Windows notification
area.
2. On the Home tab of the System Center Endpoint Protection dialog box, verify that Real-time
protection is set to On.
3. Verify that Up-to-date is displayed for Virus and spyware definitions.
4. To help make sure that your reference computer is ready for imaging, under Scan options, select Full, and
then click Scan now.
How to Prepare the Endpoint Protection Client for Imaging
After you verify that the Endpoint Protection client is installed correctly on the reference computer, you can
prepare the computer for imaging. Perform the following steps to prepare the Endpoint Protection client for
imaging.
For more information about operating system deployment in Configuration Manager, see Manage operating
system images with System Center Configuration Manager.
To prepare the Endpoint Protection client for imaging
1. On the reference computer, log on as a user that has administrative privileges.
2. Download and install PsTools from the Windows SysInternals Site on TechNet.
3. Open an elevated command prompt, navigate to the folder in which you installed PsTools, and then type the
following command:

Psexec.exe -s -i regedit.exe

IMPORTANT
Use caution while you're running the Registry Editor in this manner; the -s option in PsExec.exe runs the Registry
Editor with LocalSystem privileges.

4. In the Registry Editor, navigate to each of the following registry keys and delete them.

IMPORTANT
You must delete the registry keys as the last step before imaging the reference computer. The registry keys are
recreated when the Endpoint Protection client starts. If you restart the reference computer, you must delete the
registry keys again.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\InstallTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastQuickScanID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastFullScanID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
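The registry cleanup in step 4 as an added PowerShell script that is not part of the Microsoft documentation. It assumes it is launched under LocalSystem with the same Psexec.exe -s approach the procedure uses for regedit, the script file name is a placeholder, and it handles each path whether it exists as a subkey or as a value under its parent key.

```powershell
# Added example, not from the Microsoft documentation: clear the Endpoint
# Protection client's per-machine identity entries listed above immediately
# before capturing the image, with a dry run (-WhatIf) first.
# ASSUMPTIONS: launched under LocalSystem the same way the procedure runs
# regedit, e.g. (script name is a placeholder):
#   Psexec.exe -s powershell.exe -ExecutionPolicy Bypass -File .\Reset-EPClientIdentity.ps1 -WhatIf
# Each path may exist as a subkey or as a value under its parent key, so both
# forms are handled; an entry that is absent (already cleared, or the client
# has not started yet) is reported rather than treated as an error.
[CmdletBinding(SupportsShouldProcess)]
param()

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\InstallTime'
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanRun'
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanType'
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastQuickScanID'
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastFullScanID'
    'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT\GUID'
)

if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Write-Warning 'Not running as LocalSystem; some deletions may fail with access denied.'
}

function Remove-EPIdentityEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $Path)

    $parent = Split-Path -Parent $Path
    $leaf   = Split-Path -Leaf   $Path

    if (Test-Path -LiteralPath $Path) {
        # Present as a subkey: remove it and anything beneath it.
        if ($PSCmdlet.ShouldProcess($Path, 'Remove registry key')) {
            Remove-Item -LiteralPath $Path -Recurse -Force
            return 'key removed'
        }
        return 'key found (not removed)'
    }

    if (Test-Path -LiteralPath $parent) {
        # Not a subkey; check whether it is a value under the parent key.
        $props = Get-ItemProperty -LiteralPath $parent -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $leaf)) {
            if ($PSCmdlet.ShouldProcess($Path, 'Remove registry value')) {
                Remove-ItemProperty -LiteralPath $parent -Name $leaf -Force
                return 'value removed'
            }
            return 'value found (not removed)'
        }
    }

    return 'not present'
}

$results = foreach ($p in $paths) {
    [pscustomobject]@{ Path = $p; Result = (Remove-EPIdentityEntry -Path $p) }
}
$results | Format-Table -AutoSize
```

Because the client recreates these entries when it starts, run the script as the last action before capture and again after any restart of the reference computer.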
After you complete the preceding steps, you can prepare the reference computer for imaging. For more
information about operating system deployment in Configuration Manager, see Manage operating system images
with System Center Configuration Manager.
When an image that contains the Endpoint Protection client software is deployed, the Endpoint Protection client
will automatically report information to the Configuration Manager site to which the computer is assigned, and
policy applicable to the client computer is downloaded and applied.
Create and deploy Windows Firewall policies for Endpoint Protection in System Center Configuration Manager
4/30/2018 • 2 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


Firewall policies for Endpoint Protection in System Center 2012 Configuration Manager let you perform basic
Windows Firewall configuration and maintenance tasks on client computers in your hierarchy. You can use
Windows Firewall policies to perform the following tasks:
Control whether Windows Firewall is turned on or off.
Control whether incoming connections are allowed to client computers.
Control whether users are notified when Windows Firewall blocks a new program.
To create a Windows Firewall policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows
Firewall Policies.
3. On the Home tab, in the Create group, click Create Windows Firewall Policy.
4. On the General page of the Create Windows Firewall Policy Wizard, specify a name and an optional
description for this firewall policy, and then click Next.
5. On the Profile Settings page of the wizard, configure the following settings for each network profile:

IMPORTANT
If you want to deploy Windows Firewall policies to computers running Windows Server 2008 and Windows Vista
Service Pack 1, you must first install Hotfix KB971800 on these computers.

NOTE
For more information about network profiles, see the Windows documentation.

Enable Windows Firewall

NOTE
If Enable Windows Firewall is not enabled, the other settings on this page of the wizard are unavailable.

Block all incoming connections, including those in the list of allowed programs
Notify the user when Windows Firewall blocks a new program
6. On the Summary page of the wizard, review the actions to be taken, and then complete the wizard.
7. Verify that the new Windows Firewall policy is displayed in the Windows Firewall Policies list.
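A client-side check of the three per-profile settings the wizard manages, as an added PowerShell example that is not part of the Microsoft documentation. It assumes the mapping from the wizard's settings to the NetSecurity module properties (Enabled, AllowInboundRules, NotifyOnListen) is correct as I describe it in the comments, and that the client runs Windows 8 or Windows Server 2012 or later, where Get-NetFirewallProfile exists.

```powershell
# Added example, not part of the Microsoft documentation: report whether a
# client's Windows Firewall profiles match the three settings a Windows
# Firewall policy manages. ASSUMPTIONS: the mapping from wizard settings to
# NetSecurity module properties is mine:
#   Enable Windows Firewall                                    -> Enabled = True
#   Block all incoming connections, including allowed programs -> AllowInboundRules = False
#   Notify the user when Windows Firewall blocks a new program -> NotifyOnListen = True
# Requires Windows 8 / Windows Server 2012 or later (Get-NetFirewallProfile).

# Constructed sample: the per-profile values chosen on the Profile Settings page.
$IntendedPolicy = @{
    Domain  = @{ EnableFirewall = $true;  BlockAllIncoming = $false; NotifyUser = $false }
    Private = @{ EnableFirewall = $true;  BlockAllIncoming = $false; NotifyUser = $true  }
    Public  = @{ EnableFirewall = $true;  BlockAllIncoming = $true;  NotifyUser = $true  }
}

function Test-FirewallPolicyCompliance {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable] $Intended)

    foreach ($profileName in @('Domain', 'Private', 'Public')) {
        if (-not $Intended.ContainsKey($profileName)) { continue }
        $want   = $Intended[$profileName]
        $actual = Get-NetFirewallProfile -Name $profileName -ErrorAction Stop

        # The profile properties are tri-state (True / False / NotConfigured);
        # compare their string form and treat NotConfigured as "not set".
        $enabled = ("$($actual.Enabled)" -eq 'True')
        [pscustomobject]@{
            Profile   = $profileName
            Setting   = 'Enable Windows Firewall'
            Expected  = $want.EnableFirewall
            Actual    = $enabled
            Compliant = ($enabled -eq $want.EnableFirewall)
        }

        # If the firewall is meant to be off, the other two settings are
        # unavailable in the wizard, so there is nothing more to evaluate.
        if (-not $want.EnableFirewall) { continue }

        $blockAll = ("$($actual.AllowInboundRules)" -eq 'False')
        [pscustomobject]@{
            Profile   = $profileName
            Setting   = 'Block all incoming connections, including allowed programs'
            Expected  = $want.BlockAllIncoming
            Actual    = $blockAll
            Compliant = ($blockAll -eq $want.BlockAllIncoming)
        }

        $notify = ("$($actual.NotifyOnListen)" -eq 'True')
        [pscustomobject]@{
            Profile   = $profileName
            Setting   = 'Notify the user when Windows Firewall blocks a new program'
            Expected  = $want.NotifyUser
            Actual    = $notify
            Compliant = ($notify -eq $want.NotifyUser)
        }
    }
}

$report = Test-FirewallPolicyCompliance -Intended $IntendedPolicy
$report | Format-Table -AutoSize
# Non-zero exit code when any profile drifts, so the check can run as a scheduled job.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```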
To deploy a Windows Firewall policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows
Firewall Policies.
3. In the Windows Firewall Policies list, select the Windows Firewall policy that you want to deploy.
4. On the Home tab, in the Deployment group, click Deploy.
5. In the Deploy Windows Firewall Policy dialog box, specify the collection to which you want to assign
this Windows Firewall policy, and specify an assignment schedule. The Windows Firewall policy evaluates
for compliance by using this schedule and the Windows Firewall settings on clients to reconfigure to match
the Windows Firewall policy.
6. Click OK to close the Deploy Windows Firewall Policy dialog box and to deploy the Windows Firewall
policy.

IMPORTANT
When you deploy a Windows Firewall policy to a collection, this policy is applied to computers in a random order
over a 2 hour period to avoid flooding the network.
Windows Defender Advanced Threat Protection
4/30/2018 • 3 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


Starting with version 1606 of Configuration Manager (current branch), Endpoint Protection can help manage and
monitor Windows Defender Advanced Threat Protection (ATP). Windows Defender ATP helps enterprises detect,
investigate, and respond to advanced attacks on their networks. Configuration Manager or Microsoft Intune
policies can help you onboard and monitor managed Windows 10, version 1607 (build 14328) or later.
Windows Defender ATP is a service in the Windows Defender Security Center. By adding and deploying a client
onboarding configuration file, Configuration Manager can monitor deployment status and Windows Defender
ATP agent health. Windows Defender ATP is supported on PCs running the Configuration Manager client or
managed by Microsoft Intune, but Intune hybrid MDM-managed computers are not supported.
Prerequisites
Subscription to the Windows Defender Advanced Threat Protection online service
Client computers running Windows 10, version 1607 and later
Client computers running the Configuration Manager 1610 version or later client agent or managed by
Microsoft Intune

How to create an onboarding configuration file

1. Log on to the Windows Defender ATP online service.
2. Click on the Endpoint Management menu item.
3. Select System Center Configuration Manager (current branch) version 1606 and click Download
package.
4. Download the compressed archive (.zip) file and extract the contents.

IMPORTANT
The Windows Defender ATP configuration file contains sensitive information which should be kept secure.

Onboard devices for Windows Defender ATP

1. In the Configuration Manager console, navigate Assets and Compliance > Overview > Endpoint
Protection > Windows Defender ATP Policies and click Create Windows Defender ATP Policy. The
Windows Defender ATP Policy Wizard opens.
2. Type the Name and Description for the Windows Defender ATP policy and select Onboarding. Click
Next.
3. Browse to the Configuration file provided by your organization’s Windows Defender ATP cloud service
tenant. Click Next.
4. Specify the file samples that are collected and shared from managed devices for analysis.
None
All file types
Click Next.
5. Review the summary and complete the wizard.
6. You can now deploy the Windows Defender ATP policy to managed client computers by clicking Deploy.

Monitor Windows Defender ATP

1. In the Configuration Manager console, navigate Monitoring > Overview > Security and then click
Windows Defender ATP.
2. Review the Windows Defender Advanced Threat Protection dashboard.
Windows Defender Agent Deployment Status – The number and percentage of eligible
managed client computers with active Windows Defender ATP policy onboarded
Windows Defender ATP Agent Health – Percentage of computer clients reporting status for their
Windows Defender ATP agent
Healthy - Working properly
Inactive - No data sent to service during time period
Agent state - The system service for the agent in Windows isn't running
Not onboarded - Policy was applied but the agent has not reported policy onboard

How to create and deploy an offboarding configuration file

1. Log on to the Windows Defender ATP online service.
2. Click on the Endpoint Management menu item.
3. Select System Center Configuration Manager (current branch) version 1606 and click Endpoint
offboarding.
4. Download the compressed archive (.zip) file and extract the contents. Offboarding files are valid for 30 days.
5. In the Configuration Manager console, navigate Assets and Compliance > Overview > Endpoint
Protection > Windows Defender ATP Policies and click Create Windows Defender ATP Policy. The
Windows Defender ATP Policy Wizard opens.
6. Type the Name and Description for the Windows Defender ATP policy and select Offboarding. Click
Next.
7. Browse to the Configuration file provided by your organization’s Windows Defender ATP cloud service
tenant. Click Next.
8. Review the summary and complete the wizard.
9. You can now deploy the Windows Defender ATP policy to managed client computers by clicking Deploy.

IMPORTANT
The Windows Defender ATP configuration files contain sensitive information which should be kept secure.

Windows Defender Advanced Threat Protection
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Create and deploy an Exploit Guard policy
4/30/2018 • 4 min to read • Edit Online

Applies to: System Center Configuration Manager (Current Branch)


You can configure and deploy Configuration Manager policies that manage all four components of Windows
Defender Exploit Guard. These components include:
Attack Surface Reduction
Controlled folder access
Exploit protection
Network protection
Compliance data for Exploit Guard policy deployment is available from within the Configuration Manager console.

NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.

Prerequisites
Managed devices must run Windows 10 1709 Fall Creators Update or later and satisfy the following requirements
depending on the components and rules configured:

Exploit Guard component: Attack Surface Reduction
Additional prerequisites: Devices must have Windows Defender AV real-time protection enabled.

Exploit Guard component: Controlled folder access
Additional prerequisites: Devices must have Windows Defender AV real-time protection enabled.

Exploit Guard component: Exploit protection
Additional prerequisites: None

Exploit Guard component: Network protection
Additional prerequisites: Devices must have Windows Defender AV real-time protection enabled.

Create an Exploit Guard policy


1. In the Configuration Manager console, go to Assets and compliance > Endpoint Protection, and then click
Windows Defender Exploit Guard.
2. On the Home tab, in the Create group, click Create Exploit Policy.
3. On the General page of the Create Configuration Item Wizard, specify a name, and optional description for
the configuration item.
4. Next, select the Exploit Guard components you want to manage with this policy. For each component you select,
you can then configure additional details.
Attack Surface Reduction: Configure the Office threats, scripting threats, and email threats you want to
block or audit. You can also exclude specific files or folders from these rules.
Controlled folder access: Configure blocking or auditing, and then add Apps that can bypass this
policy. You can also specify additional folders that are not protected by default.
Exploit protection: Specify an XML file that contains settings for mitigating exploits of system
processes and apps. You can export these settings from the Windows Defender Security Center app on a
Windows 10 device.
Network protection: Set network protection to block or audit access to suspicious domains.
5. Complete the wizard to create the policy, which you can later deploy to devices.

WARNING
The XML file for exploit protection should be kept secure when transferring it between machines. The file should be
deleted after import or kept in a secure location.

Deploy an Exploit Guard policy


After you create Exploit Guard policies, use the Deploy Exploit Guard Policy wizard to deploy them. To do so, open
the Configuration Manager console to Assets and compliance > Endpoint Protection, and then click Deploy
Exploit Guard Policy.

Windows Defender Exploit Guard policy settings


Attack Surface Reduction policies and options
Attack Surface Reduction can reduce the attack surface of your applications with intelligent rules that stop the
vectors used by Office, script, and mail-based malware. Learn more about Attack Surface Reduction and the Event
IDs used for it.
Files and Folders to exclude from Attack Surface Reduction rules - Click on Set and specify any files
or folders to exclude.
Email Threats:
Block executable content from email client and webmail.
Not configured
Block
Audit
Office Threats:
Block Office application from creating child processes.
Not configured
Block
Audit
Block Office applications from creating executable content.
Not configured
Block
Audit
Block Office applications from injecting code into other processes.
Not configured
Block
Audit
Block Win32 API calls from Office macros.
Not configured
Block
Audit
Scripting Threats:
Block JavaScript or VBScript from launching downloaded executable content.
Not configured
Block
Audit
Block execution of potentially obfuscated scripts.
Not configured
Block
Audit
Ransomware threats: (starting in Configuration Manager version 1802)
Use advanced protection against ransomware.
Not configured
Block
Audit
Operating system threats: (starting in Configuration Manager version 1802)
Block credential stealing from the Windows local security authority subsystem.
Not configured
Block
Audit
Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
Not configured
Block
Audit
External device threats: (starting in Configuration Manager version 1802)
Block untrusted and unsigned processes that run from USB.
Not configured
Block
Audit
Controlled folder access policies and options
Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-
encrypting ransomware malware. Learn more about Controlled folder access and the Event IDs it uses.
Configure Controlled folder access:
Block
Block disk sectors only (starting in Configuration Manager version 1802)
Allows Controlled folder access to be enabled for boot sectors only and does not enable the
protection of specific folders or the default protected folders.
Audit
Audit disk sectors only (starting in Configuration Manager version 1802)
Allows Controlled folder access to be enabled for boot sectors only and does not enable the
protection of specific folders or the default protected folders.
Disabled
Allow apps through Controlled folder access - Click Set and specify apps.
Additional protected folders - Click Set and specify additional protected folders.
Exploit protection policies
Applies exploit mitigation techniques to operating system processes and apps your organization uses. These
settings can be exported from the Windows Defender Security Center app on Windows 10 devices. Learn more
about Exploit protection.
Exploit protection XML - Click Browse and specify the XML file to import.

WARNING
The XML file for exploit protection should be kept secure when transferring it between machines. The file should be
deleted after import or kept in a secure location.
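The page describes exporting the exploit protection settings from the Windows Defender Security Center app and warns that the XML must be kept secure in transit. The following added example, which is not code from the original page or from Configuration Manager, does the export from PowerShell instead, using the ProcessMitigations module that ships with Windows 10 1709 and later (Get-ProcessMitigation with -RegistryConfigFilePath writes the device's current settings to an XML file). It then restricts the file's ACL to the exporting user, records a SHA-256 hash so the copy on the console machine can be verified before it is imported into the policy, and deletes the file afterwards as the warning advises. The file path under $env:TEMP is an assumption for illustration.

```powershell
# Added example (not from this page): export exploit protection settings to XML
# for a Configuration Manager Exploit Guard policy, protect the file, and give
# the administrator a hash to verify the copy with after transfer.
function Export-ExploitProtectionSettings {
    param([Parameter(Mandatory)][string]$Path)

    # ProcessMitigations module (Windows 10 1709+): writes current settings to XML.
    Get-ProcessMitigation -RegistryConfigFilePath $Path

    # Drop inherited permissions and grant only the exporting user access, so a
    # shared or world-readable folder does not expose the configuration.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the hash the receiving side will check against.
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

function Test-ExploitProtectionSettingsFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Hash mismatch for $Path (expected $ExpectedSha256, got $actual)"
    }
    # Make sure it still parses as XML before handing it to the policy wizard.
    [xml](Get-Content -Path $Path -Raw) | Out-Null
    $true
}

# Usage on the reference device (path is an assumption for illustration):
$xml  = Join-Path $env:TEMP 'ExploitProtection.xml'
$hash = Export-ExploitProtectionSettings -Path $xml
# Copy $xml to the machine running the Configuration Manager console, then there:
Test-ExploitProtectionSettingsFile -Path $xml -ExpectedSha256 $hash
# After the wizard has imported it, remove the copy as the warning above advises.
Remove-Item -Path $xml -Force
```

Keep the hash in your change record rather than alongside the file; an attacker who can alter the XML on a share can just as easily alter a hash file stored next to it.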

Network protection policy


Helps minimize the attack surface on devices from internet-based attacks. The service restricts access to suspicious
domains that might host phishing scams, exploits, and malicious content. Learn more about Network protection.
Configure Network protection:
Block
Audit
Disabled
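Once an Exploit Guard policy has been deployed, the console shows compliance, but it is often useful to confirm on a single device both that the prerequisites above (Windows 10 1709 or later, Windows Defender AV real-time protection on) are met and what each component is really set to. The following added example, which is not code from the original page or from Configuration Manager, reads that state with the Windows Defender cmdlets Get-MpComputerStatus and Get-MpPreference and maps the numeric settings back to the Block / Audit / Not configured wording used in the policy settings above. The Attack Surface Reduction rule GUIDs in the lookup table come from the Windows Defender ASR documentation, not from this page, and should be verified against current Microsoft documentation; the values 3 and 4 for the two disk-sector-only Controlled folder access modes are my reading of the Set-MpPreference documentation and are labelled as an assumption.

```powershell
# Added example (not from this page): audit Exploit Guard prerequisites and the
# effective component settings on a Windows 10 client.
# ASR rule GUIDs are from the Windows Defender ASR documentation (verify there).
$AsrRuleNames = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from the Windows local security authority subsystem'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless they meet a prevalence, age, or trusted list criteria'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
}
# Action values used by the Defender cmdlets: 0 = off, 1 = block, 2 = audit.
$ActionNames = @{ 0 = 'Not configured'; 1 = 'Block'; 2 = 'Audit' }
# Controlled folder access modes; 3 and 4 (disk-sector-only modes) are an assumption.
$CfaNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 3 = 'Block disk sectors only'; 4 = 'Audit disk sectors only' }

function Test-ExploitGuardPrerequisites {
    $build  = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $status = Get-MpComputerStatus
    $is1709 = ($build -ge 16299)   # Windows 10 1709 Fall Creators Update is build 16299
    [pscustomobject]@{
        OsBuild                 = $build
        IsWindows10_1709OrLater = $is1709
        RealTimeProtection      = $status.RealTimeProtectionEnabled
        # ASR, Controlled folder access and Network protection all need real-time protection.
        AsrCfaNpSupported       = ($is1709 -and $status.RealTimeProtectionEnabled)
    }
}

function Get-ExploitGuardState {
    $pref  = Get-MpPreference
    $rules = @()
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = ([string]$ids[$i]).ToUpperInvariant()
        $name = '(rule not in lookup table)'
        if ($AsrRuleNames.ContainsKey($id)) { $name = $AsrRuleNames[$id] }
        $rules += [pscustomobject]@{
            RuleId = $id
            Rule   = $name
            Action = $ActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
    [pscustomobject]@{
        AttackSurfaceReductionRules = $rules
        AsrExclusions               = $pref.AttackSurfaceReductionOnlyExclusions
        ControlledFolderAccess      = $CfaNames[[int]$pref.EnableControlledFolderAccess]
        CfaAllowedApps              = $pref.ControlledFolderAccessAllowedApplications
        CfaProtectedFolders         = $pref.ControlledFolderAccessProtectedFolders
        NetworkProtection           = $ActionNames[[int]$pref.EnableNetworkProtection]
    }
}

Test-ExploitGuardPrerequisites | Format-List
$state = Get-ExploitGuardState
$state.AttackSurfaceReductionRules | Format-Table Rule, Action -AutoSize
$state | Select-Object ControlledFolderAccess, NetworkProtection, CfaAllowedApps, CfaProtectedFolders, AsrExclusions | Format-List
```

A rule that the policy sets to Block but that shows here as Audit or Not configured usually means the device failed a prerequisite (real-time protection disabled by another product, or an older build) rather than a deployment error, so check the first object before the second.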
Create and deploy Windows Defender Application Guard policy
4/30/2018 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can create and deploy Windows Defender Application Guard policies by using Configuration Manager
endpoint protection. These policies help protect your users by opening untrusted websites in a secure, isolated
container that is not accessible by other parts of the operating system.

Prerequisites
To create and deploy a Windows Defender Application Guard policy, you must use the Windows 10 Fall Creators
Update (version 1709). Also, the Windows 10 devices to which you deploy the policy must be configured with a network
isolation policy. For more information, see the Windows Defender Application Guard overview.

To create a policy and browse the available settings:


1. In the Configuration Manager console, choose Assets and Compliance.
2. In the Assets and Compliance workspace, choose Overview > Endpoint Protection > Windows Defender
Application Guard.
3. In the Home tab, in the Create group, click Create Windows Defender Application Guard Policy.
4. Browse and configure the available settings, using this article as a reference. Configuration Manager
lets you set the policy settings described under Host interaction settings and Application behavior settings.
5. On the Network Definition page, specify the corporate identity, and define your corporate network
boundary.

NOTE
Windows 10 PCs store only one network isolation list on the client. You can create two different kinds of network
isolation lists and deploy them to the client:
one from Windows Information Protection
one from Windows Defender Application Guard
If you deploy both policies, these network isolation lists must match. If you deploy lists that don’t match to the same
client, the deployment will fail. For more information, see the Windows Information Protection documentation.

6. When you are finished, complete the wizard, and deploy the policy to one or more Windows 10 1709
devices.
Host interaction settings
Configures interactions between host devices and the Application Guard container. Before Configuration Manager
version 1802, both application behavior and host interaction were under the Settings tab.
Clipboard - Under settings prior to Configuration Manager 1802
Permitted content type
Text
Images
Printing:
Enable printing to XPS
Enable printing to PDF
Enable printing to local printers
Enable printing to network printers
Graphics: (starting with Configuration Manager version 1802)
Virtual graphics processor access
Files: (starting with Configuration Manager version 1802)
Save downloaded files to host
Application behavior settings
Configures application behavior inside the Application Guard session. Before Configuration Manager version
1802, both application behavior and host interaction were under the Settings tab.
Content:
Enterprise sites can load non-enterprise content, such as third-party plug-ins.
Other:
Retain user generated browser data
Audit security events in the isolated application guard session
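The host interaction and application behavior settings above decide how much data may cross from the isolated container back to the host (clipboard direction, printing, saving downloads, retaining browser data). The following added example, which is not code from the original page or from Configuration Manager, reads what actually reached a client and flags the settings that widen that boundary. It assumes Application Guard is the optional Windows feature Windows-Defender-ApplicationGuard and that the applied policy lives under HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI with the value names used in the Application Guard Group Policy template as I recall them (AppHVSIClipboardSettings, AppHVSIClipboardFileType, AppHVSIPrintingSettings, AllowVirtualGPU, SaveFilesToHost, BlockNonEnterpriseContent, AllowPersistence, AuditApplicationGuard); treat those names and their encodings as assumptions to verify, not values stated on this page.

```powershell
# Added example (not from this page): report the Application Guard feature state
# and the host interaction / application behavior policy applied to this client.
# Registry value names and encodings under AppHVSI are assumptions (see lead-in).
function Get-ApplicationGuardState {
    $build   = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    $featureState = 'NotPresent'
    if ($feature) { $featureState = [string]$feature.State }

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    $p = $null
    if (Test-Path -Path $key) { $p = Get-ItemProperty -Path $key }

    # Assumed encodings: clipboard direction, clipboard content, printing bit flags.
    $clipDir    = @{ 0 = 'Disabled'; 1 = 'Container to host'; 2 = 'Host to container'; 3 = 'Both directions' }
    $clipType   = @{ 0 = 'None'; 1 = 'Text'; 2 = 'Images'; 3 = 'Text and images' }
    $printFlags = @{ 1 = 'XPS'; 2 = 'PDF'; 4 = 'Local printers'; 8 = 'Network printers' }
    $printing   = [int]$p.AppHVSIPrintingSettings
    $printOn    = @(foreach ($f in 1, 2, 4, 8) { if ($printing -band $f) { $printFlags[$f] } })
    $printText  = 'Disabled'
    if ($printOn.Count -gt 0) { $printText = $printOn -join ', ' }

    [pscustomobject]@{
        OsBuild1709OrLater        = ($build -ge 16299)
        FeatureState              = $featureState
        PolicyApplied             = [bool]$p
        ClipboardDirection        = $clipDir[[int]$p.AppHVSIClipboardSettings]
        ClipboardContent          = $clipType[[int]$p.AppHVSIClipboardFileType]
        Printing                  = $printText
        VirtualGpuAccess          = [bool]$p.AllowVirtualGPU
        SaveFilesToHost           = [bool]$p.SaveFilesToHost
        BlockNonEnterpriseContent = [bool]$p.BlockNonEnterpriseContent
        RetainBrowserData         = [bool]$p.AllowPersistence
        AuditSecurityEvents       = [bool]$p.AuditApplicationGuard
    }
}

$s = Get-ApplicationGuardState
$s | Format-List

# Settings that let data leave the isolated session; confirm each is intended.
if ($s.ClipboardDirection -eq 'Both directions' -or $s.SaveFilesToHost -or $s.RetainBrowserData) {
    Write-Warning 'Policy allows content to move from the container to the host; review the host interaction settings.'
}
if (-not $s.AuditSecurityEvents) {
    Write-Warning 'Security events in the isolated session are not audited; detections inside the container will be silent.'
}
```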

Next steps
To read more about Windows Defender Application Guard: Windows Defender Application Guard Overview.
Windows Defender Application Guard FAQ.
Manage antimalware policies and firewall settings
4/30/2018 • 4 min to read

Applies to: System Center Configuration Manager (Current Branch)


Use the information in this topic to help you manage Endpoint Protection antimalware policies and Windows
Firewall policies, to perform on-demand scans, to force computers to download the latest available definitions, and
to remediate detected malware.

Manage antimalware policies


In the Assets and Compliance workspace, expand Endpoint Protection, choose Antimalware Policies, select
the antimalware policy that you want to manage, and then select a management task.
This table provides more information.

Task: Increase Priority
Details: If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to
increase the priority by which the selected antimalware policy is applied. Use the Order column to see the order in which
the policies are applied. The antimalware policy that has the highest priority is always applied first.

Task: Decrease Priority
Details: If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to
decrease the priority by which the selected antimalware policy is applied. Use the Order column to view the order in which
the policies are applied.

Task: Merge
Details: Merges the two selected antimalware policies. In the Merge Policies dialog box, enter a name for the new, merged
policy. The Base policy is the antimalware policy that is merged with this new antimalware policy.
Note: If two settings conflict, the most secure setting is applied to computers.

Task: Deploy
Details: Opens the Select Collection dialog box. Select the collection to which you want to deploy the antimalware policy,
and then choose OK.

Manage Windows Firewall policies


In the Assets and Compliance workspace, choose Endpoint Protection > Windows Firewall Policies, select
the Windows Firewall policy that you want to manage, and then select a management task.
This table provides more information.
Task: Increase Priority
Details: If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option
to increase the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in
which the policies are applied.

Task: Decrease Priority
Details: If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option
to decrease the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in
which the policies are applied.

Task: Deploy
Details: Opens the Deploy Windows Firewall Policy dialog box, from where you can deploy the firewall policy to a collection.

How to perform an on-demand scan of computers


You can perform a scan of a single computer, multiple computers, or a collection of computers in the Configuration
Manager console. This scan occurs in addition to any scheduled scans.

NOTE
If any of the computers that you select do not have the Endpoint Protection client installed, the on-demand scan option is
unavailable.

To perform an on-demand scan of computers


1. In the Configuration Manager console, choose Assets and Compliance.
2. In the Devices or Device Collections node, select the computer or collection of computers that you want
to scan.
3. On the Home tab, in the Collection group, click Endpoint Protection, and then click Full Scan or Quick
Scan.
The scan will take place when the computer or collection of computers next downloads client policy. To
monitor the results from the scan, use the procedures in How to monitor Endpoint Protection in System
Center Configuration Manager.

How to force computers to download the latest definition files


You can force a single computer, multiple computers, or a collection of computers to download the latest definition
files from the Configuration Manager console.

NOTE
If any of the computers that you select do not have the Endpoint Protection client installed, the Download Definition
option is unavailable.

To force computers to download the latest definition files


1. In the Devices or Device Collections node, select the computer or collection of computers for which you
want to download definitions.
2. On the Home tab, in the Collection group, choose Endpoint Protection, and then click Download
Definition. The download will take place when the computer or collection of computers next downloads
client policy.

NOTE
Use the Endpoint Protection Status node under Security in the Monitoring workspace to discover clients that
have out-of-date definitions.

Remediate detected malware


When malware is detected on client computers, this will be displayed in the Malware Detected node under
Endpoint Protection Status under Security in the Monitoring workspace of the Configuration Manager
console. Select an item from the Malware Detected list, and then use one of the following management tasks to
remediate or allow the detected malware:
Allow this threat - Creates an antimalware policy to allow the selected malware. The policy is deployed to
the All Systems collection and can be monitored in the Client Operations node of the Monitoring
workspace.
Restore files quarantined by this threat - Opens the Restore quarantined files dialog box where you
can select one of the following options:
Run the allow-threat or exclusion operation first to assure that files are not put back into
quarantine - Restores the files that were quarantined because of the detected malware and also
excludes the files from malware scans. If you do not exclude the files from malware scans, they will
be quarantined again when the next scan runs.
Restore files without a dependency on the allow or exclusion job - Restores the quarantined
files but does not add them to the exclusion list.
View infected clients - Displays a list of all clients that were infected by the selected malware.
Exclude selected files or paths from scan - When you select this option from the malware details pane,
the Exclude files and paths dialog box opens where you can specify the files and folders that you want to
exclude from malware scans.
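The on-demand scan, Download Definition, and remediation tasks above take effect only when the client next downloads policy, and the Endpoint Protection Status node is where out-of-date definitions show up. When you need to check or act on one client immediately, the Windows Defender cmdlets on the device do the same work locally. The following added example, which is not code from the original page or from Configuration Manager, reports definition age, refreshes definitions only when they are older than a threshold, lists recent detections, and starts a scan; the one-day age threshold is an assumption, not a value from the page.

```powershell
# Added example (not from this page): local counterparts of the console tasks
# (definition download, on-demand scan, review of detected malware) using the
# Windows Defender cmdlets. The MaxAgeDays threshold is an assumption.
function Get-DefinitionStatus {
    param([int]$MaxAgeDays = 1)
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        SignatureVersion   = $s.AntivirusSignatureVersion
        LastUpdated        = $s.AntivirusSignatureLastUpdated
        AgeDays            = $s.AntivirusSignatureAge
        OutOfDate          = ($s.AntivirusSignatureAge -gt $MaxAgeDays)
        RealTimeProtection = $s.RealTimeProtectionEnabled
    }
}

function Update-DefinitionsIfStale {
    param([int]$MaxAgeDays = 1)
    $status = Get-DefinitionStatus -MaxAgeDays $MaxAgeDays
    if ($status.OutOfDate) {
        # Same effect as the console's Download Definition task, for this client only.
        Update-MpSignature
        return Get-DefinitionStatus -MaxAgeDays $MaxAgeDays
    }
    $status
}

function Get-RecentDetections {
    param([int]$Days = 1)
    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            # Resolve the numeric ThreatID to the threat's name for the report.
            $threat = Get-MpThreat -ThreatID $_.ThreatID
            [pscustomobject]@{
                Detected  = $_.InitialDetectionTime
                Threat    = $threat.ThreatName
                Resources = ($_.Resources -join '; ')
                Succeeded = $_.ActionSuccess
            }
        }
}

Update-DefinitionsIfStale | Format-List
Get-RecentDetections -Days 7 | Format-Table -AutoSize
# Local equivalent of the console's Quick Scan (use FullScan for Full Scan).
Start-MpScan -ScanType QuickScan
```

A detection whose Succeeded field is False is the case the Restore quarantined files and Exclude tasks above are meant for; check what the resource was before choosing to exclude it, since an exclusion applies to future scans as well.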
Example scenario: Using System Center Endpoint Protection to protect computers from malware in System Center Configuration Manager
4/30/2018 • 7 min to read

Applies to: System Center Configuration Manager (Current Branch)


This article provides an example scenario for how you can implement Endpoint Protection in Configuration
Manager to protect computers in an organization from malware attacks.
John is the Configuration Manager administrator at Woodgrove Bank. The bank currently uses System Center
Endpoint Protection to protect computers against malware attacks. Additionally, the bank uses Windows Group
Policy to ensure that the Windows Firewall is enabled on all computers in the company and that users are notified
when Windows Firewall blocks a new program.
John has been asked to upgrade the Woodgrove Bank antimalware software to System Center Endpoint
Protection so that the bank can benefit from the latest antimalware features and be able to centrally manage the
antimalware solution from the Configuration Manager console. This implementation has the following
requirements:
Use Configuration Manager to manage the Windows Firewall settings that are currently managed by
Group Policy.
Use Configuration Manager software updates to download malware definitions to computers. If software
updates are not available, for example if the computer is not connected to the corporate network,
computers must download definition updates from Microsoft Update.
Users' computers must perform a quick malware scan every day. Servers, however, must run a full scan
every Saturday, outside business hours, at 1 A.M.
Send an email alert whenever any one of the following events occurs:
Malware is detected on any computer
The same malware threat is detected on more than 5 percent of computers
The same malware threat is detected more than 5 times in any 24-hour period
More than 3 different types of malware are detected in any 24-hour period
Uninstall the existing antimalware solution.
John then does the following steps to implement Endpoint Protection:

Steps to implement Endpoint Protection


Process: John reviews the available information about the basic concepts for Endpoint Protection in Configuration Manager.
Reference: For overview information about Endpoint Protection, see Endpoint Protection in System Center Configuration Manager.

Process: John reviews and implements the required prerequisites to use Endpoint Protection.
Reference: For information about the prerequisites for Endpoint Protection, see Planning for Endpoint Protection.

Process: John installs the Endpoint Protection site system role on one site system server only, at the top of the Woodgrove Bank hierarchy.
Reference: For more information about how to install the Endpoint Protection site system role, see "Prerequisites" in Configure Endpoint Protection.

Process: John configures Configuration Manager to use an SMTP server to send the email alerts.
Note: You must configure an SMTP server only if you want to be notified by email when an Endpoint Protection alert is generated.
Reference: For more information, see Configure alerts in Endpoint Protection.

Process: John creates a device collection that contains all computers and servers to install the Endpoint Protection client. He names this collection All Computers Protected by Endpoint Protection.
Tip: You cannot configure alerts for user collections.
Reference: For more information about how to create collections, see How to create collections in System Center Configuration Manager.

Process: He configures the following alerts for the collection:
1) Malware is detected: John configures an alert severity of Critical.
2) The same type of malware is detected on a number of computers: John configures an alert severity of Critical and specifies that the alert will be generated when more than 5 percent of computers have malware detected.
3) The same type of malware is repeatedly detected within the specified interval on a computer: John configures an alert severity of Critical and specifies that the alert will be generated when malware is detected more than 5 times in a 24-hour period.
4) Multiple types of malware are detected on the same computer within the specified interval: John configures an alert severity of Critical and specifies that the alert will be generated when more than 3 types of malware are detected in a 24-hour period.
The value for Alert Severity indicates the alert level that will be displayed in the Configuration Manager console and in alerts that he receives in an email message.
He additionally selects the option View this collection in the Endpoint Protection dashboard so that he can monitor the alerts in the Configuration Manager console.
Reference: See "Configure Alerts for Endpoint Protection" in Configuring Endpoint Protection in System Center Configuration Manager.

Process: John configures Configuration Manager software updates to download and deploy definition updates three times a day by using an automatic deployment rule.
Reference: For more information, see the "Using Configuration Manager Software Updates to Deliver Definition Updates" section in Use Configuration Manager software updates to deliver definition updates.

Process: John examines the settings in the default antimalware policy, which contains recommended security settings from Microsoft. For computers to perform a quick scan every day, he changes the following settings:
1) Run a daily quick scan on client computers: Yes.
2) Daily quick scan schedule time: 9:00 AM.
John notes that Updates distributed from Microsoft Update is selected by default as a definition update source. This fulfills the business requirement that computers download definitions from Microsoft Update when they cannot receive Configuration Manager software updates.
Reference: See How to create and deploy antimalware policies for Endpoint Protection in System Center Configuration Manager.

Process: John creates a collection that contains only the Woodgrove Bank servers, named Woodgrove Bank Servers.
Reference: See How to create collections in System Center Configuration Manager.

Process: John creates a custom antimalware policy named Woodgrove Bank Server Policy. He adds only the settings for Scheduled scans and makes the following changes:
Scan type: Full
Scan day: Saturday
Scan time: 1:00 AM
Run a daily quick scan on client computers: No.
Reference: See How to create and deploy antimalware policies for Endpoint Protection in System Center Configuration Manager.

Process: John deploys the Woodgrove Bank Server Policy custom antimalware policy to the Woodgrove Bank Servers collection.
Reference: See "To deploy an antimalware policy to client computers" in the How to create and deploy antimalware policies for Endpoint Protection article.

Process: John creates a new set of custom client device settings for Endpoint Protection and names these Woodgrove Bank Endpoint Protection Settings.
Note: If you do not want to install and enable Endpoint Protection on all clients in your hierarchy, make sure that the options Manage Endpoint Protection client on client computers and Install Endpoint Protection client on client computers are both configured as No in the default client settings.
Reference: For more information, see Configure Custom Client Settings for Endpoint Protection.

Process: He configures the following settings for Endpoint Protection:
Manage Endpoint Protection client on client computers: Yes. This setting and value ensures that any existing Endpoint Protection client that is installed becomes managed by Configuration Manager.
Install Endpoint Protection client on client computers: Yes.
Note: Starting in Configuration Manager 1802, Windows 10 devices do not need to have the Endpoint Protection agent installed. If it is already installed on Windows 10 devices, Configuration Manager will not remove it. Administrators can remove the Endpoint Protection agent on Windows 10 devices that are running at least the 1802 client version.
Automatically remove previously installed antimalware software before Endpoint Protection is installed: Yes. This setting and value fulfills the business requirement that the existing antimalware software is removed before Endpoint Protection is installed and enabled.
Reference: For more information, see Configure Custom Client Settings for Endpoint Protection.

Process: John deploys the Woodgrove Bank Endpoint Protection Settings client settings to the All Computers Protected by Endpoint Protection collection.
Reference: See "Configure Custom Client Settings for Endpoint Protection" in Configuring Endpoint Protection in Configuration Manager.

Process: John uses the Create Windows Firewall Policy Wizard to create a policy by configuring the following settings for the domain profile:
1) Enable Windows Firewall: Yes
2) Notify the user when Windows Firewall blocks a new program: Yes
Reference: See How to create and deploy Windows Firewall policies for Endpoint Protection in System Center Configuration Manager.

Process: John deploys the new firewall policy to the collection All Computers Protected by Endpoint Protection that he created earlier.
Reference: See "To deploy a Windows Firewall policy" in How to create and deploy Windows Firewall policies for Endpoint Protection in System Center Configuration Manager.

Process: John uses the available management tasks for Endpoint Protection to manage antimalware and Windows Firewall policies, perform on-demand scans of computers when necessary, force computers to download the latest definitions, and specify any further actions to take when malware is detected.
Reference: See How to manage antimalware policies and firewall settings for Endpoint Protection in System Center Configuration Manager.

Process: John uses the following methods to monitor the status of Endpoint Protection and the actions that are taken by Endpoint Protection:
1) By using the Endpoint Protection Status node under Security in the Monitoring workspace.
2) By using the Endpoint Protection node in the Assets and Compliance workspace.
3) By using the built-in Configuration Manager reports.
Reference: See How to monitor Endpoint Protection in System Center Configuration Manager.

John reports a successful implementation of Endpoint Protection to his manager, and confirms that the computers
at Woodgrove Bank are now protected from malware, according to the business requirements that he was
given.
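The four alert conditions in the scenario (any detection; the same threat on more than 5 percent of the collection; the same threat more than 5 times on one computer in 24 hours; more than 3 malware types on one computer in 24 hours) are easy to misread when setting thresholds. The following added example, which is not code from the original page and is not Configuration Manager's alert engine, is an offline model of those four checks run over constructed detection records, so you can see which records trip which condition. The collection size, computer names and threat names are constructed sample data; the "more than" comparisons follow the wording of the requirements above.

```powershell
# Added example (not from this page): offline model of the scenario's four
# Endpoint Protection alert conditions, evaluated over constructed detections.
function Get-EndpointProtectionAlerts {
    param(
        [Parameter(Mandatory)][object[]]$Detections,   # objects with Computer, Threat, Time
        [Parameter(Mandatory)][int]$CollectionSize,
        [double]$PercentThreshold = 5,
        [int]$RepeatThreshold = 5,
        [int]$TypesThreshold = 3,
        [int]$WindowHours = 24
    )
    $alerts = @()

    # 1) Malware is detected on any computer.
    if ($Detections.Count -gt 0) { $alerts += 'Malware is detected' }

    # 2) The same threat on more than N percent of the computers in the collection.
    foreach ($g in ($Detections | Group-Object Threat)) {
        $computers = @($g.Group | Select-Object -ExpandProperty Computer -Unique).Count
        if ((100.0 * $computers / $CollectionSize) -gt $PercentThreshold) {
            $alerts += "Same malware on multiple computers: $($g.Name) on $computers of $CollectionSize"
        }
    }

    # 3) and 4) are per computer, over a window ending at each detection.
    foreach ($c in ($Detections | Group-Object Computer)) {
        foreach ($d in $c.Group) {
            $window  = @($c.Group | Where-Object { $_.Time -le $d.Time -and $_.Time -gt $d.Time.AddHours(-$WindowHours) })
            $repeats = @($window | Where-Object { $_.Threat -eq $d.Threat }).Count
            if ($repeats -gt $RepeatThreshold) {
                $alerts += "Repeated detection: $($d.Threat) $repeats times on $($c.Name)"
            }
            $types = @($window | Select-Object -ExpandProperty Threat -Unique).Count
            if ($types -gt $TypesThreshold) {
                $alerts += "Multiple malware types: $types types on $($c.Name)"
            }
        }
    }
    $alerts | Select-Object -Unique
}

# Constructed sample data (not real detections): a 100-computer collection.
$t0 = Get-Date '2018-04-30T08:00:00'
$sample = @()
foreach ($i in 1..6) {   # same threat six times on one computer within 24 hours
    $sample += [pscustomobject]@{ Computer = 'PC01'; Threat = 'Trojan:Win32/Sample.A'; Time = $t0.AddHours($i) }
}
foreach ($i in 1..6) {   # same threat on six computers = 6 percent of the collection
    $sample += [pscustomobject]@{ Computer = "PC$($i + 1)"; Threat = 'Worm:Win32/Sample.B'; Time = $t0.AddMinutes($i) }
}
foreach ($t in 'Adware:Win32/Sample.C', 'Backdoor:Win32/Sample.D', 'Trojan:Win32/Sample.E', 'Virus:Win32/Sample.F') {
    $sample += [pscustomobject]@{ Computer = 'PC09'; Threat = $t; Time = $t0.AddHours(2) }   # four types on one computer
}

Get-EndpointProtectionAlerts -Detections $sample -CollectionSize 100
```

With this data the model raises all four alerts: the PC01 series exceeds the repeat threshold, Sample.B lands on 6 percent of the collection, and PC09 sees four distinct types. Lowering PercentThreshold or CollectionSize shows how quickly condition 2 becomes noisy in small collections.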
Endpoint Protection Client Help
4/30/2018 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


This version of Windows Defender or Endpoint Protection includes the following features to help protect your
computer from threats:
Windows Firewall integration. Endpoint Protection setup enables you to turn on or off Windows Firewall.
Network Inspection System. This feature enhances real-time protection by inspecting network traffic to help
proactively block exploitation of known network-based vulnerabilities.
Protection engine. Real-time protection finds and stops malware from installing or running on your PC. The
updated engine offers enhanced detection and cleanup capabilities with better performance.
Windows Defender comes as part of the Windows 10 operating system. On earlier versions of Windows, your
administrator can provide either Windows Defender or Endpoint Protection using management software.
You can also find a list of frequently asked questions for Windows Defender and Endpoint Protection. For help
troubleshooting, see Troubleshooting Windows Defender or Endpoint Protection client. For a list of new features,
see What's new Windows Defender client.

Windows Firewall integration


Windows Firewall can help prevent attackers or malicious software from gaining access to your computer through
the Internet or a network. Now when you install Endpoint Protection, the installation wizard verifies that Windows
Firewall is turned on. If you have intentionally turned off Windows Firewall, you can avoid turning it on by clearing
a check box. You can change your Windows Firewall settings at any time via the System and Security settings in
Control Panel.

Network Inspection System


Attackers are increasingly carrying out network-based attacks against exposed vulnerabilities before software
vendors can develop and distribute security updates. Studies of vulnerabilities show that it can take a month or
longer from the time of an initial attack report before a suitable security update is developed, tested, and released.
This gap in protection leaves many computers vulnerable to attacks and exploitation for a substantial period of
time. Network Inspection System works with real-time protection to better protect you against network-based
attacks by greatly reducing the timespan between vulnerability disclosures and update deployment from weeks to
a few hours.

Award-winning protection engine


Under the hood of Windows Defender or Endpoint Protection is its award-winning protection engine that is
updated regularly. The engine is backed by a team of antimalware researchers from the Microsoft Malware
Protection Center, providing responses to the latest malware threats 24 hours a day.

Windows Defender settings


Windows Defender settings help protect your PC from malicious software. Your administrator
might manage some Windows Defender settings for you. You can manage the others from the Windows Defender
settings page. We recommend that you enable these settings to help protect your PC and data.
To view Windows Defender settings, search for Windows Defender on your PC. Open Windows Defender and
select Settings. Windows Defender settings include:
Real-time protection - Find and stop malware from installing or running on your PC.
Cloud-based Protection - Windows Defender sends info to Microsoft about potential security threats.
Automatic sample submission - Allow Windows Defender to send samples of suspicious files to Microsoft to
help improve malware detection.
Exclusions - You can exclude specific files, folders, file extensions, or processes from Windows Defender
scanning.
Enhanced notification - Enables notifications about the health of your PC. Even when this setting is off, you will
still receive critical notifications.
Windows Defender Offline - You can run Windows Defender Offline to help find and remove malicious
software. This scan will restart your PC and will take about 15 minutes.
See also
Endpoint Protection client frequently asked questions
Troubleshooting Windows Defender or Endpoint Protection client
Troubleshooting Windows Defender or Endpoint Protection client
4/30/2018 • 9 min to read

Applies to: System Center Configuration Manager (Current Branch)


If you encounter problems with Windows Defender or Endpoint Protection, contact your security administrator for
support. You can also try to troubleshoot the following problems:
Update Windows Defender or Endpoint Protection
Starting Windows Defender or Endpoint Protection service
Internet connection issues
Detected threat can't be remediated
Install the Endpoint Protection client

Update Windows Defender or Endpoint Protection


Windows Defender or Endpoint Protection works automatically with Microsoft Update to ensure that your virus
and spyware definitions are kept up to date.
Symptoms
This article addresses common issues with automatic updates, including the following situations:
You see error messages indicating that updates have failed.
When you check for updates, you receive an error message that the virus and spyware definition updates
cannot be checked, downloaded, or installed.
Even though you are connected to the Internet, the updates fail.
Updates are not automatically installing as scheduled.
Cause
The most common causes for update issues are problems with Internet connectivity. However, if you know
you are connected to the Internet because you can browse to other Web sites, the issue might be caused by
conflicts with your settings in Windows Internet Explorer.

IMPORTANT
You have to exit Internet Explorer to complete these steps. Therefore, print them, write them down, or copy them to another
file, and then bookmark this topic for future access.

Step 1: Reset your Internet Explorer settings


1. Exit all open programs, including Internet Explorer.

NOTE
Resetting these settings in Internet Explorer deletes your temporary files, cookies, browsing history, and your online
passwords. But, your favorites are not deleted.
2. Click Start and search for inetcpl.cpl, and then press Enter.
3. In the Internet Options dialog box, click the Advanced tab.
4. Under the Reset Internet Explorer settings, click Reset, and then click Reset again.
5. Wait until Internet Explorer finishes resetting the settings, and then click OK.
6. Open Internet Explorer.
7. Open Microsoft Security Essentials, click the Update tab, and then click Update.
8. If the issue persists, proceed to the next step.
Step 2: Set Internet Explorer as the default browser
1. Exit all open programs, including Internet Explorer.
2. Click Start and search for inetcpl.cpl, and then press Enter.
3. In the Internet Options dialog box, click the Programs tab.
4. Under Default Web browser, click Make default.
5. Click OK.
6. Open Windows Defender or Endpoint Protection. Click the Update tab, and then click Update.
7. If the issue persists, proceed to the next step.
Step 3: Ensure that the date and time are set correctly on your computer
1. Open Windows Defender or Endpoint Protection.
2. If the error message that you received contains the code 0x80072f8f, the problem is most likely caused by
an incorrect date or time setting on your computer.
3. To reset your computer's date or time setting, follow the steps in Fix broken desktop shortcuts and common
system maintenance tasks (http://go.microsoft.com/fwlink/?LinkId=155579).
Step 4: Rename the Software Distribution folder on your computer
1. Stop the Automatic Updates service
a. Click Start and search for services.msc, and then click OK.
b. Right-click the Automatic Updates service, and then click Stop.
c. Minimize the Services snap-in.
2. Rename the SoftwareDistribution directory as follows:
a. Click Start and search for cmd, and then click OK.
b. Type cd %windir%, and then press Enter.
c. Type ren SoftwareDistribution SDTemp, and then press Enter.
d. Type exit, and then press Enter.
3. Start the Automatic Updates service as follows:
a. Maximize the Services snap-in.
b. Right-click Automatic Updates service, and then click Start.
c. Close the Services snap-in window.
Step 5: Reset the Microsoft antivirus update engine on your computer
1. Click Start and search for cmd, and then click OK. Right-click Command Prompt, and then select
Run as administrator.
2. In the Command Prompt window, type the following commands and press Enter after each command:
Cd\
Cd program files\windows defender
Mpcmdrun -RemoveDefinitions -all
Exit
3. Restart your computer.
4. Open Windows Defender or Endpoint Protection, click the Update tab, and then click Update.
5. If the issue persists, proceed to the next step.
Step 6: Manually install the virus and spyware definition updates
If you are running a 32-bit Windows operating system, download the latest updates manually at
http://go.microsoft.com/fwlink/?LinkID=87342.
If you are running a 64-bit Windows operating system, download the latest updates manually at
http://go.microsoft.com/fwlink/?LinkID=87341.
Click Run. The latest updates are manually installed on your computer.
Step 7: Contact Support
If the steps did not resolve the issue, contact support. For more information, see Customer Support
(http://go.microsoft.com/fwlink/?LinkID=196174).
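Steps 4 through 6 above, carried out from an elevated PowerShell prompt. This is an added example, not a script from the original page or from Microsoft. It assumes that the service the page calls Automatic Updates is the one registered as wuauserv (shown as Windows Update or Automatic Updates in the Services snap-in), that MpCmdRun.exe is in the Windows Defender folder used in Step 5, and that the Microsoft Security Client folder is where the Endpoint Protection client keeps it on Windows versions before Windows 10 (an assumed fallback path). The definition download in Step 6 is replaced by the client's own updater so that an exit code is available.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# prompt; it performs Steps 4 and 5 and then pulls fresh definitions in place
# of the manual download in Step 6. Reboot between Step 5 and the update if
# you want to follow the page's order exactly.
#Requires -RunAsAdministrator

# Locate MpCmdRun.exe. The Windows Defender path is the one the page uses;
# the Microsoft Security Client path is an assumed fallback for the Endpoint
# Protection client on Windows versions before Windows 10.
$mpCmdRun = @(
    "$env:ProgramFiles\Windows Defender\MpCmdRun.exe",
    "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe"
) | Where-Object { Test-Path -Path $_ } | Select-Object -First 1

if (-not $mpCmdRun) {
    throw 'MpCmdRun.exe was not found; the antimalware client does not appear to be installed.'
}

# Step 4: stop the update service (wuauserv), set the download cache aside
# under the name the page uses, and start the service again.
Stop-Service -Name wuauserv -Force
$softwareDistribution = Join-Path -Path $env:windir -ChildPath 'SoftwareDistribution'
$sdTemp = Join-Path -Path $env:windir -ChildPath 'SDTemp'
if (Test-Path -Path $sdTemp) {
    # A leftover SDTemp from an earlier attempt would block the rename.
    Remove-Item -Path $sdTemp -Recurse -Force
}
if (Test-Path -Path $softwareDistribution) {
    Rename-Item -Path $softwareDistribution -NewName 'SDTemp'
}
Start-Service -Name wuauserv

# Step 5: discard the installed definitions so the next update starts clean.
& $mpCmdRun -RemoveDefinitions -All
if ($LASTEXITCODE -ne 0) {
    throw "MpCmdRun -RemoveDefinitions failed with exit code $LASTEXITCODE"
}

# Fetch a fresh definition set through the client's own updater. Unlike the
# Update button in the GUI, this returns an exit code you can act on.
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) {
    throw "MpCmdRun -SignatureUpdate failed with exit code $LASTEXITCODE"
}
Write-Output 'Definition update completed successfully.'
```

If the update still fails after this, the exit code from MpCmdRun is the value to quote when you contact support (Step 7), since the GUI does not show it.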

Starting Windows Defender or Endpoint Protection service


Symptom
You receive a message notifying you that Windows Defender or Endpoint Protection isn't monitoring your
computer because the program's service stopped. You should restart it now.
Solution
Step 1: Restart your computer.
Close all applications and restart your computer.
Step 2: Make sure the "Windows Defender" or "Endpoint Protection service" is set to automatic and is started
1. Click Start and search for services.msc, and then press Enter.
2. Search for Microsoft Antimalware Service. Right-click it and select Properties or double-click it to open
the service.
3. Check to make sure that the "Startup Type" is set to "Automatic".
4. Click the Start button to start the service. If the Start button is not available, click the Stop button, and then
click the Start button to restart the service.
5. Make sure you note any errors that may appear during this process, submit a case online, and include the
error information.
Step 3: Remove any existing Internet security programs
1. Click Start and search for appwiz.cpl, and then press Enter.
2. In the list of installed programs, uninstall any third-party Internet security programs.
3. Restart your computer, and then try to install Windows Defender or Endpoint Protection again.

NOTE
Some Internet security applications do not uninstall completely. You may need to download and run a cleanup utility for your
previous security application in order for it to be completely removed.

CAUTION

When you remove Internet security programs, your computer is unprotected. If you have problems installing
Endpoint Protection after you remove existing Internet security programs, contact Windows Defender or
Endpoint Protection support by submitting a case online (for more information, see How to Submit a Case
Online).
Step 4: Uninstall/reinstall Endpoint Protection
1. Click Start and search for appwiz.cpl, and then press Enter.
2. In the list of installed programs, click Endpoint Protection, and then uninstall it.
3. If prompted, restart your computer, and then try to install Endpoint Protection again.
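Step 2 (service startup type and state) and the inventory behind Step 3, as an added PowerShell example that is not from the original page or from Microsoft. It assumes the service names MsMpSvc (the Microsoft Antimalware Service of the Endpoint Protection client on Windows versions before Windows 10) and WinDefend (the Windows Defender service on Windows 10), and that the computer runs a client edition of Windows, where the root/SecurityCenter2 namespace that lists registered antivirus products exists (it does not on Windows Server).

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# prompt. Checks the antimalware service, sets it to Automatic and starts it,
# and lists the antivirus products Windows has registered so that Step 3
# (removing third-party security programs) is done knowingly.
#Requires -RunAsAdministrator

# MsMpSvc: Endpoint Protection client service (pre-Windows 10).
# WinDefend: Windows Defender service (Windows 10). Whichever exists is checked.
$service = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name='MsMpSvc' OR Name='WinDefend'" | Select-Object -First 1
if (-not $service) {
    throw 'No antimalware service is registered; reinstall the client (Step 4).'
}

# Step 2, items 3 and 4: startup type must be Automatic and the service running.
if ($service.StartMode -ne 'Auto') {
    Set-Service -Name $service.Name -StartupType Automatic
}
if ($service.State -ne 'Running') {
    try {
        Start-Service -Name $service.Name -ErrorAction Stop
    }
    catch {
        # Item 5: keep the exact error text for the support case.
        throw "Could not start $($service.Name): $($_.Exception.Message)"
    }
}
Get-Service -Name $service.Name | Select-Object Name, DisplayName, Status

# Step 3: Security Center registrations show every antivirus product present,
# including one whose uninstaller left pieces behind (see the NOTE above).
# This namespace exists on client editions of Windows only.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    Select-Object displayName, pathToSignedProductExe, productState
```

A second product in the AntiVirusProduct list, next to Windows Defender or Endpoint Protection, is the one to remove with its vendor's cleanup utility before trying the installation again.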

Internet connection issues


In order to make sure that your computer receives the latest updates from Windows Update, you must be
connected to the Internet.
Step 1: Verify that your computer is connected to the Internet
1. Click Start and search for ncpa.cpl, and then press Enter.
2. Right-click the connection name and then click Status.
3. If your computer is connected, in Windows XP the connection status will appear as Connected, Enabled,
or Authentication succeeded. In Windows Vista and Windows 7, the IPv4 status will appear as Internet.
4. If your computer doesn't appear to be connected, right-click the connection name, and then click Connect,
Enable, Authenticate, or Repair.
Step 3: Restart your computer
Close any open programs and restart your computer.
Step 4: If you still can't connect to the Internet, check your connections
1. If you use a dial-up connection, make sure the telephone cord connection in the wall jack and in your
modem are firmly connected.
2. If you use a cable modem, make sure the cable connection to the modem and the connection from the
modem to your computer are firmly connected.
3. If you use a cable modem or DSL router, make sure the connections to the router and to the computer are
firmly connected. Try unplugging and turning off the router and modem. Wait a few minutes, plug in the
modem in first, wait one minute, then plug in the router, and restart your computer.

Detected threat can't be remediated


When Windows Defender or Endpoint Protection detects a potential threat that's hiding inside a compressed file
with a .zip file name extension or within a network share, it tries to deal with the threat by quarantining or
removing the threat.
Remove or scan the file
If the detected threat was in a .zip file, browse to the .zip file, and then either remove the file or scan it by
right-clicking the file and selecting Scan with Windows Defender or Scan with Endpoint Protection. If
Windows Defender or Endpoint Protection detects additional threats in the file, it notifies you about these
threats and enables you to choose an appropriate action.
If the detected threat was in a network share, browse to the network share and scan it by right-clicking the
file and selecting Scan with Windows Defender or Scan with Endpoint Protection. If Windows
Defender or Endpoint Protection detects additional threats in the network share, it notifies you about these
threats and enables you to choose an appropriate action.
If you're not sure of the file's origin, one of the best solutions is to run a full scan on your computer. A full
scan may take some time to complete, but it makes it possible for Windows Defender or Endpoint
Protection to look for the source of the infection and clean it.
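The three scans described above (a .zip file, a network share, and a full scan of the computer), run through the client's command-line scanner instead of the right-click menu. This is an added example, not code from the original page or from Microsoft. It assumes the same MpCmdRun.exe locations as the update troubleshooting section (the Microsoft Security Client folder being an assumed fallback for the older client), that MpCmdRun's scan exit codes follow its documented convention (0 means clean, 2 means threats were found), and the file and share names used at the end are constructed placeholders.

```powershell
# Added example, not from the original page. Scans a .zip file or a network
# share with MpCmdRun, which is what "Scan with Windows Defender" and
# "Scan with Endpoint Protection" invoke, or runs a full scan when the origin
# of a file is unknown. Exit-code meanings (0 = clean, 2 = threats found)
# are MpCmdRun's documented convention; confirm them on your client version.

$mpCmdRun = @(
    "$env:ProgramFiles\Windows Defender\MpCmdRun.exe",
    "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe"   # assumed path, older client
) | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $mpCmdRun) { throw 'MpCmdRun.exe was not found.' }

function Invoke-DefenderScan {
    param(
        # A file, folder, or UNC path. Omit it for a full scan of the computer.
        [string]$Path
    )
    if ($Path) {
        # ScanType 3 = custom scan of the given path.
        & $mpCmdRun -Scan -ScanType 3 -File $Path
        $target = $Path
    }
    else {
        # ScanType 2 = full scan; slower, but it looks for the source of the infection.
        & $mpCmdRun -Scan -ScanType 2
        $target = 'this computer'
    }
    switch ($LASTEXITCODE) {
        0 { "No threats found in $target." }
        2 { "Threats found in $target; review History > All detected items in the client." }
        default { "Scan of $target ended with exit code $LASTEXITCODE." }
    }
}

# Constructed placeholder paths; substitute the file or share named in the alert.
Invoke-DefenderScan -Path "$env:USERPROFILE\Downloads\archive.zip"
Invoke-DefenderScan -Path '\\fileserver\share'
Invoke-DefenderScan
```

Scanning a share this way scans it from the client's side; if the share is large, the custom scan of just the reported file is the faster first check, and the full scan is the fallback when the file's origin is unclear.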

Install the Endpoint Protection client


NOTE
Windows Defender is installed with the operating system on Windows 10 PCs.

Symptoms
Installation fails for an unknown reason, or you receive an error message with error code, such as 0x80070643,
0X8007064A, 0x8004FF2E, 0x8004FF01, 0x8004FF07, 0x80070002, 0x8007064C, 0x8004FF00, 0x80070001,
0x80070656, 0x8004FF40, 0xC0000156, 0x8004FF41, 0x8004FF0B, 0x8004FF11, 0x80240022, 0x8004FF04,
0x80070660, 0x800106B5, 0x80070715, 0x80070005, 0x8004EE00, 0x8007003, 0x800B0100, 0x8007064E, or
0x8007007E.
If your computer is running Windows XP Service Pack 2 (SP2), you might see one or more of the following error
messages:
Installation Wizard is missing a filter manager rollup package needed to complete the installation.
KB914882 Setup Error, Setup cannot update your Windows XP files because the language installed on your
system is different from the update language.
Cause
Endpoint Protection cannot be installed on a computer that is running other security programs. Sometimes,
even if you remove other security programs, they do not completely uninstall. You must be running a
genuine version of the Windows operating system to install Endpoint Protection.
Solution

IMPORTANT
You will need to restart your computer while resolving this issue. Bookmark this page (mark it as a Favorite) to make it easier
to find this topic again or print it for easy reference.

Step 1: Remove any existing security programs


Endpoint Protection only
1. Completely uninstall any existing Internet security programs.
2. Restart your computer.
3. Install Endpoint Protection again. If this does not resolve the issue, continue to the next step.
Step 2: Ensure that the Windows Installer service is running
1. Click Start and search for services.msc, and then press Enter.
2. Right-click Windows Installer, and then click Start. If Start is unavailable and the Stop and Restart
options are available, this tells you that the service is already started.
3. On the Services page, on the File menu, click Exit.
4. Click Start and search for command prompt. Right-click Command Prompt, and then click Run as
administrator.
5. Type MSIEXEC /REGSERVER, and then press Enter.

NOTE
There is no indication that this command has succeeded or failed.

6. Install Endpoint Protection again. If this does not resolve the issue, continue to the next step.
Step 3: Start Windows in Selective Startup mode
1. Click Start and search for msconfig, and then press Enter.
2. On the General tab, click Selective Startup, and then clear the Load Startup Items check box.
3. On the Services tab, select the Hide All Microsoft Services check box, and then clear all the check boxes
for the services that remain in the list.
4. Click OK, and then click Restart to restart the computer.
5. Try to install Endpoint Protection again.
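The checks behind Step 2 (Windows Installer) and Step 3 (Selective Startup), as an added PowerShell example that is not from the original page or from Microsoft. It assumes the Windows Installer service name msiserver and that msiexec.exe returns exit code 0 on a successful /REGSERVER, which gives the success indication the NOTE above says the command does not show. The list of non-Microsoft services uses a simple heuristic (binary outside the Windows folder) that is an assumption; msconfig itself goes by the service's publisher.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# prompt. Makes sure Windows Installer is running, re-registers it with a
# pass/fail result, and previews what Selective Startup (Step 3) would
# disable so that a lingering third-party security component can be spotted.
#Requires -RunAsAdministrator

# Step 2: the Windows Installer service (msiserver) must be running.
$msi = Get-Service -Name msiserver
if ($msi.Status -ne 'Running') {
    Start-Service -Name msiserver
}

# Re-register the installer and read the exit code; 0 means success.
$regserver = Start-Process -FilePath "$env:windir\System32\msiexec.exe" `
    -ArgumentList '/regserver' -Wait -PassThru
if ($regserver.ExitCode -ne 0) {
    throw "msiexec /regserver returned exit code $($regserver.ExitCode)"
}
Write-Output 'Windows Installer is running and registered.'

# Step 3 preview: auto-start services whose binary is outside the Windows
# folder (assumed heuristic for "non-Microsoft") and the programs that run at
# logon. These are what "Hide All Microsoft Services" plus "Load Startup
# Items" cleared would disable; a leftover security product shows up here.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notlike "*$env:windir*" } |
    Select-Object Name, DisplayName, State, PathName

Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User
```

If the installation succeeds only in Selective Startup mode, the entry that differs between the two lists is the one to remove before returning the computer to normal startup.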
See also
Endpoint Protection client frequently asked questions
Endpoint Protection Client Help
Endpoint Protection client frequently asked questions
4/30/2018 • 18 min to read

Applies to: System Center Configuration Manager (Current Branch)


This FAQ is for computer users whose IT administrator has deployed Windows Defender or Endpoint Protection
to their managed computer. The content here might not apply to other antimalware software. Microsoft System
Center Endpoint Protection manages Windows Defender on Windows 10. It can also deploy and manage the
Endpoint Protection client to computers before Windows 10. While Windows Defender is described in this article,
its information also applies to Endpoint Protection.
Why do I need antivirus and antispyware software?
How can I tell if my computer is infected with malicious software?
How can I find the version of Windows Defender?
What should I do if Windows Defender or Endpoint Protection detects malicious software on my computer?
What is a virus?
What is spyware?
What's the difference between viruses, spyware, and other potentially harmful software?
Where do viruses, spyware, and other potentially unwanted software come from?
Can I get malicious software without knowing it?
Why is it important to review license agreements before installing software?
What's the difference between Endpoint Protection and Windows Defender?
Why doesn't Windows Defender detect cookies?
How can I prevent malware?
What are virus and spyware definitions?
How do I keep virus and spyware definitions up to date?
How do I remove or restore items quarantined by Windows Defender or Endpoint Protection?
What is real-time protection?
How do I know that Windows Defender or Endpoint Protection is running on my computer?
How to set up Windows Defender or Endpoint Protection alerts?

Why do I need antivirus and antispyware software?


It is critical to make sure that your computer is running software that protects against malicious software.
Malicious software, which includes viruses, spyware, or other potentially unwanted software can try to install itself
on your computer any time you connect to the Internet. It can also infect your computer when you install a
program using a CD, DVD, or other removable media. Malicious software can also be programmed to run at
unexpected times, not just when it is installed.
Windows Defender or Endpoint Protection offers three ways to help keep malicious software from infecting your
computer:
Using real-time protection - Real-time protection enables Windows Defender to monitor your computer
all the time and alert you when malicious software, including viruses, spyware, or other potentially
unwanted software attempts to install itself or run on your computer. Windows Defender then suspends the
software and enables you to follow its recommendation on the software or take an alternative action.
|Real-time protection option |Purpose |
|-|-|
|Scan all downloads|This option monitors files and programs that are downloaded, including files that are automatically downloaded via Windows Internet Explorer and Microsoft Outlook® Express, such as ActiveX® controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Malicious software, including viruses, spyware, and other potentially unwanted software, can be included with these files and installed without your knowledge. Using the real-time protection option, Windows Defender monitors your computer all the time and checks for any malicious files or programs that you may have downloaded. This monitoring feature means that Windows Defender doesn't need to slow down your browsing or e-mail experience by requiring a check of any files or programs you may want to download.|
|Monitor file and program activity on your computer|This option monitors when files and programs start running on your computer, and then it alerts you about any actions they perform and actions taken on them. This is important, because malicious software can use vulnerabilities in programs that you have installed to run malicious or unwanted software without your knowledge. For example, spyware can run itself in the background when you start a program that you frequently use. Windows Defender monitors your programs and alerts you if it detects suspicious activity.|
|Enable behavior monitoring|This option monitors collections of behavior for suspicious patterns that might not be detected by traditional antivirus detection methods.|
|Enable Network Inspection System|This option helps protect your computer against "zero day" exploits of known vulnerabilities, decreasing the window of time between the moment a vulnerability is discovered and an update is applied.|
Scanning options - You can use Windows Defender to scan for potential threats, such as viruses, spyware,
and other malicious software that might put your computer at risk. You can also use it to schedule scans on
a regular basis and to remove malicious software that is detected during a scan.
Microsoft Active Protection Service community - The online Microsoft Active Protection Service
community helps you see how other people respond to software that has not yet been classified for risks.
You can use this information to help you choose whether to allow this software on your computer. In turn, if
you participate, your choices are added to the community ratings to help other people decide what to do.

How can I tell if my computer is infected with malicious software?


You might have some form of malicious software, including viruses, spyware, or other potentially unwanted
software, on your computer if:
You notice new toolbars, links, or favorites that you did not intentionally add to your Web browser.
Your home page, mouse pointer, or search program changes unexpectedly.
You type the address for a specific site, such as a search engine, but you are taken to a different Web site
without notice.
Files are automatically deleted from your computer.
Your computer is used to attack other computers.
You see pop-up ads, even if you're not on the Internet.
Your computer suddenly starts running more slowly than it usually does. Not all computer performance
problems are caused by malicious software, but malicious software, especially spyware, can cause a
noticeable change.
There might be malicious software on your computer even if you don't see any symptoms. This type of software
can collect information about you and your computer without your knowledge or consent. To help protect your
privacy and your computer, you should run Windows Defender or Endpoint Protection at all times.

How can I find the version of Windows Defender?


To view the version of Windows Defender running on your computer, open Windows Defender (click Start and
then search for Windows Defender), click Settings, and scroll to the bottom of the Windows Defender settings
to find Version info.

What should I do if Windows Defender or Endpoint Protection detects malicious software on my computer?


If Windows Defender detects malicious software or potentially unwanted software on your computer (either when
monitoring your computer using real-time protection or after running a scan), it notifies you about the detected
item by displaying a notification message in the bottom right-hand corner of your screen.
The notification message includes a Clean computer button and a Show details link that lets you view
additional information about the detected item. Click the Show details link to open the Potential threat details
window to get additional information about the detected item. You can now choose which action to apply to the
item, or click Clean computer. If you need help determining which action to apply to the detected item, use the
alert level that Windows Defender assigned to the item as your guide (for more information, see Understanding
alert levels).
Alert levels help you choose how to respond to viruses, spyware, and other potentially unwanted software. While
Windows Defender will recommend that you remove all viruses and spyware, not all software that is flagged is
malicious or unwanted. The following information can help you decide what to do if Windows Defender detects
potentially unwanted software on your computer.
Depending on the alert level, you can choose one of the following actions to apply to the detected item:
Remove - This action permanently deletes the software from your computer.
Quarantine - This action quarantines the software so that it can't run. When Windows Defender
quarantines software, it moves it to another location on your computer, and then prevents the software
from running until you choose to restore it or remove it from your computer.
Allow - This action adds the software to the Windows Defender allowed list and allows it to run on your
computer. Windows Defender will stop alerting you to risks that the software might pose to your privacy or
to your computer. Therefore, add software to the allowed list only if you trust the software and the software
publisher.
How to remove potentially harmful software
To remove all unwanted or potentially harmful items that Windows Defender detects quickly and easily, use the
Clean computer option.
1. When you see the notification message that displays in the Notification area after it detects potential
threats, click Clean computer.
2. Windows Defender removes the potential threat (or threats), and then notifies you when it's finished
cleaning your computer.
3. To learn more about the detected threats, click the History tab, and then select All detected items.
4. If you don't see all the detected items, click View details. If you're prompted for an administrator password
or confirmation, type the password or confirm the action. On systems running Windows XP, you may need
to log on as an administrator on this computer.

NOTE
During computer cleanup, whenever possible, Windows Defender removes only the infected part of a file, not the entire file.

What is a virus?
Computer viruses are software programs deliberately designed to interfere with computer operation, to record,
corrupt, or delete data, or to infect other computers throughout the Internet. Viruses often slow things down and
cause other problems in the process.

What is spyware?
Spyware is software that can install itself or run on your computer without getting your consent or providing you
with adequate notice or control. Spyware might not display symptoms after it infects your computer, but many
malicious or unwanted programs can affect how your computer runs. For example, spyware can monitor your
online behavior or collect information about you (including information that can identify you or other sensitive
information), change settings on your computer, or cause your computer to run slowly.

What's the difference between viruses, spyware, and other potentially harmful software?


Both viruses and spyware are installed on your computer without your knowledge and both have the potential to
be intrusive and destructive. They also have the ability to capture information on your computer and damage or
delete that information. They both can negatively affect your computer's performance.
The main difference between viruses and spyware is how they behave on your computer. Viruses, like living
organisms, want to infect a computer, replicate, and then spread to as many other computers as possible. Spyware,
however, is more like a mole - it wants to "move into" your computer and stay there as long as possible, sending
valuable information about your computer to an outside source while it is there.

Where do viruses, spyware, and other potentially unwanted software come from?


Unwanted software, such as viruses, can be installed by Web sites or by programs that you download or that you
install using a CD, DVD, external hard disk, or a device. Spyware is most commonly installed through free
software, such as file sharing, screen savers, or search toolbars.

Can I get malicious software without knowing it?


Yes, some malicious software can be installed from a website through an embedded script or program in a
webpage. Some malicious software requires your help to install it. This software uses Web pop-ups or free
software that requires you to accept a downloadable file. However, if you keep Microsoft Windows® up to date
and don't reduce your security settings, you can minimize the chances of an infection.

Why is it important to review license agreements before installing software?


When you visit websites, do not automatically agree to download anything the site offers. If you download free
software, such as file sharing programs or screen savers, read the license agreement carefully. Look for clauses
that say that you must accept advertising and pop-ups from the company, or that the software will send certain
information back to the software publisher.

What's the difference between Endpoint Protection and Windows Defender?


Endpoint Protection is antimalware software, which means that it's designed to detect and help protect your
computer against a wide range of malicious software, including viruses, spyware, and other potentially unwanted
software. Windows Defender, which is automatically installed with your Windows operating system, is software
that detects and stops spyware.

Why doesn't Windows Defender detect cookies?


Cookies are small text files that websites put on your computer to store information about you and your
preferences. Websites use cookies to offer you a personalized experience and to gather information about website
use. Windows Defender doesn't detect cookies because it doesn't consider them a threat to your privacy or to the
security of your computer. Most internet browser programs allow you to block cookies.

How can I prevent malware?


Two of the biggest concerns for computer users today are viruses and spyware. In both cases, while these can be a
problem, you can defend yourself against them easily enough with just a little bit of planning:
Keep your computer's software current and remember to install all patches. Remember to update your
operating system on a regular basis.
Make sure your antivirus and antispyware software, Windows Defender, is using the latest updates against
potential threats (see How do I keep virus and spyware definitions up to date?). Also make sure you're
always using the latest version of Windows Defender.
Only download updates from reputable sources. For Windows operating systems, always go to Microsoft
Update (http://go.microsoft.com/fwlink/?LinkID=96304) and for other software always use the legitimate
websites of the company or person who produces it.
If you receive an e-mail with an attachment and you're unsure of the source, then you should delete it
immediately. Don't download any applications or files from unknown sources, and be careful when trading
files with other users.
Install and use a firewall. It is recommended that you enable Windows Firewall.

What are virus and spyware definitions?


When you use Windows Defender or Endpoint Protection, it is important to have up-to-date virus and spyware
definitions. Definitions are files that act like an ever-growing encyclopedia of potential software threats. Windows
Defender or Endpoint Protection uses definitions to determine if software that it detects is a virus, spyware, or
other potentially unwanted software, and then to alert you to potential risks. To help keep your definitions up to
date, Windows Defender or Endpoint Protection works with Microsoft Update to install new definitions
automatically as they are released. You can also set Windows Defender or Endpoint Protection to check online for
updated definitions before scanning.

How do I keep virus and spyware definitions up to date?


Virus and spyware definitions are files that act like an encyclopedia of known malicious software, including
viruses, spyware, and other potentially unwanted software. Because malicious software is continually being
developed, Windows Defender or Endpoint Protection relies on up-to-date definitions to determine if software
that is trying to install, run, or change settings on your computer is a virus, spyware, or other potentially unwanted
software.
To automatically check for new definitions before scheduled scans (recommended)
1. Open Windows Defender or Endpoint Protection client by clicking the icon in the notification area or
launching it from the Start menu.
2. Click Settings, and then click Scheduled scan.
3. Make sure the Check for the latest virus and spyware definitions before running a scheduled scan
check box is selected, and then click Save changes. If you're prompted for an administrator password or
confirmation, type the password or confirm the action.
To check for new definitions manually
Windows Defender or Endpoint Protection updates the virus and spyware definitions on your computer
automatically. If the definitions haven't been updated for over seven days (for example, if you didn't turn on your
computer for a week), Windows Defender or Endpoint Protection will notify you that the definitions are out of
date.
1. Open Windows Defender or Endpoint Protection client by clicking the icon in the notification area or
launching it from the Start menu.
2. To check for new definitions manually, click the Update tab and then click Update definitions.
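A scripted form of the manual check above, as an added PowerShell example that is not from the original page or from Microsoft. It reports how old the installed definitions are and runs the same update as the Update definitions button when they are older than the seven days after which the client itself warns. It assumes the Defender PowerShell module (Get-MpComputerStatus and Update-MpSignature, present on Windows 8 and later); for the Endpoint Protection client on earlier Windows, where that module is absent, it falls back to MpCmdRun.exe at an assumed path.

```powershell
# Added example, not from the original page. Reports the definition age and
# updates when it exceeds the seven-day threshold the page mentions. Works
# without elevation for the status check; the update itself needs the rights
# the client normally asks for.

$maxAgeDays = 7

if (Get-Command -Name Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    # Windows 8 / Windows 10: the Defender module exposes the status directly.
    $status = Get-MpComputerStatus
    $ageDays = [int]$status.AntivirusSignatureAge
    Write-Output ('Antivirus definitions {0} (last updated {1}) are {2} day(s) old.' -f
        $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated, $ageDays)

    if ($ageDays -gt $maxAgeDays) {
        Write-Output 'Definitions are out of date; updating now.'
        Update-MpSignature   # same action as Update tab > Update definitions
        Get-MpComputerStatus |
            Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AntivirusSignatureAge
    }
    else {
        Write-Output 'Definitions are current.'
    }
}
else {
    # Fallback for the Endpoint Protection client on older Windows, where the
    # Defender module is not available: ask MpCmdRun to update directly.
    # Assumed install path for that client.
    $mpCmdRun = "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe"
    if (-not (Test-Path -Path $mpCmdRun)) { throw 'MpCmdRun.exe was not found.' }
    & $mpCmdRun -SignatureUpdate
    Write-Output "MpCmdRun -SignatureUpdate exit code: $LASTEXITCODE"
}
```

Run on a schedule, the age check gives the same out-of-date warning the client shows, but in a form that can be collected centrally rather than waiting for a user to notice the notification.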

How do I remove or restore items quarantined by Windows Defender or Endpoint Protection?


When Windows Defender or Endpoint Protection quarantines software, it moves the software to another location
on your computer, and then it prevents the software from running until you choose to restore it or to remove it
from your computer.
For all the steps mentioned in this procedure, if you're prompted for an administrator password or confirmation,
type the password or provide confirmation.
To remove or restore items quarantined by Windows Defender or Endpoint Protection
1. Click the History tab, select Quarantined items, and then select the Quarantined items option.
2. Click View details to see all of the items.
3. Review each item, and then for each, click Remove or Restore. If you want to remove all of the quarantined
items from your computer, click Remove All.

What is real-time protection?


Real-time protection enables Windows Defender to monitor your computer all the time and alert you when
potential threats, such as viruses and spyware, are trying to install themselves or run on your computer. Because
this feature is an important element of the way that Windows Defender helps protect your computer, you should
make sure real-time protection is always turned on. If real-time protection gets turned off, Windows Defender
notifies you, and changes your computer's status to at risk.
Whenever real-time protection detects a threat or potential threat, Windows Defender displays a notification. You
can now choose from the following options:
Click Clean computer to remove the detected item. Windows Defender will automatically remove the item
from your computer.
Click the Show details link to display the Potential threat details window, and then choose which action to
apply to the detected item.
You can choose the software and settings that you want Windows Defender to monitor, but we recommend
that you turn on real-time protection and enable all real-time protection options. The following table
explains the available options.

|Real-time protection option |Purpose |
|-|-|
|Scan all downloads|This option monitors files and programs that are downloaded, including files that are automatically downloaded via Windows Internet Explorer and Microsoft Outlook® Express, such as ActiveX® controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Malicious software, including viruses, spyware, and other potentially unwanted software, can be included with these files and installed without your knowledge. Using the real-time protection option, Windows Defender monitors your computer all the time and checks for any malicious files or programs that you may have downloaded. This monitoring feature means that Windows Defender doesn't need to slow down your browsing or e-mail experience by requiring a check of any files or programs you may want to download.|
|Monitor file and program activity on your computer|This option monitors when files and programs start running on your computer, and then it alerts you about any actions they perform and actions taken on them. This is important, because malicious software can use vulnerabilities in programs that you have installed to run malicious or unwanted software without your knowledge. For example, spyware can run itself in the background when you start a program that you frequently use. Windows Defender monitors your programs and alerts you if it detects suspicious activity.|
|Enable behavior monitoring|This option monitors collections of behavior for suspicious patterns that might not be detected by traditional antivirus detection methods.|
|Enable Network Inspection System|This option helps protect your computer against "zero day" exploits of known vulnerabilities, decreasing the window of time between the moment a vulnerability is discovered and an update is applied.|

To turn off real-time protection
1. Click Settings, and then click Real-time protection.
2. Clear the real-time protection options you want to turn off, and then click Save changes. If you're
prompted for an administrator password or confirmation, type the password or confirm the action.

How do I know that Windows Defender or Endpoint Protection is running on my computer?
After you install Windows Defender on your computer, you can close the main window and let Windows Defender
run quietly in the background. Windows Defender will continue running on your computer, monitor it, and help
protect it against threats.
Of course, you'll know that Windows Defender is running whenever it displays notification messages in the
notification area. These notifications alert you to potential threats that Windows Defender has detected.
You'll also receive other alert notifications, for example, if for some reason real-time protection has been turned
off, if you haven't updated your virus and spyware definitions for a number of days, or when upgrades to the
program become available. Windows Defender also briefly displays a notification to let you know that it's
scanning your computer.

TIP
If you don't see the Windows Defender icon in the notification area, click the arrow in the notification area to show hidden
icons, including the Windows Defender icon.

The icon color depends on your computer's current status:
Green indicates that your computer's status is "protected."
Yellow indicates that your computer's status is "potentially unprotected."
Red indicates that your computer's status is "at risk."

How to set up Windows Defender or Endpoint Protection alerts?
When Windows Defender is running on your computer, it automatically alerts you if it detects viruses, spyware, or
other potentially unwanted software. You can also set Windows Defender to alert you if you run software that has
not yet been analyzed, and you can choose to be alerted when software makes changes to your computer.
To set up alerts
1. Click Settings, and then click Real-time protection.
2. Make sure the Turn on real-time protection (recommended) check box is selected.
3. Select the check boxes next to the real-time protections options you want to run, and then click Save
changes. If you're prompted for an administrator password or confirmation, type the password or confirm
the action.
See also
Troubleshooting Windows Defender or Endpoint Protection client
Endpoint Protection Client Help
Device Guard management with Configuration Manager
4/30/2018 • 9 min to read

Applies to: System Center Configuration Manager (Current Branch)

Introduction
Device Guard is a group of Windows 10 features that are designed to protect PCs against malware and other
untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know,
can be run.
Device Guard encompasses both software and hardware-based security functionality. Windows Defender
Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run
on a PC. On its own, Application Control does not have any hardware or firmware prerequisites. Application
Control policies deployed with Configuration Manager enable a policy on PCs in targeted collections that meet the
minimum Windows version and SKU requirements outlined in this article. Optionally, hypervisor-based protection
of Application Control policies deployed through Configuration Manager can be enabled through Group Policy on
capable hardware.
To learn more about Device Guard, read the Device Guard deployment guide.

NOTE
Beginning with Windows 10, version 1709, configurable code integrity policies are known as Windows Defender Application
Control.

Using Device Guard with Configuration Manager
You can use Configuration Manager to deploy a Windows Defender Application Control policy. This policy lets you
configure the mode in which Device Guard runs on PCs in a collection.
You can configure one of the following modes:
1. Enforcement enabled - Only trusted executables are allowed to run.
2. Audit only - Allow all executables to run, but log untrusted executables that run in the local client event log.

TIP
In this version of Configuration Manager, Device Guard is a pre-release feature. To enable it, see Pre-release features in
System Center Configuration Manager.

What can run when you deploy a Windows Defender Application Control policy?
Windows Device Guard lets you strongly control what can run on PCs you manage. This feature can be useful for
PCs in high-security departments, where it's vital that unwanted software cannot run.
When you deploy a policy, typically, the following executables can run:
Windows operating system components
Hardware Dev Center drivers (that have Windows Hardware Quality Labs signatures)
Windows Store apps
The Configuration Manager client
All software deployed through Configuration Manager that PCs install after the Windows Defender Application
Control policy is processed.
Updates to Windows components from:
Windows Update
Windows Update for Business
Windows Server Update Services
Configuration Manager
Optionally, software with a good reputation as determined by the Microsoft Intelligent Security Graph
(ISG). The ISG includes Windows Defender SmartScreen and other Microsoft services. The device must
be running Windows Defender SmartScreen and Windows 10 version 1709 or later for this software to
be trusted.

IMPORTANT
These items do not include any software that is not built into Windows that automatically updates from the internet, or
third-party software updates, whether they are installed via any of the update mechanisms mentioned previously or from
the internet. Only software changes that are deployed through the Configuration Manager client can run.

Before you start
Before you configure or deploy Windows Defender Application Control policies, read the following information:
Device Guard management is a pre-release feature for Configuration Manager, and is subject to change.
To use Device Guard with Configuration Manager, PCs you manage must be running the Windows 10
Enterprise version 1703, or later.
Once a policy is successfully processed on a client PC, Configuration Manager is configured as a Managed
Installer on that client. Software deployed through it, after the policy processes, is automatically trusted.
Software installed by Configuration Manager before the Windows Defender Application Control policy
processes is not automatically trusted.
Client PCs must have connectivity to their Domain Controller in order for a Windows Defender Application
Control policy to be processed successfully.
The default compliance evaluation schedule for Application Control policies, configurable during deployment, is
every one day. If issues in policy processing are observed, it may be beneficial to configure the compliance
evaluation schedule to be shorter, for example every hour. This schedule dictates how often clients reattempt to
process a Windows Defender Application Control policy if a failure occurs.
Regardless of the enforcement mode you select, when you deploy a Windows Defender Application Control
policy, client PCs cannot run HTML applications with the extension .hta.

How to create a Windows Defender Application Control policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows Defender
Application Control.
3. On the Home tab, in the Create group, click Create Application Control policy.
4. On the General page of the Create Application Control policy Wizard, specify the following settings:
Name - Enter a unique name for this Windows Defender Application Control policy.
Description - Optionally, enter a description for the policy that helps you identify it in the Configuration
Manager console.
Enforce a restart of devices so that this policy can be enforced for all processes - After the policy
is processed on a client PC, a restart is scheduled on the client according to the Client Settings for
Computer Restart.
Devices running Windows 10 version 1703 or earlier will always be automatically restarted.
Starting with Windows 10 version 1709, applications currently running on the device will not have
the new Application Control policy applied to them until after a restart. However, applications
launched after the policy applies will honor the new Application Control policy.
Enforcement Mode - Choose one of the following enforcement methods for Device Guard on the client
PC.
Enforcement Enabled - Only trusted executables are allowed to run.
Audit Only - Allow all executables to run, but log untrusted executables that run in the local client
event log.
5. On the Inclusions tab of the Create Application Control policy Wizard, choose whether you want to Authorize
software that is trusted by the Intelligent Security Graph.
6. Click Add if you want to add trust for specific files or folders on PCs. In the Add Trusted File or Folder dialog
box, you can specify a local file or a folder path to trust. You can also specify a file or folder path on a remote
device on which you have permission to connect. When you add trust for specific files or folders in a Windows
Defender Application Control policy, you can:
Overcome issues with managed installer behaviors
Trust line-of-business apps that cannot be deployed with Configuration Manager
Trust apps that are included in an operating system deployment image.
7. Click Next, to complete the wizard.

IMPORTANT
The inclusion of trusted files or folders is only supported on client PCs running version 1706 or later of the Configuration
Manager client. If any inclusion rules are included in a Windows Defender Application Control policy and the policy is then
deployed to a client PC running an earlier version of the Configuration Manager client, the policy will fail to be applied.
Upgrading these older clients will resolve this issue. Policies that do not include any inclusion rules may still be applied on
older versions of the Configuration Manager client.

How to deploy a Windows Defender Application Control policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows Defender
Application Control.
3. From the list of policies, select the one you want to deploy, and then, on the Home tab, in the Deployment
group, click Deploy Application Control Policy.
4. In the Deploy Application Control policy dialog box, select the collection to which you want to deploy the
policy. Then, configure a schedule for when clients evaluate the policy. Finally, select whether the client can
evaluate the policy outside of any configured maintenance windows.
5. When you are finished, click OK to deploy the policy.

How to monitor a Windows Defender Application Control policy
Use the information in the Monitor compliance settings article to help you monitor that the deployed policy has
been applied to all PCs correctly.
To monitor the processing of a Windows Defender Application Control policy, use the following log file on client
PCs:
%WINDIR%\CCM\Logs\DeviceGuardHandler.log
To verify the specific software being blocked or audited, see the following local client event logs:
1. For blocking and auditing of executable files, use Applications and Services Logs > Microsoft > Windows
> Code Integrity > Operational.
2. For blocking and auditing of Windows Installer and script files, use Applications and Services Logs >
Microsoft > Windows > AppLocker > MSI and Script.
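The two event logs named above can be read from the client with PowerShell. This is an added example, not code from the Configuration Manager documentation; the event IDs are assumed from the Windows Defender Application Control logging documentation (3076 audited, 3077 blocked in Code Integrity/Operational; 8028 audited, 8029 blocked in AppLocker/MSI and Script), and the EventData field names ("File Name", "Process Name", "FilePath") are likewise assumptions about those events.

```powershell
# Added example: summarise which software a Windows Defender Application Control
# policy has audited (Audit Only) or blocked (Enforcement Enabled) on this client.
# Run on the client PC in an elevated PowerShell session.
function Get-WdacPolicyEvents {
    param([int]$Hours = 24)   # look-back window

    $since = (Get-Date).AddHours(-$Hours)

    # Assumed event IDs: 3076/3077 (executables), 8028/8029 (MSI and script files).
    $queries = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028, 8029; StartTime = $since }
    )
    $blockedIds = 3077, 8029

    foreach ($q in $queries) {
        # Get-WinEvent raises a non-terminating error when no events match; that is not a failure here.
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }

            # Assumed field names: Code Integrity events use "File Name" and "Process Name",
            # AppLocker events use "FilePath".
            $file = if ($data.ContainsKey('File Name')) { $data['File Name'] } else { $data['FilePath'] }
            $outcome = if ($_.Id -in $blockedIds) { 'Blocked' } else { 'Audited' }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $q.LogName
                EventId = $_.Id
                Outcome = $outcome
                File    = $file
                Process = $data['Process Name']
                User    = $_.UserId
            }
        }
    }
}

# Group by outcome and file: a device that shows only "Audited" rows is still
# running untrusted software (Audit Only, or not yet restarted after the policy).
Get-WdacPolicyEvents -Hours 24 |
    Group-Object Outcome, File |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```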

Security and privacy information for Device Guard
In this pre-release version, do not deploy Windows Defender Application Control policies with the enforcement
mode Audit Only in a production environment. This mode is intended to help you test the capability in a lab
setting only.
Devices that have a policy deployed to them in Audit Only or Enforcement Enabled mode that have not
been restarted to enforce the policy, are vulnerable to untrusted software being installed. In this situation, the
software might continue to be allowed to run even if the device restarts, or receives a policy in Enforcement
Enabled mode.
To ensure that the Windows Defender Application Control policy is effective, prepare the device in a lab
environment. Then, deploy the Enforcement Enabled policy, and finally, restart the device before you give the
device to an end user.
Do not deploy a policy with Enforcement Enabled, and then later deploy a policy with Audit Only to the
same device. This configuration might result in untrusted software being allowed to run.
When you use Configuration Manager to enable Windows Defender Application Control on client PCs, the
policy does not prevent users with local administrator rights from circumventing the Application Control
policies or otherwise executing untrusted software.
The only way to prevent users with local administrator rights from disabling Application Control is to deploy a
signed binary policy. This deployment is possible through Group Policy but not currently supported in
Configuration Manager.
Setting up Configuration Manager as a Managed Installer on client PCs uses AppLocker policy. AppLocker is
only used to identify Managed Installers, and all enforcement happens with Application Control.
Deploy profiles in System Center Configuration Manager
4/30/2018 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


Profiles must be deployed to one or more collections before they can be used.
Use the Deploy Wi-Fi Profile, Deploy VPN Profile, Deploy Exchange ActiveSync Profile, or Deploy
Certificate Profile dialog box to configure the deployment of these profiles. As part of the configuration, you
define the collection to which the profile is to be deployed and specify how often the profile is evaluated for
compliance.

NOTE
If you deploy multiple company resource access profiles to the same user, the following behavior occurs:
If a conflicting setting contains an optional value, it will not be sent to the device.
If a conflicting setting contains a mandatory value, the default value will be sent to the device. If there is no
default value, the entire company resource access profile will fail. For example, if you deploy two email profiles to
the same user and the values specified for Exchange ActiveSync host or Email address are different, then both
email profiles will fail as they are mandatory settings.
Before you can deploy certificate profiles, you must first configure the infrastructure and create certificate profiles.
For more information, see the following topics:
Configuring certificate infrastructure in System Center Configuration Manager
How to create certificate profiles in System Center Configuration Manager

IMPORTANT
When a VPN profile deployment is removed, it is not removed from client devices. If you want to remove the profile from
devices, you must manually remove it.

Deploying profiles
1. In the System Center Configuration Manager console, choose Assets and Compliance.
2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource
Access, and then choose the appropriate profile type, such as Wi-Fi Profiles.
3. In the list of profiles, select the profile that you want to deploy, and then in the Home tab, in the
Deployment group, click Deploy.
4. In the deploy profile dialog box, specify the following information:
Collection - Click Browse to select the collection where you want to deploy the profile.
Generate an alert - Enable this option to configure an alert that is generated if the profile
compliance is less than a specified percentage by a specified date and time. You can also specify
whether you want an alert to be sent to System Center Operations Manager.
Random delay (hours): (Only for certificate profiles that contain Simple Certificate Enrollment
Protocol settings) Specifies a delay window to avoid excessive processing on the Network Device
Enrollment Service. The default value is 64 hours.
Specify the compliance evaluation schedule for this profile - Specify the schedule by which
the deployed profile is evaluated on client computers. The schedule can be either a simple or a
custom schedule.

NOTE
The profile is evaluated by client computers when the user logs on.

5. Click OK to close the dialog box and to create the deployment.


See also
How to monitor Wi-Fi, VPN, and email profiles in System Center Configuration Manager
How to monitor certificate profiles in System Center Configuration Manager
Windows Hello for Business settings in System Center Configuration Manager
4/30/2018 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager lets you integrate with Windows Hello for Business (formerly Microsoft
Passport for Windows), which is an alternative sign-in method for Windows 10 devices. Hello for Business uses
Active Directory, or an Azure Active Directory account to replace a password, smart card, or virtual smart card.
Hello for Business lets you use a user gesture to log in, instead of a password. A user gesture might be a simple
PIN, biometric authentication, or an external device such as a fingerprint reader.
For more information, see Windows Hello for Business.

NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.

Configuration Manager integrates with Windows Hello for Business in two ways:
You can use Configuration Manager to control which gestures users can and cannot use to sign in.
You can store authentication certificates in the Windows Hello for Business key storage provider (KSP). For
more information, see Certificate profiles.
You can deploy Windows Hello for Business policies to domain-joined Windows 10 devices that run the
Configuration Manager client. This configuration is described in the Configure Windows Hello for Business
on domain-joined Windows 10 devices section. When you use Configuration Manager with Microsoft
Intune (hybrid), you can configure these settings on Windows 10, and Windows 10 Mobile devices. For
more information, see Configure Windows Hello for Business settings (hybrid).

Configure Windows Hello for Business on domain-joined Windows 10 devices
You can control Windows Hello for Business settings on domain-joined Windows 10 devices by creating and
deploying a Windows Hello for Business Profile. This approach is recommended.
If you are using certificate-based authentication, you must also deploy a certificate profile, as described in
Configure a certificate profile. If you are using key-based authentication, you do not need to deploy a certificate
profile.

Configure a Windows Hello for Business profile
In the Configuration Manager console, under Company Resource Access, right-click Windows Hello for
Business Profiles and choose New to start the profile wizard. Provide the settings requested by the wizard,
review and confirm the settings on the last page, and click Close.
Configure a certificate profile to enroll the Windows Hello for Business
enrollment certificate in Configuration Manager
If you want to use Windows Hello for Business certificate-based logon, configure the following components:
A Configuration Manager certificate profile.
In the certificate profile, select a template that uses Smart Card logon EKU.
If you intend to store certificate profiles in the Windows Hello for Business key container, and the certificate
profile uses the Smart Card Logon EKU, you must configure the following permissions for key registration
to ensure the certificate is validated correctly. You must first have created the Key Admins group and
added all Configuration Manager management point computers as members to this group.
Some configurations might not need you to configure permissions, or might require further configurations. Refer
to the following table for more help:

The table is organized by Windows client version, with one entry per Configuration Manager version.

Windows 10 Anniversary Update
Configuration Manager 1602 or 1606: No hotfix required; no permissions required; no Windows schema update required.
Configuration Manager 1610: No hotfix required (see Warning); no permissions required; no Windows schema update required.
Configuration Manager 1702 or later: Configure permissions; apply Windows Server 2016 schema to Active Directory.

Windows 10 Creators Update or later
Configuration Manager 1602 or 1606: Not supported.
Configuration Manager 1610: Install this hotfix; configure permissions; apply Windows Server 2016 schema to Active Directory.
Configuration Manager 1702 or later: Configure permissions; apply Windows Server 2016 schema to Active Directory.

WARNING
While the hotfix is not required for Configuration Manager 1610 and Windows 10 Anniversary Update, it may be installed. If
the hotfix is installed, you need to configure permissions and apply Windows Server 2016 schema to Active Directory.

To configure permissions
1. Sign in to a domain controller or management workstations with Domain Admin, or equivalent credentials.
2. Open Active Directory Users and Computers.
3. From the navigation pane, right-click your domain name, and then click Properties.
4. On the Security tab of the Properties dialog box, click Advanced. If the Security tab is not displayed, turn on
Advanced Features from the View menu of Active Directory Users and Computers.
5. Click Add.
6. In the Permission Entry for dialog box, click Select a principal.
7. In the Select User, Computer, Service Account, or Group dialog box, type Key Admins in the Enter the
object name to select text box. Click OK.
8. From the Applies to list, select Descendant User objects.
9. Scroll to the bottom of the page and click Clear all.
10. In the Properties section, select Read msDS-KeyCredentialLink.
11. Click OK three times to complete the task.
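The same permission entry (Key Admins, Allow, Read msDS-KeyCredentialLink, applied to descendant User objects at the domain root) can be granted and then verified with PowerShell. This is an added example, not code from the Configuration Manager documentation; it assumes the RSAT ActiveDirectory module on a domain-joined management workstation, Domain Admin or equivalent credentials, and that the Key Admins group already exists as the procedure above requires.

```powershell
# Added example: grant and verify the msDS-KeyCredentialLink read ACE described
# in "To configure permissions". Schema GUIDs are looked up rather than hard-coded.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # schemaIDGUID is stored as a byte[]; cast it to a Guid.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) {
        throw "Schema object '$LdapDisplayName' not found; apply the Windows Server 2016 schema to Active Directory first."
    }
    return [guid]$obj.schemaIDGUID
}

function New-KeyCredentialLinkReadAce {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$GroupSid)
    $attrGuid = Get-SchemaGuid -LdapDisplayName 'msDS-KeyCredentialLink'  # the property being read
    $userGuid = Get-SchemaGuid -LdapDisplayName 'user'                    # "Descendant User objects"
    return [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $GroupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)
}

function Grant-KeyCredentialLinkRead {
    param([string]$GroupName = 'Key Admins')
    $domainDN = (Get-ADDomain).DistinguishedName
    $groupSid = (Get-ADGroup -Identity $GroupName).SID
    $ace = New-KeyCredentialLinkReadAce -GroupSid $groupSid

    # Same place the GUI edits: the domain object's security descriptor.
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
}

function Test-KeyCredentialLinkRead {
    param([string]$GroupName = 'Key Admins')
    $domain   = Get-ADDomain
    $groupNT  = "$($domain.NetBIOSName)\$GroupName"
    $attrGuid = Get-SchemaGuid -LdapDisplayName 'msDS-KeyCredentialLink'
    $userGuid = Get-SchemaGuid -LdapDisplayName 'user'

    # Match the exact ACE shape the procedure creates; a broader ACE is not reported as equivalent.
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $groupNT -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -and
        $_.ObjectType -eq $attrGuid -and
        $_.InheritanceType -eq 'Descendents' -and
        $_.InheritedObjectType -eq $userGuid
    }
    return [bool]$match
}

Grant-KeyCredentialLinkRead
if (Test-KeyCredentialLinkRead) {
    'Key Admins can read msDS-KeyCredentialLink on descendant user objects.'
} else {
    'ACE not found; check that the group exists and that you have rights on the domain object.'
}
```

Test-KeyCredentialLinkRead can be run on its own, for example after the hotfix mentioned in the Warning above has been installed, to confirm the permission is in place before deploying the certificate profile.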

Next steps
For more information, see Certificate profiles.
Add Terms and Conditions with System Center Configuration Manager
4/30/2018 • 4 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can deploy System Center Configuration Manager terms and conditions to user groups to explain how device
enrollment, access to work resources, and using the Company Portal affect devices and users. Users must accept
the terms and conditions before they can use the Company Portal to enroll and access their work.

Working with terms and conditions policies in System Center Configuration Manager
You can create and deploy multiple sets of terms and conditions. You can also produce versions of the same terms
and conditions in different languages and then deploy these to their appropriate groups.

To create terms and conditions
1. In the Configuration Manager console, go to Assets and Compliance > Overview > Compliance Settings
> Terms and Conditions.
2. Click Create Terms and Conditions to create new terms and conditions.
3. On the General page, specify the following information:
Name - A unique name displayed in the Configuration Manager console
Description - Details that help you identify the terms and conditions in the Configuration Manager
console
And then click Next.
4. On the Terms page, specify the following information:
Title - The title displayed to users in the Company Portal
Text for terms - The terms and conditions displayed to users in the Company Portal
Text to explain what it means if the user accepts - Label users see regarding acceptance.
Example: "I agree to the terms and conditions."
And then click Next.
5. Complete the wizard to create the new terms and conditions. The new terms and conditions are displayed in
the Terms and Conditions node of the Assets and Compliance workspace.

To deploy terms and conditions
1. In the Configuration Manager console, go to Assets and Compliance > Overview > Compliance
Settings > Terms and Conditions.
2. In the Terms and Conditions list, select the item you want to deploy, and then click Deploy.
3. Browse to the Collection you want to deploy the terms and conditions to, and then click OK.
When targeted devices access the Company Portal app, it displays the terms and conditions you deployed.
Users must accept these terms before they can gain access to company resources.

NOTE
If you deploy a set of terms to multiple user collections to which a user belongs, that user will see multiple copies of
identical terms when opening Company Portal. Since users can only accept or decline all terms, there is no danger of
being in an ambiguous acceptance state where the user has both accepted and rejected the terms. The Terms and
Conditions acceptance report will include only one row for each set of terms for each user, so there is no error in the
report.

To monitor terms and conditions
1. You can monitor terms and conditions deployments in the Configuration Manager console. In the
Configuration Manager console, go to Monitoring > Overview > Deployments.
2. Select the terms and conditions deployment from the list of deployments.
The summary area will show the following statistics:
Compliant - Users have accepted the latest version of the terms and conditions
Error
Noncompliant - Users have accepted a version of the terms and conditions, but not the latest
version
Unknown - Users have never accepted the terms and conditions, including those without an enrolled
device
3. Select a terms and conditions deployment and then select Run Summarization to see individual users'
Deployment Status.
On the Deployment Status screen you can select the status tabs to view users with that status. You can click
Run Summarization to update the data throughout the hierarchy. Click Refresh to update data in the
console.

To view a terms and conditions report
1. In the Configuration Manager console, go to Monitoring > Overview > Reporting > Report.
2. Select Terms and conditions acceptance and then click Run. The Terms and conditions acceptance report
opens. The report displays each user to whom terms and conditions have been deployed. Fields include:
Name of terms and conditions
User name
Accepted version
Date accepted
Accepted latest

Updates and version control for terms and conditions
When you edit existing terms and conditions, you can choose the behavior when you deploy the terms and
conditions. Use the following procedure to help you update existing terms and conditions.
How to work with multiple versions of terms and conditions
1. In the Configuration Manager console, go to Assets and Compliance > Overview > Compliance Settings
> Terms and Conditions.
2. Select the terms and conditions instance that you want to edit, and double-click to open it.
3. You can modify content on the General or the Terms page to make any required edits.
4. On the Terms page you can then specify whether this new version requires all users to accept the terms and
conditions, or if only new users will see the new version.
We recommend you increase the version number and require acceptance any time you make significant
changes to your terms and conditions. Keep the current version number if you are fixing typos or changing
formatting, for example.
Monitor Email, Wi-Fi and VPN profiles in System Center Configuration Manager
4/30/2018 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


After you have deployed System Center Configuration Manager Email, Wi-Fi or VPN profiles to users in your
hierarchy, you can use the following procedures to monitor the compliance status of the profile:
How to View Compliance Results in the Configuration Manager Console
How to View Compliance Results by Using Reports

How to View Compliance Results in the Configuration Manager Console
Use this procedure to view details about the compliance of deployed profiles in the System Center Configuration
Manager console.
To view compliance results in the Configuration Manager console
1. In the System Center Configuration Manager console, click Monitoring.
2. In the Monitoring workspace, click Deployments.
3. In the Deployments list, select the profile deployment for which you want to review compliance
information.
4. You can review summary information about the compliance of the profile deployment on the main page. To
view more detailed information, select the profile deployment, and then, on the Home tab, in the
Deployment group, click View Status to open the Deployment Status page.
The Deployment Status page contains the following tabs:
Compliant: Displays the compliance of the profile that is based on the number of affected assets.
You can double-click a rule to create a temporary node under the Users node in the Assets and
Compliance workspace, which contains all users that are compliant with this profile. The Asset
Details pane displays the users that are compliant with the profile. Double-click a user in the list to
display additional information.

IMPORTANT
A profile is not evaluated if it is not applicable on a client device; however, it is returned as compliant.

Error: Displays a list of all errors for the selected profile deployment that is based on the number of
affected assets. You can double-click a rule to create a temporary node under the Users node of the
Assets and Compliance workspace, which contains all users that generated errors with this profile.
When you select a user, the Asset Details pane displays the users that are affected by the selected
issue. Double-click a user in the list to display additional information about the issue.
Non-Compliant: Displays a list of all noncompliant rules within the profile that is based on the
number of affected assets. You can double-click a rule to create a temporary node under the Users
node of the Assets and Compliance workspace, which contains all users that are not compliant with
this profile. When you select a user, the Asset Details pane displays the users that are affected by the
selected issue. Double-click a user in the list to display further information about the issue.
Unknown: Displays a list of all users that did not report compliance for the selected profile
deployment together with the current client status of the devices.
5. On the Deployment Status page, you can review detailed information about the compliance of the
deployed profile. A temporary node is created under the Deployments node that helps you find this
information again quickly.

How to View Compliance Results by Using Reports
Compliance settings, which include profiles in System Center Configuration Manager, also include a number of
built-in reports that let you monitor information about profiles. These reports have the report category of
Compliance and Settings Management.

IMPORTANT
You must use a wildcard (%) character when you use the parameters Device filter and User filter in the compliance settings
reports.

For more information about how to configure reporting in System Center Configuration Manager, see Reporting
in System Center Configuration Manager.
How to monitor certificate profiles in System Center Configuration Manager
4/30/2018 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)

View Compliance Results in the Configuration Manager Console
To monitor SCEP certificate compliance, do not use the console; use reports instead.
1. In the Configuration Manager console, choose Monitoring> Deployments.
2. Select the certificate profile deployment of interest.
3. Review summary certificate compliance information on the main page. For more detailed information,
select the certificate profile, and then on the Home tab, in the Deployment group, choose View Status to
open the Deployment Status page.
The Deployment Status page contains the following tabs:
Compliant: Displays the compliance of the certificate profile based on the number of assets that are
affected. You can double-click a rule to create a temporary node under the Users node in the Assets
and Compliance workspace. This node contains all users that are compliant with the certificate
profile. The Asset Details pane also displays the users that are compliant with this profile.
Double-click a user in the list for more information.

IMPORTANT
A certificate profile is not evaluated if it is not applicable on a client device. However, it is returned as
compliant.

Error: Displays a list of all errors for the selected certificate profile deployment based on the number
of assets that are affected. You can double-click a rule to create a temporary node under the Users
node of the Assets and Compliance workspace. This node contains all users that generated errors
with this profile. When you select a user, the Asset Details pane displays the users that are affected
by the selected issue. Double-click a user in the list for more information.
Non-Compliant: Displays a list of all noncompliant rules within the certificate profile based on the
number of assets that are affected. You can double-click a rule to create a temporary node under the
Users node of the Assets and Compliance workspace. This node contains all users that are not
compliant with this profile. When you select a user, the Asset Details pane displays the users that are
affected by the selected issue. Double-click a user in the list to display further information about the
issue.
Unknown: Displays a list of all users that did not report compliance for the selected certificate
profile deployment together with the current client status of the devices.
4. On the Deployment Status page, review detailed information about the compliance of the deployed
certificate profile. A temporary node is created under the Deployments node that helps you find this
information again quickly.
The enrollment status of the certificate is displayed as a number. Use the following table to understand what
each number means:

ENROLLMENT STATUS   DESCRIPTION
0x00000001          The enrollment succeeded, and the certificate has been issued.
0x00000002          The request has been submitted and the enrollment is pending, or the request has been issued out of band.
0x00000004          Enrollment must be deferred.
0x00000010          An error occurred.
0x00000020          The enrollment status is unknown.
0x00000040          The status information has been skipped. This can occur if a certification authority is not valid or has not been selected for monitoring.
0x00000100          Enrollment has been denied.

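A small triage helper for those enrollment status numbers, added here as an example and not Configuration Manager's own code. It assumes the values are bit flags that may appear combined (the page lists only single values) and runs over constructed sample report rows.

```python
# Triage helper for the certificate enrollment status numbers shown on the
# Deployment Status page. Added example, not Configuration Manager code.
# ASSUMPTION: the values are bit flags (distinct powers of two), so a combined
# value such as 0x12 decodes to more than one description. The page lists only
# single values; combined values are handled here on that assumption.

ENROLLMENT_STATUS = {
    0x00000001: "issued",
    0x00000002: "pending or issued out of band",
    0x00000004: "deferred",
    0x00000010: "error",
    0x00000020: "unknown",
    0x00000040: "skipped (CA not valid or not selected for monitoring)",
    0x00000100: "denied",
}

# Follow-up buckets: failed enrollments, gaps where nothing useful was
# reported (often a monitoring configuration problem), and work in progress.
NEEDS_ATTENTION = 0x00000010 | 0x00000100
MONITORING_GAP = 0x00000020 | 0x00000040
IN_PROGRESS = 0x00000002 | 0x00000004

def decode_status(status):
    """Return the description for every known flag set; unknown bits are named."""
    descriptions = []
    remaining = status
    for flag, text in ENROLLMENT_STATUS.items():
        if status & flag:
            descriptions.append(text)
            remaining &= ~flag
    if remaining:
        descriptions.append("unrecognised bits 0x%08x" % remaining)
    return descriptions

def triage(rows):
    """Group (asset, status) rows by the action a defender should take."""
    buckets = {"failed": [], "monitoring_gap": [], "in_progress": [],
               "issued": [], "unexpected": []}
    for asset, status in rows:
        entry = (asset, decode_status(status))
        if status & NEEDS_ATTENTION:
            buckets["failed"].append(entry)
        elif status & MONITORING_GAP:
            buckets["monitoring_gap"].append(entry)
        elif status & IN_PROGRESS:
            buckets["in_progress"].append(entry)
        elif status & 0x00000001:
            buckets["issued"].append(entry)
        else:
            buckets["unexpected"].append(entry)  # e.g. only unknown bits set
    return buckets

# Constructed sample rows, as a report export might list them (asset, status).
SAMPLE_ROWS = [("PC01", 0x1), ("PC02", 0x2), ("PC03", 0x10), ("PC04", 0x40),
               ("PC05", 0x100), ("PC06", 0x12), ("PC07", 0x8000)]
```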

View Compliance Results by Using Reports

Compliance settings in System Center Configuration Manager include built-in reports that you can use to monitor
information about certificate profiles. These reports have the report category of Compliance and Settings
Management.

IMPORTANT
You must use a wildcard (%) character when you use the parameters Device filter and User filter in the reports for
compliance settings.

To monitor SCEP certificate compliance, use these certificate reports under the report node Company Resource
Access:
Certificate issuance history
List of assets with certificates nearing expiry
List of assets by certificate issuance status
For more information about how to configure reporting in System Center Configuration Manager, see Reporting
in System Center Configuration Manager.

How to monitor Endpoint Protection status
4/30/2018 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can monitor Endpoint Protection in your Microsoft System Center Configuration Manager hierarchy by using
the Endpoint Protection Status node under Security in the Monitoring workspace, the Endpoint Protection
node in the Assets and Compliance workspace, and by using reports.

How to Monitor Endpoint Protection by Using the Endpoint Protection Status Node

1. In the Configuration Manager console, click Monitoring.
2. In the Monitoring workspace, expand Security and then click Endpoint Protection Status.
3. In the Collection list, select the collection for which you want to view status information.

IMPORTANT
Collections are available for selection in the following cases:
When you select View this collection in the Endpoint Protection dashboard on the Alerts tab of the
<collection name> Properties dialog box.
When you deploy an Endpoint Protection antimalware policy to the collection.
When you enable and deploy Endpoint Protection client settings to the collection.

4. Review the information that is displayed in the Security State and Operational State sections. You can
click any status link to create a temporary collection in the Devices node in the Assets and Compliance
workspace. The temporary collection contains the computers with the selected status.

IMPORTANT
Information that is displayed in the Endpoint Protection Status node is based on the last data that was
summarized from the Configuration Manager database and might not be current. If you want to retrieve the latest
data, on the Home tab, click Run Summarization, or click Schedule Summarization to adjust the summarization
interval.

How to Monitor Endpoint Protection in the Assets and Compliance Workspace

1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, perform one of the following actions:
Click Devices. In the Devices list, select a computer, and then click the Malware Detail tab.
Click Device Collections. In the Device Collections list, select the collection that contains the
computer you want to monitor and then, on the Home tab, in the Collection group, click Show
Members.
3. In the <collection name> list, select a computer, and then click the Malware Detail tab.

How to Monitor Endpoint Protection by Using Reports


Use the following reports to help you view information about Endpoint Protection in your hierarchy. You can also
use these reports to help troubleshoot any Endpoint Protection problems. For more information about how to
configure reporting in Configuration Manager, see Reporting in System Center Configuration Manager and Log
files in System Center Configuration Manager. The Endpoint Protection reports are in the Endpoint Protection
folder.

REPORT NAME                   DESCRIPTION
Antimalware Activity Report   Displays an overview of antimalware activity for a specified collection.
Infected Computers            Displays a list of computers on which a specified threat is detected.
Top Users By Threats          Displays a list of users with the highest number of detected threats.
User Threat List              Displays a list of threats that were found for a specified user account.

Malware Alert Levels

Use the following table to identify the different Endpoint Protection alert levels that might be displayed in reports,
or in the Configuration Manager console.

ALERT LEVEL   DESCRIPTION
Failed        Endpoint Protection failed to remediate the malware. Check your logs for details of the error.
              Note: For a list of Configuration Manager and Endpoint Protection log files, see the "Endpoint Protection" section in the Log files in System Center Configuration Manager topic.
Removed       Endpoint Protection successfully removed the malware.
Quarantined   Endpoint Protection moved the malware to a secure location and prevented it from running until you remove it or allow it to run.
Cleaned       The malware was cleaned from the infected file.
Allowed       An administrative user selected to allow the software that contains the malware to run.
No Action     Endpoint Protection took no action on the malware. This might occur if the computer is restarted after malware is detected and the malware is no longer detected; for instance, if a mapped network drive on which malware is detected is not reconnected when the computer restarts.
Blocked       Endpoint Protection blocked the malware from running. This might occur if a process on the computer is found to contain malware.
