IMPORTANT
Configuration Manager does not support DPM backup for a SQL Server cluster that uses a named instance, but does
support DPM backup on a SQL Server cluster that uses the default instance of SQL Server.
After you restore the site database, follow the steps in Setup to recover the site. Select the Use a site database
that has been manually recovered recovery option to use the site database that you recovered with Data
Protection Manager.
IMPORTANT
To help prevent tampering of the backup files, store the files in a secure location. The most secure backup path is to a
local drive, so you can set NTFS file system permissions on the folder. Configuration Manager does not encrypt the
backup data that is stored in the backup path.
Local drive on site server for site data and database: Specifies that the backup files for the site
and site database are stored in the specified path on the local disk drive of the site server. You must
create the local folder before the backup task runs. The Local System account on the site server must
have Write NTFS file system permissions to the local folder for the site server backup. The Local
System account on the computer that is running SQL Server must have Write NTFS permissions to
the folder for the site database backup.
Network path (UNC name) for site data and database: Specifies that the backup files for the site
and site database are stored in the specified UNC path. You must create the share before the backup
task runs. The computer account of the site server and the computer account of the SQL Server, if
SQL Server is installed on another computer, must have Write NTFS and share permissions to the
shared network folder.
Local drives on site server and SQL Server: Specifies that the backup files for the site are stored in
the specified path on the local drive of the site server, and the backup files for the site database are
stored in the specified path on the local drive of the site database server. You must create the local
folders before the backup task runs. The computer account of the site server must have Write NTFS
permissions to the folder that you create on the site server. The computer account of the SQL Server
must have Write NTFS permissions to the folder that you create on the site database server. This
option is available only when the site database is not installed on the site server.
NOTE
The option to browse to the backup destination is only available when you specify the UNC path of the backup
destination.
The folder name or share name that is used for the backup destination does not support the use of Unicode
characters.
6. Configure a schedule for the site backup task. As a best practice, consider a backup schedule that is outside
active working hours. If you have a hierarchy, consider a schedule that runs at least two times a week to
ensure maximum data retention in the event of site failure.
When you run the Configuration Manager console on the same site server that you are configuring for
backup, the Backup Site Server maintenance task uses local time for the schedule. When the Configuration
Manager console is run from a computer remote from the site that you are configuring for backup, the
Backup Site Server maintenance task uses UTC for the schedule.
7. Choose whether to create an alert if the site backup task fails, click OK, and then click OK. When selected,
Configuration Manager creates a critical alert for the backup failure that you can review in the Alerts node
in the Monitoring workspace.
Next, verify that the Backup Site Server maintenance task is running, to ensure that backups are being
created.
To verify that the Backup Site Server maintenance task is running
Verify that the Site Backup maintenance task is running by reviewing any of the following:
Check the timestamp on the files in the backup destination folder that the task created. Verify that the
timestamp has been updated with a time that matches the time when the task was last scheduled to run.
In the Component Status node in the Monitoring workspace, review the status messages for
SMS_SITE_BACKUP. When site backup is completed successfully, you see message ID 5035, which indicates
that the site backup was completed without any errors.
When the Backup Site Server maintenance task is configured to create an alert if backup fails, you can check
the Alerts node in the Monitoring workspace for backup failures.
In <ConfigMgrInstallationFolder>\Logs, review Smsbkup.log for warnings and errors. When site backup is
completed successfully, you see Backup completed with a timestamp and message ID STATMSG: ID=5035.
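The checks listed above can be scripted. The following function is an added example, not part of the Configuration Manager documentation: it confirms that the backup destination holds fresh files and that Smsbkup.log contains a recent STATMSG: ID=5035 entry. It assumes the backup destination and installation folder passed as parameters, a 24-hour freshness window, and the CMTrace log line layout (date="MM-dd-yyyy", time="HH:mm:ss.fff+zzz", type="3" marking errors).

```powershell
# Added example (not from the Configuration Manager documentation).
# Verifies that the Backup Site Server task ran recently and without errors.
function Test-CMSiteBackup {
    param(
        [Parameter(Mandatory)] [string] $BackupPath,   # backup destination, e.g. E:\ConfigMgr_Backup (assumed)
        [Parameter(Mandatory)] [string] $InstallDir,   # <ConfigMgrInstallationFolder>
        [int] $MaxAgeHours = 24                         # how old the last backup may be (assumed window)
    )
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    $result = [ordered]@{
        NewestFile  = $null
        FilesFresh  = $false
        LastSuccess = $null      # time of the last STATMSG: ID=5035 entry in Smsbkup.log
        LogSuccess  = $false     # success entry found and inside the window
        ErrorLines  = 0          # CMTrace error-type entries (type="3") in Smsbkup.log
    }

    # 1. Files in the backup destination: the newest timestamp must be inside the window.
    $newest = Get-ChildItem -LiteralPath $BackupPath -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($newest) {
        $result.NewestFile = $newest.FullName
        $result.FilesFresh = $newest.LastWriteTime -gt $cutoff
    }

    # 2. Smsbkup.log: look for message ID 5035 and for error-type entries.
    $logFile = Join-Path $InstallDir 'Logs\Smsbkup.log'
    if (Test-Path -LiteralPath $logFile) {
        $result.ErrorLines = @(Select-String -LiteralPath $logFile -Pattern 'type="3"').Count
        $hit = Select-String -LiteralPath $logFile -Pattern 'STATMSG: ID=5035' | Select-Object -Last 1
        if ($hit) {
            $result.LogSuccess = $true
            # CMTrace lines carry time="HH:mm:ss.fff+zzz" followed by date="MM-dd-yyyy"
            if ($hit.Line -match 'time="(\d{2}:\d{2}:\d{2})[^"]*"\s+date="(\d{2}-\d{2}-\d{4})"') {
                $stamp = '{0} {1}' -f $Matches[2], $Matches[1]
                $result.LastSuccess = [datetime]::ParseExact($stamp, 'MM-dd-yyyy HH:mm:ss',
                                                             [cultureinfo]::InvariantCulture)
                $result.LogSuccess  = $result.LastSuccess -gt $cutoff
            }
        }
    }

    $result.Healthy = $result.FilesFresh -and $result.LogSuccess -and ($result.ErrorLines -eq 0)
    [pscustomobject]$result
}

# Usage on the site server (both paths are assumptions):
Test-CMSiteBackup -BackupPath 'E:\ConfigMgr_Backup' `
                  -InstallDir 'C:\Program Files\Microsoft Configuration Manager'
```

Run it under an account that can read both the backup share and the Logs folder; a Healthy value of False together with a non-zero ErrorLines count is the cue to open Smsbkup.log, as the checklist describes.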
TIP
When the backup maintenance task fails, you can restart the backup task by stopping and restarting the
SMS_SITE_BACKUP service.
TIP
To create the AfterBackup.bat file to archive your site server backup files, you must use a copy command tool, like Robocopy,
in the batch file. For example, you could create the AfterBackup.bat file, and on the first line, you could add something like:
Robocopy E:\ConfigMgr_Backup \\ServerName\ShareName\ConfigMgr_Backup /MIR
Although the intended use of the AfterBackup.bat is to archive backup snapshots, you can create an
AfterBackup.bat file to perform additional tasks at the end of every backup operation.
IMPORTANT
When Configuration Manager updates to a newer version, the predefined reports might be overwritten by new reports. If
you modify a predefined report, back up the report, and then restore it in Reporting Services.
For more information about backing up your custom reports in Reporting Services, see Backup and Restore
Operations for a Reporting Services Installation in the SQL Server 2014 Books Online.
Back up content files
The content library in Configuration Manager is the location where all content files are stored for software updates,
applications, operating system deployment, and so on. The content library is located on the site server and on each
distribution point. The Backup Site Server maintenance task does not include a backup for the content library or
the package source files. When a site server fails, the information about the content library files is restored to the
site database, but you must restore the content library and package source files on the site server.
Content library: The content library must be restored before you can redistribute content to distribution
points. When you start content redistribution, Configuration Manager copies the files from the content
library on the site server to the distribution points. The content library for the site server is in the
SCCMContentLib folder, which is typically located on the drive with the most free disk space at the time
when the site was installed.
Package source files: The package source files must be restored before you can update content on
distribution points. When you start a content update, Configuration Manager copies new or modified files
from the package source to the content library, which in turn copies the files to associated distribution
points. You can run the following query in SQL Server to find the package source location for all packages
and applications: SELECT * FROM v_Package. You can identify the package source site by looking at the first
three characters of the package ID. For example, if the package ID is CEN00001, the site code for the source
site is CEN. When you restore the package source files, they must be restored to the same location where
they were before the failure.
Verify that you include both the content library and package source locations in your file system backup for
the site server.
Back up custom software updates
System Center Updates Publisher 2011 is a stand-alone tool that lets you publish custom software updates to
Windows Server Update Services (WSUS), synchronize the software updates to Configuration Manager, assess
software updates compliance, and deploy the custom software updates to clients. Updates Publisher uses a local
database for its software update repository. When you use Updates Publisher to manage custom software updates,
determine whether you should include the Updates Publisher database in your backup plan. For more information
about Updates Publisher, see System Center Updates Publisher 2011 in the System Center TechCenter Library.
Use the following procedure to back up the Updates Publisher database.
To back up the Updates Publisher 2011 database
1. On the computer that runs Updates Publisher, browse to the Updates Publisher database file (Scupdb.sdf) in
%USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\.
There is a different database file for each user that runs Updates Publisher.
2. Copy the database file to your backup destination. For example, if your backup destination is
E:\ConfigMgr_Backup, you could copy the Updates Publisher database file to
E:\ConfigMgr_Backup\SCUP2011.
TIP
When there is more than one database file on a computer, consider storing the file in a subfolder that indicates the
user profile associated with the database file. For example, you could have one database file in
E:\ConfigMgr_Backup\SCUP2011\User1 and another database file in E:\ConfigMgr_Backup\SCUP2011\User2.
Next steps
After you create a backup, practice site recovery with that backup. This can help you become familiar with the
recovery process before you need to rely on it and can help confirm the backup was successful for its intended
purpose.
Recover a Configuration Manager site
4/30/2018 • 18 min to read
You must use the same version and edition of SQL Server: For example, restoring a database that ran on SQL
Server 2014 to SQL Server 2016 is not supported. Similarly, restoring a site database that ran on a Standard
edition of SQL Server 2016 to an Enterprise edition of SQL Server 2016 is not supported.
SQL Server must not be set to single-user mode.
Ensure the .MDF and .LDF files are valid. When you recover a site, there is no check for the state of the files you
are restoring.
If you use a SQL Server Always On availability group to host the site database: Modify your recovery plans
as described in Prepare to use SQL Server Always On.
When you use database replicas: After you restore a site database that was configured for database replicas,
before you can use the database replicas you must reconfigure each database replica, recreating both the
publications and subscriptions.
NOTE
When Setup detects an existing Configuration Manager site on the server, you can start a site recovery, but the recovery
options for the site server are limited. For example, if you run Setup on an existing site server, when you choose recovery, you
can recover the site database server, but the option to recover the site server is disabled.
NOTE
The recovery fails if you select to restore the site database by using a backup set, but the site database already exists.
Create a new database for this site: Use this option when you do not have a backup of the Configuration
Manager site database. When you have a hierarchy, a new site database is created, and the data is recovered
by using replicated data from the central administration site for a primary site, or a reference primary site
for a central administration site. This option is not available when you are recovering a stand-alone primary
site or a central administration site that does not have primary sites.
Use a site database that has been manually recovered: Use this option when you have already
recovered the Configuration Manager site database but must complete the recovery process.
Configuration Manager can recover the site database from the Configuration Manager backup
maintenance task or from a site database backup that you perform by using DPM or another process.
After you restore the site database by using a method outside Configuration Manager, you must run
Setup and select this option to complete the site database recovery.
NOTE
When you use DPM to back up your site database, use the DPM procedures to restore the site database to a
specified location before you continue the restore process in Configuration Manager. For more information about
DPM, see the Data Protection Manager Documentation Library on TechNet.
When you have a hierarchy, the changes that were made to the site database after the last site database
backup are retrieved from the central administration site for a primary site, or from a reference primary
site for a central administration site. When you recover the site database for a stand-alone primary site,
you lose site changes after the last backup.
Skip database recovery: Use this option when no data loss has occurred on the Configuration Manager
site database server. This option is only valid when the site database is on a different computer than the site
server that you are recovering.
SQL Server change tracking retention period
Change tracking is enabled for the site database in SQL Server. Change tracking lets Configuration Manager query
for information about the changes that have been made to database tables after a previous point in time. The
retention period specifies how long change tracking information is retained. By default, the site database is
configured to have a retention period of 5 days. When you recover a site database, the recovery process proceeds
differently if your backup is inside or outside the retention period. For example, if your site database server fails,
and your last backup is 7 days old, it is outside the retention period.
For more information about SQL Server change tracking internals, see the following blogs from the SQL Server
team: Change Tracking Cleanup - part 1 and Change Tracking Cleanup - part 2.
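Whether a restore will replicate the missing changes or reinitialize data depends on the backup's age relative to this retention period, and that can be checked before you start the recovery. The function below is an added example, not from the documentation: it reads the retention period from sys.change_tracking_databases and compares it with the age of the backup you intend to restore. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and read access to the site database; the server, database and backup time in the usage line are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation).
# Compares the site database's change tracking retention with the age of a backup.
function Get-CMChangeTrackingRetentionCheck {
    param(
        [Parameter(Mandatory)] [string]   $ServerInstance,   # e.g. SQL01 or SQL01\INST01 (placeholder)
        [Parameter(Mandatory)] [string]   $Database,         # the site database (placeholder)
        [Parameter(Mandatory)] [datetime] $BackupTime        # timestamp of the backup you plan to restore
    )
    # retention_period_units_desc is one of MINUTES, HOURS or DAYS
    $query = @"
SELECT retention_period, retention_period_units_desc
FROM   sys.change_tracking_databases
WHERE  database_id = DB_ID();
"@
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query
    if (-not $row) { throw "Change tracking is not enabled on database '$Database'." }

    $retention = switch ($row.retention_period_units_desc) {
        'MINUTES' { New-TimeSpan -Minutes $row.retention_period }
        'HOURS'   { New-TimeSpan -Hours   $row.retention_period }
        'DAYS'    { New-TimeSpan -Days    $row.retention_period }
        default   { throw "Unexpected retention unit '$($row.retention_period_units_desc)'." }
    }
    $age    = (Get-Date) - $BackupTime
    $inside = $age -lt $retention

    # For a site in a hierarchy. A stand-alone primary site loses the changes after
    # the backup in either case, as the topic states.
    if ($inside) {
        $path = 'Changes after the backup are replicated from the other sites'
    } else {
        $path = 'Site or global data is reinitialized from the other sites'
    }

    [pscustomobject]@{
        RetentionPeriod = $retention
        BackupAge       = $age
        WithinRetention = $inside
        ExpectedPath    = $path
    }
}

# Usage (placeholders): a backup that is 7 days old against the default 5-day retention
Get-CMChangeTrackingRetentionCheck -ServerInstance 'SQL01' -Database 'CM_ABC' `
                                   -BackupTime (Get-Date).AddDays(-7)
```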
Reinitialization of site or global data
The process to reinitialize site or global data replaces existing data in the site database with data from another site
database. For example, when site ABC reinitializes data from site XYZ, the following steps occur:
The data is copied from site XYZ to site ABC.
The existing data for site XYZ is removed from the site database on site ABC.
The copied data from site XYZ is inserted into the site database for site ABC.
Example scenario 1
The primary site reinitializes the global data from the central administration site: The recovery process
removes the existing global data for the primary site in the primary site database and replaces the data with the
global data copied from the central administration site.
Example scenario 2
The central administration site reinitializes the site data from a primary site: The recovery process removes
the existing site data for that primary site in the central administration site database and replaces the data with the
site data copied from the primary site. The site data for other primary sites is not affected.
Site database recovery scenarios
After a site database is restored from a backup, Configuration Manager attempts to restore the changes in site
and global data that occurred after the last database backup. The following describes the actions that
Configuration Manager starts after a site database is restored from backup.
Recovered site is a central administration site:
Database backup within change tracking retention period
Global data: The changes in global data after the backup are replicated from all primary sites.
Site data: The changes in site data after the backup are replicated from all primary sites.
Database backup older than change tracking retention period
Global data: The central administration site reinitializes the global data from the reference primary site
if you specify it. Then all other primary sites reinitialize the global data from the central administration
site. If no reference site is specified, all primary sites reinitialize the global data from the central
administration site (the data that was restored from backup).
Site data: The central administration site reinitializes the site data from each primary site.
Recovered site is a primary site:
Database backup within change tracking retention period
Global data: The changes in global data after the backup are replicated from the central administration
site.
Site data: The central administration site reinitializes the site data from the primary site. Changes after
the backup are lost, but most data are regenerated by clients that send information to the primary site.
Database backup older than change tracking retention period
Global data: The primary site reinitializes the global data from the central administration site.
Site data: The central administration site reinitializes the site data from the primary site. Changes after
the backup are lost, but most data are regenerated by clients that send information to the primary site.
Post-recovery tasks
After you recover your site, there are several post-recovery tasks that you must consider before your site recovery
is completed. Use the following sections to help you complete your site recovery process.
Re-enter user account passwords
After a site server recovery, passwords for the user accounts specified for the site must be re-entered because they
are reset during the site recovery. The accounts are listed on the Finished page of the Setup Wizard after site
recovery is completed and saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
To re-enter user account passwords after site recovery
1. Open the Configuration Manager console and connect to the recovered site.
2. In the Configuration Manager console, click Administration.
3. In the Administration workspace, expand Security, and then click Accounts.
4. For each account in which you re-enter the password, do the following:
a. Select the account from the list of accounts that were identified after site recovery. You can find this
list in C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
b. On the Home tab, in the Properties group, click Properties to open the account properties.
c. On the General tab, click Set, and then re-enter the passwords for the account.
d. Click Verify, select the appropriate data source for the selected user account, and then click Test
connection to verify that the user account can connect to the data source.
e. Click OK to save the password changes, and then click OK.
Re-enter sideloading keys
After a site server recovery, you must re-enter Windows sideloading keys specified for the site because they are
reset during site recovery. After you re-enter the sideloading keys, the count in the Activations used column for
Windows sideloading keys is reset in the Configuration Manager console. For example, let's say before the site
failure you have a Total activations count set to 100 and Activations used is at 90 for the number of the keys
that have been used by devices. After the site recovery, the Total activations column still displays 100, but the
Activations used column incorrectly displays 0. However, after 10 new devices use a sideloading key, there will be
no remaining sideloading keys, and the next device will fail to apply a sideloading key.
Recreate the Microsoft Intune subscription
If you recover a Configuration Manager site server after the site server computer is re-imaged, the Microsoft
Intune subscription is not restored. You must reconnect your subscription after you recover the site. Do not create a
new APN request, but instead upload the current valid .pem file that was uploaded the last time iOS management
was configured or renewed. For more information, see Configuring the Microsoft Intune subscription.
Configure SSL for site system roles that use IIS
When you recover site systems that run IIS and that were configured for HTTPS before the failure, you must
reconfigure IIS to use the web server certificate.
Reinstall hotfixes in the recovered site server
After a site recovery, you must reinstall any hotfixes that were applied to the site server. View the list of the
previously installed hotfixes on the Finished page of the Setup Wizard after site recovery. This list is also saved to
C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
Recover custom reports on the computer running Reporting Services
When you have created custom Reporting Services reports, and Reporting Services fails, you can recover the
reports when you have backed up the report server. For more information about restoring your custom reports in
Reporting Services, see Backup and Restore Operations for a Reporting Services Installation in the SQL Server
2008 Books Online.
Recover content files
The site database contains information about where the content files are stored on the site server, but the content
files are not backed up or restored as part of the backup and recovery process. To fully recover content files, you
must restore the content library and package source files to the original location. There are several methods for
recovering your content files, but the easiest method is to restore the files from a file system backup of the site
server.
If you do not have a file system backup for the package source files, you must manually copy or download them as
you did originally when you first created the package. You can run the following query in SQL Server to find the
package source location for all packages and applications: SELECT * FROM v_Package. You can identify the package
source site by looking at the first three characters of the package ID. For example, if the package ID is CEN00001,
the site code for the source site is CEN. When you restore the package source files, they must be restored to the
same location in which they were before the failure.
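Both the backup section (Back up content files) and this recovery section rely on the v_Package query to locate package sources. The function below is an added example, not from the documentation, that builds on that query: it lists every package's source path, derives the source site from the first three characters of the package ID, and tests whether each path is reachable, so you can confirm before a failure that every source is covered by your file system backup and, after recovery, that every source is back at its original location. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd); the server and database names are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation).
# Reports each package source path from v_Package and whether it currently exists.
function Get-CMPackageSourceStatus {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,   # e.g. SQL01 (placeholder)
        [Parameter(Mandatory)] [string] $Database          # site database, e.g. CM_CEN (placeholder)
    )
    # First three characters of PackageID are the site code of the source site (e.g. CEN00001 -> CEN)
    $query = @"
SELECT PackageID, Name, PkgSourcePath, LEFT(PackageID, 3) AS SourceSiteCode
FROM   v_Package
WHERE  PkgSourcePath IS NOT NULL AND PkgSourcePath <> '';
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query |
        ForEach-Object {
            [pscustomobject]@{
                PackageID      = $_.PackageID
                SourceSiteCode = $_.SourceSiteCode
                Name           = $_.Name
                PkgSourcePath  = $_.PkgSourcePath
                # Test-Path handles local and UNC paths; run this with the same access the
                # site server has to the source shares, or the result is a false negative.
                SourceExists   = Test-Path -LiteralPath $_.PkgSourcePath
            }
        }
}

# Usage (placeholders): list the sources that are missing, grouped by source site
Get-CMPackageSourceStatus -ServerInstance 'SQL01' -Database 'CM_CEN' |
    Where-Object { -not $_.SourceExists } |
    Sort-Object SourceSiteCode, PackageID |
    Format-Table PackageID, SourceSiteCode, Name, PkgSourcePath -AutoSize
```

Before a failure, the full (unfiltered) output is the list of paths your file system backup must include; after recovery, any row with SourceExists False is a package whose update content action will fail until its source is restored.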
If you do not have a file system backup that contains the content library, you have the following restore options:
Import a prestaged content file: When you have a Configuration Manager hierarchy, you can create a
prestaged content file with all packages and applications from another location, and then import the
prestaged content file to recover the content library on the site server.
Update content: When you start the update content action for a package or application deployment type,
the content is copied from the package source to the content library. The package source files must be
available in the original location for this action to finish successfully. You must perform this action on each
package and application.
Recover custom software updates on the computer running Updates Publisher
When you have included Updates Publisher database files in your backup plan, you can recover the databases in
case of a failure on the computer on which Updates Publisher runs. For more information about Updates Publisher,
see System Center Updates Publisher 2011 in the System Center TechCenter Library.
Use the following procedure to restore the Updates Publisher database.
To restore the Updates Publisher 2011 database
1. Reinstall Updates Publisher on the recovered computer.
2. Copy the database file (Scupdb.sdf) from your backup destination to
%USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\ on
the computer that runs Updates Publisher.
3. When more than one user runs Updates Publisher on the computer, you must copy each database file to the
appropriate user profile location.
User State Migration data
As part of the state migration point site system properties, you specify the folders that store user state migration
data. After you recover a server with a folder that stores user state migration data, you must manually restore the
user state migration data on the server to the same folders that stored the data prior to the failure.
Regenerate the certificates for distribution points
After you restore a site, the distmgr.log might contain the following entry for one or more distribution points:
Failed to decrypt cert PFX data. This entry indicates that the distribution point certificate data cannot be
decrypted by the site. To resolve this, you must regenerate or re-import the certificate for affected distribution
points. This can be done by using the Set-CMDistributionPoint PowerShell cmdlet.
Update Certificates Used for Cloud-Based distribution points
Configuration Manager requires a management certificate that it uses for site server to cloud-based distribution
point communication. After a site recovery, you must update the certificates for cloud-based distribution points.
IMPORTANT
You must have Administrator rights to run setup. When you run setup with the unattended script, start the command
prompt in an Administrator context by using Run as administrator.
The script contains section names, key names, and values. Required section key names vary depending on the
recovery type that you are scripting. The order of the keys within sections, and the order of sections within the file,
is not important. The keys are not case-sensitive. When you provide values for keys, the name of the key must be
followed by an equals sign (=) and the value for the key.
Use the following sections to help you to create your script for unattended site recovery. The tables list the
available setup script keys, their corresponding values, whether they are required, which type of installation they
are used for, and a short description for the key.
NOTE
Starting in Configuration Manager version 1802 the CEIP feature is removed from the product.
Required: Yes
Values: 0 or 1
0 = do not join
1 = join
Details: Specifies whether to join the Customer Experience Improvement Program.
SQLConfigOptions
Key name: SQLServerName
Required: Yes
Values: <SQLServerName>
Details: The name of the server, or clustered instance name, running SQL Server that hosts the site
database. Specify the same server that hosted the site database before the failure.
Key name: DatabaseName
Required: Yes
Values: <SiteDatabaseName> or <InstanceName>\<SiteDatabaseName>
Details: The name of the SQL Server database to create or use to install the central administration
site database. Specify the same database name that was used before the failure.
IMPORTANT
If you do not use the default instance, you must specify the instance name and site database name.
NOTE
You can specify the original path or a new path to use for the Configuration Manager installation.
Distribution point:
Install multiple distribution points, and deploy content to multiple distribution points. You can configure
overlapping boundary groups for content location to ensure that clients on each subnet can access a deployment
from two or more distribution points. Finally, consider configuring one or more distribution points as fallback
locations for content.
For more information about fallback locations for content, see Manage content and content infrastructure for
System Center Configuration Manager.
Application Catalog web service point and Application Catalog website point:
You can install multiple instances of each site system role, and for best performance, deploy one of each on the
same site system computer.
Each Application Catalog site system role provides the same information as other instances of that site system role
regardless of the location of this site server role in the hierarchy. Therefore, when a client makes a request for the
Application Catalog and you have configured the Default Application Catalog website point device client setting for
Automatically detect, the client can be directed to an available instance. Preference is given to local Application
Catalog site system servers, based on the current network location of the client.
For more information about this client setting and how automatic detection works, see the Computer Agent section
in the About client settings in System Center Configuration Manager topic.
Options for sites and site system roles that are not highly available
Several site systems do not support multiple instances at a site or in the hierarchy. This information can help you
prepare for these site systems going off-line.
Site server (site):
Configuration Manager does not support the installation of the site server for each site on a Windows Server
cluster or NLB cluster.
The following information can help you prepare for when a site server fails or is not operational:
Use the built-in backup task to regularly create a backup of the site. In a test environment, regularly practice
restoring sites from a backup.
Deploy multiple Configuration Manager primary sites in a hierarchy with a central administration site to
create redundancy. If you experience a site failure, consider using Windows group policy or logon scripts to
reassign clients to a functional site.
If you have a hierarchy with a central administration site, you can recover the central administration site or a
child primary site by using the option to recover a site database from another site in your hierarchy.
Secondary sites cannot be restored, and must be reinstalled.
Asset Intelligence synchronization point (hierarchy):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server.
Endpoint Protection point (hierarchy):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server.
Enrollment point (site):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server.
Enrollment proxy point (site):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. However, you can install multiple instances of this site system role at a site, and at multiple sites in
the hierarchy. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server.
When you have more than one enrollment proxy server in a site, use a DNS alias for the server name. When
you use this configuration, DNS round robin provides some fault tolerance and load balancing for when
users enroll their mobile devices.
Fallback status point (site or hierarchy):
This site system role is not considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be off-line.
Uninstall the role from the current server, and install the role on a new server. Because clients are assigned
the fallback status point during client installation, you will need to modify existing clients to use the new site
system server.
See also
Supported configurations for System Center Configuration Manager
Settings to manage high-risk deployments for System
Center Configuration Manager
4/30/2018 • 1 min to read
NOTE
High-risk deployments are always limited to custom collections, collections that you create, and the built-in Unknown
Computers collection. When you create a high-risk deployment, you cannot select a built-in collection such as All Systems.
Dependency: An enterprise issuing certification authority (CA) that is running Active Directory Certificate Services (AD CS). To revoke certificates, the computer account of the site server at the top of the hierarchy requires Issue and Manage Certificates rights for each certificate template used by a certificate profile in Configuration Manager. Alternatively, grant Certificate Manager permissions to grant permissions on all certificate templates used by that CA.
More information: For more information about Active Directory Certificate Services, see your Windows Server documentation. For Windows Server 2012: Active Directory Certificate Services Overview. For Windows Server 2008: Active Directory Certificate Services in Windows Server 2008.

Dependency: Use the PowerShell script to verify, and if needed, install the prerequisites for the Network Device Enrollment Service (NDES) role service and the Configuration Manager Certificate Registration Point. The PowerShell script, Test-NDES-CRP-Prereqs.ps1, is in the same directory as the instructions.
More information: The instruction file, readme_crp.txt, is located in ConfigMgrInstallDir\cd.latest\SMSSETUP\POLICYMODULE\X64.

Dependency: The Network Device Enrollment Service (NDES) role service for Active Directory Certificate Services, running on Windows Server 2012 R2.
More information: System Center Configuration Manager communicates with the Network Device Enrollment Service in Windows Server 2012 R2 to generate and verify Simple Certificate Enrollment Protocol (SCEP) requests. In addition:
- If you will issue certificates to users or devices that connect from the Internet, such as mobile devices that are managed by Microsoft Intune, those devices must be able to access the server that runs the Network Device Enrollment Service from the Internet. For example, install the server in a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet).
- Port numbers other than TCP 443 (for HTTPS) or TCP 80 (for HTTP) are not supported for the communication between the client and the Network Device Enrollment Service.
- The server that is running the Network Device Enrollment Service must be on a different server from the issuing CA.
- If the issuing CA runs Windows Server 2008 R2, this server requires a hotfix for SCEP renewal requests. If the hotfix is not already installed on the issuing CA computer, install the hotfix. For more information, see article 2483564: Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES in the Microsoft Knowledge Base.

Dependency: A PKI client authentication certificate and exported root CA certificate.
More information: This certificate authenticates the server that is running the Network Device Enrollment Service to System Center Configuration Manager.

Dependency: Supported device operating systems.
More information: You can deploy certificate profiles to devices that run iOS, Windows 8.1, Windows RT 8.1, Windows 10, and Android operating systems.

Dependency: Certificate registration point site system role.
More information: Before you can use certificate profiles, you must install the certificate registration point site system role. This role communicates with the System Center Configuration Manager database, the System Center Configuration Manager site server, and the System Center Configuration Manager Policy Module.

Dependency: System Center Configuration Manager Policy Module that is installed on the server that is running the Network Device Enrollment Service role service for Active Directory Certificate Services.
More information: To deploy certificate profiles, you must install the System Center Configuration Manager Policy Module. You can find this policy module on the System Center Configuration Manager installation media.

Dependency: Discovery data.
More information: Values for the certificate subject and the subject alternative name are supplied by System Center Configuration Manager and retrieved from information that is collected from discovery:

Dependency: Specific security permissions to manage certificate profiles.
More information: You must have the following security permissions to manage company resource access settings, such as certificate profiles, Wi-Fi profiles, and VPN profiles:
Security best practice: Identify and follow any security best practices for the Network Device Enrollment Service, which includes configuring the Network Device Enrollment Service website in Internet Information Services (IIS) to require SSL and ignore client certificates.
More information: See Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on TechNet.

Security best practice: When you configure SCEP certificate profiles, choose the most secure options that devices and your infrastructure can support.
More information: Identify, implement, and follow any security best practices that have been recommended for your devices and infrastructure.

Security best practice: Manually specify user device affinity instead of allowing users to identify their primary device. In addition, do not enable usage-based configuration.
More information: If you click the Allow certificate enrollment only on the user's primary device option in a SCEP certificate profile, do not consider the information that is collected from users or from the device to be authoritative. If you deploy SCEP certificate profiles with this configuration and a trusted administrative user does not specify user device affinity, unauthorized users might receive elevated privileges and be granted certificates for authentication.

Security best practice: Do not add Read and Enroll permissions for users to the certificate templates, or configure the certificate registration point to skip the certificate template check.
More information: Although Configuration Manager supports the additional check if you add the security permissions of Read and Enroll for users, and you can configure the certificate registration point to skip this check if authentication is not possible, neither configuration is a security best practice. For more information, see Planning for certificate template permissions for certificate profiles in System Center Configuration Manager.
NOTE
Certificates that are issued to users or devices might allow access to confidential information.
By default, devices do not evaluate certificate profiles. In addition, you must configure the certificate profiles, and
then deploy them to users or devices.
Before you configure certificate profiles, consider your privacy requirements.
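The following script is an added example and is not the Test-NDES-CRP-Prereqs.ps1 script that ships with Configuration Manager, nor any other code from the documentation. It turns the NDES prerequisites and the security best practices above into a read-only audit run on the NDES server: the role must be installed without a co-located issuing CA, the NDES website must require SSL and ignore client certificates, only ports 80 and 443 may be bound, and the templates NDES issues from must not grant Enroll to broad groups. Assumptions not stated on the page: NDES is published at the default IIS location Default Web Site/certsrv/mscep, the template names are read from the standard MSCEP registry key, the list of "broad" principals is my own, and the ActiveDirectory module is available for the template ACL check. The Enroll check uses the well-known Certificate-Enrollment extended right GUID.

```powershell
# Added example: read-only audit of an NDES host against the prerequisites and best
# practices above. Not the Test-NDES-CRP-Prereqs.ps1 script from Configuration Manager.
# Assumptions: NDES lives at 'Default Web Site/certsrv/mscep', template names come
# from the standard MSCEP registry key, and the ActiveDirectory module is present.
# Run in an elevated PowerShell session on the NDES server.
#Requires -RunAsAdministrator
param(
    [string]$IisLocation = 'Default Web Site/certsrv/mscep',
    # Principals that should never hold Enroll on a template used by a SCEP profile (my list).
    [string[]]$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')
)
Import-Module ServerManager, WebAdministration -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[string]

# 1. NDES must be installed, and must not share a host with the issuing CA.
if (-not (Get-WindowsFeature -Name ADCS-Device-Enrollment).Installed) {
    $findings.Add('NDES role service (ADCS-Device-Enrollment) is not installed.')
}
if ((Get-WindowsFeature -Name ADCS-Cert-Authority).Installed) {
    $findings.Add('An issuing CA is installed on this host; NDES must run on a separate server.')
}

# 2. The NDES site must require SSL and ignore client certificates. In IIS terms the
#    sslFlags attribute contains Ssl and neither SslNegotiateCert nor SslRequireCert.
$sslFlags = [string](Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $IisLocation `
    -Filter 'system.webServer/security/access' -Name 'sslFlags')
if ($sslFlags -notmatch '\bSsl\b') {
    $findings.Add("$IisLocation does not require SSL (sslFlags='$sslFlags').")
}
if ($sslFlags -match 'SslNegotiateCert|SslRequireCert') {
    $findings.Add("$IisLocation negotiates or requires client certificates (sslFlags='$sslFlags'); set it to ignore them.")
}

# 3. Only TCP 443 (HTTPS) and TCP 80 (HTTP) are supported between clients and NDES.
$siteName = ($IisLocation -split '/')[0]
foreach ($b in Get-WebBinding -Name $siteName) {
    # bindingInformation looks like '*:443:host.contoso.com'; the port is the middle field.
    if ($b.bindingInformation -match ':(\d+):[^:]*$' -and [int]$Matches[1] -notin @(80, 443)) {
        $findings.Add("Binding $($b.protocol) $($b.bindingInformation) uses a port other than 80 or 443.")
    }
}

# 4. Which templates does NDES issue from? Read them from the registry, then check in AD
#    who can enroll on them. Enroll is the Certificate-Enrollment extended right
#    (0e10c968-78fb-11d2-90d4-00c04f79dc55); GenericAll or an unscoped ExtendedRight ACE includes it.
$mscep = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP' -ErrorAction SilentlyContinue
$templates = @($mscep.EncryptionTemplate, $mscep.SignatureTemplate, $mscep.GeneralPurposeTemplate) |
    Where-Object { $_ } | Sort-Object -Unique
if (-not $templates) { $findings.Add('No SCEP templates are configured under the MSCEP registry key.') }
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $cfgDn = (Get-ADRootDSE).configurationNamingContext
    foreach ($t in $templates) {
        $dn = "CN=$t,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgDn"
        $acl = Get-Acl -Path "AD:\$dn" -ErrorAction SilentlyContinue
        if (-not $acl) { $findings.Add("Template '$t' from the MSCEP registry key was not found in AD."); continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            $grantsEnroll = ($ace.ObjectType -eq $enrollRight) -or
                            ($rights -match 'GenericAll') -or
                            ($ace.ObjectType -eq [guid]::Empty -and $rights -match 'ExtendedRight')
            $who = $ace.IdentityReference.Value -replace '^.*\\', ''
            if ($grantsEnroll -and $who -in $BroadPrincipals) {
                $findings.Add("Template '$t' grants Enroll to '$($ace.IdentityReference)'; SCEP profiles should not rely on broad Enroll rights.")
            }
        }
    }
} else {
    $findings.Add('ActiveDirectory module not available; template ACLs were not audited.')
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The template check is the one that matters most for the last best practice in the table: with the Configuration Manager policy module, the certificate registration point decides who may enroll, so an Enroll grant to Domain Users or Authenticated Users on the SCEP template gives the template a second, uncontrolled issuance path. The script only reports; change IIS or template ACLs through their own tooling after reviewing the findings.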
Planning for Endpoint Protection in System Center
Configuration Manager
4/30/2018 • 4 min to read
IMPORTANT
You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy.
When you use Endpoint Protection with Configuration Manager, you have the following benefits:
Configure antimalware policies, Windows Firewall settings, and manage Windows Defender Advanced
Threat Protection to selected groups of computers
Use Configuration Manager software updates to download the latest antimalware definition files to keep
client computers up-to-date
Send email notifications, use in-console monitoring, and view reports to keep administrative users informed
when malware is detected on client computers
Windows 10 computers don't require any additional client for endpoint protection management. On Windows 8.1
and earlier computers, Endpoint Protection installs its own client in addition to the Configuration Manager client.
The Endpoint Protection client has the following capabilities:
Malware and spyware detection and remediation
Rootkit detection and remediation
Critical vulnerability assessment and automatic definition and engine updates
Network vulnerability detection through Network Inspection System
Integration with Cloud Protection Service to report malware to Microsoft. When you join this service,
Windows Defender or the Endpoint Protection client can download the latest definitions from the Malware
Protection Center when unidentified malware is detected on a computer.
NOTE
The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest virtual machines with supported
operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in, randomized delay so that
services do not run simultaneously.
In addition, Endpoint Protection in Configuration Manager lets you to manage Windows Firewall settings in the
Configuration Manager console.
Example scenario: Using System Center Endpoint Protection to protect computers from malware in System Center
Configuration Manager shows how you might configure and manage Endpoint Protection and the Windows
Firewall.
Managing Malware with Endpoint Protection
Endpoint Protection in Configuration Manager allows you to create antimalware policies that contain settings for
Endpoint Protection client configurations. You can then deploy these antimalware policies to client computers and
monitor them in the Endpoint Protection Status node in the Monitoring workspace, or by using Configuration
Manager reports.
Additional information:
Create and deploy antimalware policies for Endpoint Protection in System Center Configuration Manager -
Create, deploy, and monitor antimalware policies with a list of the settings that you can configure
Monitor Endpoint Protection in System Center Configuration Manager - Monitoring activity reports,
infected client computers, and more.
Manage antimalware policies and firewall settings for Endpoint Protection in System Center Configuration
Manager - You can change policy priority for antimalware or firewall, remediate malware found on client
computers, and other tasks
NOTE
Endpoint Protection supports managing the Windows Firewall only.
For more information about how to create and deploy Windows Firewall policies for Endpoint Protection, see How
to create and deploy Windows Firewall policies for Endpoint Protection in System Center Configuration Manager.
IMPORTANT
You must be a Microsoft Volume License customer to download the Endpoint Protection installation files for Linux and the
Mac.
These products cannot be managed from the Configuration Manager console. However, a System Center
Operations Manager management pack is supplied with the installation files, which allows you to manage the
client for Linux by using Operations Manager.
For more information about how to install and manage the Endpoint Protection clients for Linux and Mac
computers, use the documentation that accompanies these products, which is located in the Documentation
folder.
Best Practices for Endpoint Protection in Configuration Manager
Use the following best practices for Endpoint Protection in System Center 2012 Configuration Manager.
Configure custom client settings for Endpoint Protection
When you configure client settings for Endpoint Protection, do not use the default client settings because they
apply settings to all computers in your hierarchy. Instead, configure custom client settings and assign these settings
to collections of computers in your hierarchy.
When you configure custom client settings, you can do the following:
Customize antimalware and security settings for different parts of your organization.
Test the effects of running Endpoint Protection on a small group of computers before you deploy it to the entire
hierarchy.
Add more clients to the collection over time to phase your deployment of the Endpoint Protection client.
Distributing definition updates by using software updates
If you are using Configuration Manager software updates to distribute definition updates, consider placing
definition updates in a package that does not contain other software updates. This keeps the size of the definition
update package smaller which allows it to replicate to distribution points more quickly.
Email profile prerequisites
4/30/2018 • 1 min to read
Dependency: Specific security permissions must be granted to manage email profiles.
More information: You must have the following security permissions to manage company resource access settings, such as email profiles:

Dependency: Mail attribute in Active Directory.
More information: If you want to generate the user's email address in an email profile by using the user's primary SMTP address, System Center Configuration Manager user discovery must be configured to discover the mail attribute from Active Directory (this is configured by default).

External dependencies
Dependency: Mail attribute in Active Directory.
More information: If you want to generate the user's email address in an email profile by using the user's primary SMTP address, this address must exist in the mail attribute in Active Directory.
Security best practice: Whenever possible, choose the most secure options that your Wi-Fi and VPN infrastructure and client operating systems can support.
More information: Wi-Fi and VPN profiles provide a convenient method to centrally distribute and manage Wi-Fi and VPN settings that your devices already support. Configuration Manager does not add Wi-Fi or VPN functionality.

Security best practice: Whenever possible, choose the most secure options that your email infrastructure and client operating systems can support.
More information: Email profiles provide a convenient method to centrally distribute and manage email settings that your devices already support. Configuration Manager does not add email functionality.
VPN profiles in System Center Configuration
Manager
4/30/2018 • 1 min to read
NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.
See VPN profiles on mobile devices to review the devices you can configure when using Configuration Manager
with Microsoft Intune.
Next steps
Use the following topics to help you plan for, configure, operate, and maintain VPN profiles in Configuration
Manager.
Prerequisites for VPN profiles in System Center Configuration Manager
Security and privacy for VPN profiles in System Center Configuration Manager
How to Create VPN profiles in System Center
Configuration Manager
4/30/2018 • 4 min to read
NOTE
Devices that run iOS do not support using multiple VPN servers. If you configure multiple VPN servers and
then deploy the VPN profile to an iOS device, only the default server is used.
This table provides options for connection types. See your VPN server documentation for more information.

Option: Role
More information: The user role that has access to this connection.
Connection type: Pulse Secure

Option: Login group or domain
More information: The name of the login group or domain that you want to connect to.
Connection type: Dell SonicWALL Mobile Connect

Option: Send all network traffic through the VPN connection
More information: If this option is not selected, you can specify additional routes for the connection (for Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP and L2TP connection types), which is known as split tunneling.
Connection type: All

Option: Connection specific DNS suffix
More information: The connection-specific Domain Name System (DNS) suffix for the connection.
Connection type: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

Option: Bypass VPN when connected to company Wi-Fi network
More information: The VPN connection will not be used when the device is connected to the company Wi-Fi network.
Connection type: Cisco AnyConnect, Pulse Secure, F5 Edge Client, Microsoft Automatic, IKEv2, L2TP

Option: Bypass VPN when connected to home Wi-Fi network
More information: The VPN connection will not be used when the device is connected to a home Wi-Fi network.
Connection type: All

Option: Per App VPN (iOS 7 and later, Mac OS X 10.9 and later)
More information: Associate this VPN connection with an iOS app so that the connection will be opened when the app is run. You can associate the VPN profile with an app when you deploy it.
Connection type: Cisco AnyConnect, Pulse Secure, F5 Edge Client

Option: Custom XML (optional)
More information: Specify custom XML commands that configure the VPN connection. Examples:
For Pulse Secure:
<pulse-schema>
  <isSingleSignOnCredential>true</isSingleSignOnCredential>
</pulse-schema>
For Check Point Mobile VPN:
<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />
For Dell SonicWALL Mobile Connect:
<MobileConnect>
  <Compression>false</Compression>
  <debugLogging>True</debugLogging>
  <packetCapture>False</packetCapture>
</MobileConnect>
For F5 Edge Client:
<f5-vpn-conf>
  <single-sign-on-credential />
</f5-vpn-conf>
Connection type: Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN
NOTE
For information specific to creating VPN profiles for mobile devices, see Create VPN Profiles
Complete the wizard. The new VPN profile is displayed in the VPN Profiles node in the Assets and Compliance
workspace.
Next steps
For third-party VPN connections, distribute the VPN app before deploying the VPN profile. If you don't
deploy the app, users will be prompted to do so when they try to connect to the VPN. To learn how to
deploy apps, see Deploy applications with System Center Configuration Manager.
Deploy the VPN profile as described in How to deploy profiles in System Center Configuration Manager.
Find a package family name (PFN) for per-app VPN
4/30/2018 • 1 min to read
NOTE
You may have to run PowerShell as an admin in order to retrieve the PFN
For example, to get info on all the universal apps installed on the computer use Get-AppxPackage .
To get info on an app you know the name of, or part of the name of, use Get-AppxPackage *<app_name> . Note the use
of the wildcard character, particularly helpful if you're not sure of the full name of the app. For example to get the
info for OneNote, use Get-AppxPackage *OneNote .
Here is the information retrieved for OneNote:
Name : Microsoft.Office.OneNote
Architecture : X64
ResourceId :
Version : 17.6769.57631.0
PackageFullName : Microsoft.Office.OneNote_17.6769.57631.0_x64__8wekyb3d8bbwe
\Microsoft.Office.OneNote_17.6769.57631.0_x64__8wekyb3d8bbwe
IsFramework : False
PackageFamilyName : Microsoft.Office.OneNote_8wekyb3d8bbwe
PublisherId : 8wekyb3d8bbwe
In Edge, the information you want is displayed; in Internet Explorer, click Open to see the information. The PFN
value is given on the first line. Here's how the results look for our example:
{ "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
"packageIdentityName": "Microsoft.Office.OneNote",
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
Create Wi-Fi profiles
4/30/2018 • 6 min to read
IMPORTANT
To deploy profiles to Android, iOS, Windows Phone, and enrolled Windows 8.1 or later devices, these devices must be enrolled
in Microsoft Intune. For information about how to get your devices enrolled, see Enroll devices for management in Intune.
When you create a Wi-Fi profile, you can include a wide range of security settings. These include certificates for
server validation and client authentication that have been pushed using Configuration Manager certificate profiles.
For more information about certificate profiles, see Certificate profiles in System Center Configuration Manager.
IMPORTANT
Ensure that the Wi-Fi profile you import contains valid XML for a Wi-Fi profile. Configuration Manager does not
validate the profile when you import the file.
4. In Noncompliance severity for reports, specify the severity level that is reported if the Wi-Fi profile is
found to be noncompliant on client devices (for example, if the installation of the profile fails). The available
severity levels are as follows:
None: Computers that fail this compliance rule do not report a failure severity for Configuration
Manager reports.
Information: Computers that fail this compliance rule report a failure severity of Information for
Configuration Manager reports.
Warning: Computers that fail this compliance rule report a failure severity of Warning for
Configuration Manager reports.
Critical: Computers that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports.
Critical with event: Computers that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports. This severity level is also logged as a Windows event in the
application event log.
5. On the Wi-Fi Profile page provide the name that devices will display as the network name.
IMPORTANT
Configuration Manager does not support using the apostrophe (‘) or comma (,) characters in the network name.
IMPORTANT
If you're creating a Wi-Fi profile for On-premises Mobile Device Management, the current branch of Configuration
Manager only supports the following Wi-Fi security configurations:
Security types: WPA2 Enterprise or WPA2 Personal
Encryption types: AES or TKIP
EAP types: Smart Card or other certificate or PEAP
For Android devices, the security types WPA Personal, WPA2 Personal and WEP are not supported.
IMPORTANT
When you click Configure, the dialog box that opens is a Windows dialog box. Because of this, you must ensure that
the operating system of the computer that runs the Configuration Manager console supports configuring the
selected EAP type.
For iOS devices, if you chose a non-EAP method for authentication, regardless of the method you choose, MS-CHAP
v2 will be used for the connection.
12. If you want to store user credentials so users do not have to enter credentials at each logon, select
Remember the user credentials at each logon.
13. For iOS devices only:
Configure information for any certificates that are required for the Wi-Fi connection. You must configure the
client certificate and either the trusted server certificate name or the root certificate, as follows:
Trusted server certificate names: If the server that the device connects to uses a server
authentication certificate to identify the server and help secure the communication channel, enter the
name or names in that certificate’s subject name or subject alternative name. The name or names
are typically the fully qualified domain name of the server. For example, if the server certificate has a
common name of srv1.contoso.com in the certificate subject, enter srv1.contoso.com. If the server
certificate has multiple names that are specified in the subject alternative name, enter each name,
separated by a semicolon.
TIP
If the client certificate that you select for EAP or client authentication for an iOS device will be used to
authenticate to a Remote Authentication Dial-In User Service (RADIUS) server, such as a server that is running
Network Policy Server, you must set the Subject Alternative Name to the User Principal Name.
Select root certificates for server validation: If the server that the device connects to uses a server
authentication certificate that the device does not trust, select the certificate profile that contains the
root certificate for the server certificate, to create a certificate chain of trust on the device.
Select a client certificate for client authentication: If the server or network device requires a
client certificate to authenticate the connecting device, select the certificate profile that contains the
client authentication certificate.
NOTE
Before you can select the root certificate and client certificate, you must first configure and deploy them as a
certificate profile. For more information about certificate profiles, see Certificate profiles in System Center
Configuration Manager.
14. On the Advanced Settings page, specify advanced settings for the Wi-Fi profile such as the authentication
mode, single sign-on options, and Federal Information Processing Standards compliance. For more
information about these options, see your Windows documentation. Advanced settings might not be
available, or might vary, depending on the options that you selected on the Security Configuration page of
the wizard.
15. On the Proxy Settings page, select Configure proxy settings for this Wi-Fi profile if your wireless
network uses a proxy server, and then provide the configuration information.
16. On the Supported Platforms page, select the operating systems where you want to install the Wi-Fi profile.
Alternatively, click Select all to install the Wi-Fi profile to all available operating systems.
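Because Configuration Manager does not validate an imported Wi-Fi profile, a pre-import check is worth having. The function below is an added example, not code from the Configuration Manager documentation or the Windows WLAN tooling; it parses a WLAN profile XML file and reports anything that conflicts with the rules stated on this page (WPA2 Enterprise or WPA2 Personal only, AES or TKIP only, no apostrophe or comma in the network name, and, for PEAP, a named trusted server or root CA so devices can validate the RADIUS server). The element names follow the public Windows WLAN profile schema; the sample profile is constructed for the example and the function name Test-WlanProfileXml is mine.

```powershell
# Added example (not from the Configuration Manager documentation): pre-import sanity
# check of a WLAN profile XML file against the Wi-Fi profile rules on this page.
function Test-WlanProfileXml {
    param([Parameter(Mandatory)][string]$Xml)
    $findings = New-Object System.Collections.Generic.List[string]
    try { [xml]$doc = $Xml } catch { return @("Not well-formed XML: $($_.Exception.Message)") }

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    if (-not $doc.SelectSingleNode('/w:WLANProfile', $ns)) {
        return @('Root element is not WLANProfile in the WLAN profile namespace.')
    }

    # Network name: Configuration Manager does not support apostrophes or commas in it.
    $name = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    if ($name -match "['‘’,]") {
        $findings.Add("Profile name '$name' contains an apostrophe or comma, which Configuration Manager does not support.")
    }

    # Security configuration: only WPA2 Enterprise (WPA2) / WPA2 Personal (WPA2PSK) with AES or TKIP.
    $auth = $doc.SelectSingleNode('//w:authEncryption/w:authentication', $ns).InnerText
    $enc  = $doc.SelectSingleNode('//w:authEncryption/w:encryption', $ns).InnerText
    $oneX = $doc.SelectSingleNode('//w:authEncryption/w:useOneX', $ns).InnerText
    if ($auth -notin @('WPA2', 'WPA2PSK')) { $findings.Add("Authentication '$auth' is not WPA2 Enterprise (WPA2) or WPA2 Personal (WPA2PSK).") }
    if ($enc -notin @('AES', 'TKIP'))     { $findings.Add("Encryption '$enc' is not AES or TKIP.") }
    if ($enc -eq 'TKIP')                  { $findings.Add('TKIP is accepted but weaker than AES; prefer AES where the infrastructure supports it.') }
    if ($auth -eq 'WPA2' -and $oneX -ne 'true') { $findings.Add('WPA2 Enterprise requires <useOneX>true</useOneX> and an EAP configuration.') }

    # For PEAP (EAP type 25) the profile should pin the RADIUS server. The EAP config uses its
    # own namespaces, so match on local-name() rather than the WLAN namespace.
    $type = $doc.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    if ($type -and $type.InnerText -eq '25') {
        $names = $doc.SelectSingleNode("//*[local-name()='ServerValidation']/*[local-name()='ServerNames']")
        $roots = $doc.SelectSingleNode("//*[local-name()='ServerValidation']/*[local-name()='TrustedRootCA']")
        if (-not ($names -and $names.InnerText.Trim()) -and -not $roots) {
            $findings.Add('PEAP profile names no trusted server and no root CA; clients cannot validate the RADIUS server.')
        }
    }
    return $findings.ToArray()
}

# Constructed sample: a WPA2 Enterprise / AES / PEAP profile whose name contains a comma
# and whose PEAP block does not pin the server.
$sample = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso, Corp</name>
  <SSIDConfig><SSID><name>ContosoCorp</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@
Test-WlanProfileXml -Xml $sample
```

On the constructed sample the function reports two findings: the comma in the profile name and the missing server validation for PEAP. For a real file, run Test-WlanProfileXml -Xml (Get-Content .\profile.xml -Raw) before you import it into the Create Wi-Fi Profile Wizard; a clean result is not proof the profile will connect, only that it does not break the constraints listed on this page.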
Next steps
For information about how to deploy the Wi-Fi profile, see How to deploy Wi-Fi profiles in System Center
Configuration Manager.
Introduction to certificate profiles in System Center
Configuration Manager
4/30/2018 • 5 min to read
NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it.
For more information, see Enable optional features from updates.
Starting with version 1706, you can use Microsoft or Entrust as certificate authorities for Personal
information exchange (.pfx) certificates.
IMPORTANT
To deploy profiles to Android, iOS, Windows Phone, and enrolled Windows 8.1 or later devices, these devices must be
enrolled in Microsoft Intune.
A typical scenario for Configuration Manager is to install trusted root CA certificates to authenticate Wi-Fi and
VPN servers when the connection uses EAP-TLS, EAP-TTLS, and PEAP authentication protocols, and IKEv2,
L2TP/IPsec, and Cisco IPsec VPN tunneling protocols.
An enterprise root CA certificate must be installed on the device before the device can request certificates by
using a SCEP certificate profile.
You can specify settings in a SCEP certificate profile to request customized certificates for different environments
or connectivity requirements. The Create Certificate Profile Wizard has two pages for enrollment parameters.
The first, SCEP Enrollment, includes settings for the enrollment request and where to install the certificate. The
second, Certificate Properties, describes the requested certificate itself.
1. On the Trusted CA Certificate page of the Create Certificate Profile Wizard, specify the following
information:
Certificate file: Click Import and then browse to the certificate file that you want to use.
Destination store: For devices that have more than one certificate store, select where to store the
certificate. For devices that have only one store, this setting is ignored.
2. Use the Certificate thumbprint value to verify that you have imported the correct certificate.
NOTE
When a user creates a Windows Hello for Business PIN, Windows sends a notification which Configuration Manager
listens for. This allows Configuration Manager to quickly become aware of which users have created a Windows Hello
PIN. Configuration Manager can then also issue new certificates to those users if Windows Hello is used as the Key
Storage Provider in a certificate profile.
Install to Software Key Storage Provider: Installs the key to the storage provider for the software
key.
Devices for certificate enrollment: If the certificate profile is deployed to a user collection, select
whether to allow certificate enrollment on only the user's primary device or on all devices that the
user logs on to. If the certificate profile is deployed to a device collection, select whether to allow
certificate enrollment for only the primary user of the device or for all users that log on to the device.
3. On the Certificate Properties page of the Create Certificate Profile Wizard, specify the following
information:
Certificate template name: Click Browse to select the name of a certificate template that the Network
Device Enrollment Service is configured to use and that has been added to an issuing CA. To successfully
browse to certificate templates, the user account that you are using to run the System Center
Configuration Manager console must have Read permission to the certificate template. Alternatively, if
you cannot use Browse, type the name of the certificate template.
IMPORTANT
If the certificate template name contains non-ASCII characters (for example, characters from the Chinese alphabet),
the certificate will not be deployed. To ensure that the certificate is deployed, you must first create a copy of the
certificate template on the CA and rename the copy by using ASCII characters.
Note the following, depending on whether you browse to the certificate template or type the certificate
name:
If you browse to select the name of the certificate template, some fields on the page are automatically
populated from the certificate template. In some cases, you cannot change these values unless you
choose a different certificate template.
If you type the name of the certificate template, make sure that the name exactly matches one of the
certificate templates that are listed in the registry of the server that is running the Network Device
Enrollment Service. Make sure that you specify the name of the certificate template and not the
display name of the certificate template.
To find the names of certificate templates, browse to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP. You will see the certificate
templates listed as the values for EncryptionTemplate, GeneralPurposeTemplate, and
SignatureTemplate. By default, the value for all three certificate templates is IPSECIntermediateOffline,
which maps to the template display name of IPSec (Offline request).
WARNING
Because System Center Configuration Manager cannot verify the contents of the certificate template when you type
the name of the certificate template rather than browse, you might be able to select options that the certificate
template does not support and that will result in a failed certificate request. When this happens, you will see an error
message for w3wp.exe in the CPR.log file that the template name in the certificate signing request (CSR) and the
challenge do not match.
When you type the name of the certificate template that is specified for the GeneralPurposeTemplate value, you
must select the Key encipherment and the Digital signature options for this certificate profile. However, if you
want to enable only the Key encipherment option in this certificate profile, specify the certificate template name for
the EncryptionTemplate key. Similarly, if you want to enable only the Digital signature option in this certificate
profile, specify the certificate template name for the SignatureTemplate key.
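A typed template name that differs from the registry value by even one character produces the template/challenge mismatch described in the warning above, and so does choosing key usage options that do not fit the value you copied the name from. The following PowerShell script is an added example, not part of the Configuration Manager documentation: run on the server that hosts the Network Device Enrollment Service, it reads the three template values from the MSCEP key, shows which Key usage selection each one calls for, and checks a name you intend to type (the $TemplateName default is a placeholder) for an exact, case-sensitive match. It covers the same registry lookup the TIP in the NDES setup procedure later on this page refers to.

```powershell
# Added example (not from the Configuration Manager documentation): list the
# certificate templates NDES is configured with and validate a typed template name
# against them. $TemplateName is a placeholder for the name you plan to type.
param(
    [string]$TemplateName = 'IPSECIntermediateOffline'
)

$mscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$item = Get-ItemProperty -Path $mscepKey -ErrorAction Stop

$configured = foreach ($valueName in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    # Key usage the wizard must be set to for a name taken from this registry value
    $usage = switch ($valueName) {
        'EncryptionTemplate'     { 'Key encipherment only' }
        'SignatureTemplate'      { 'Digital signature only' }
        'GeneralPurposeTemplate' { 'Key encipherment and Digital signature' }
    }
    [pscustomobject]@{
        RegistryValue  = $valueName
        TemplateName   = $item.$valueName     # the template *name*, never the display name
        WizardKeyUsage = $usage
    }
}
$configured | Format-Table -AutoSize | Out-String | Write-Host

# Exact, case-sensitive comparison: NDES matches the CSR's template name literally.
$match = @($configured | Where-Object { $_.TemplateName -ceq $TemplateName })
if ($match.Count -gt 0) {
    "OK: '$TemplateName' matches $($match.RegistryValue -join ', '); " +
    "set Key usage to: $($match.WizardKeyUsage -join ' / ')"
} else {
    Write-Warning ("'$TemplateName' does not exactly match any MSCEP template value; " +
                   "a request using it fails with a template/challenge mismatch in CRP.log.")
}
```

Because the comparison is case-sensitive (-ceq), a name such as ipsecintermediateoffline is reported as a mismatch, which is exactly what NDES would do with it.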
Certificate type: Select whether the certificate will be deployed to a device or a user.
Subject name format: From the list, select how System Center Configuration Manager automatically
creates the subject name in the certificate request. If the certificate is for a user, you can also include the
user's email address in the subject name.
NOTE
Selecting IMEI number or Serial number enables you to differentiate between different devices that are owned by
the same user. For example, those devices could share a common name, but not an IMEI number or serial number. If
the device does not report an IMEI or serial number, the certificate will be issued with the common name.
Subject alternative name: Specify how System Center Configuration Manager automatically creates
the values for the subject alternative name (SAN) in the certificate request. For example, if you selected a
user certificate type, you can include the user principal name (UPN) in the subject alternative name. If the
client certificate will be used to authenticate to a Network Policy Server, you must set the subject
alternative name to the UPN.
NOTE
iOS devices support limited subject name formats and subject alternative names in SCEP certificates. If you specify
a format that is not supported, certificates will not be enrolled on iOS devices. When you configure a SCEP
certificate profile to be deployed to iOS devices, use the Common name for the Subject name format, and DNS
name, Email address or UPN for the Subject alternative name.
Certificate validity period: If you have run the certutil -setreg Policy\EditFlags
+EDITF_ATTRIBUTEENDDATE command on the issuing CA, which allows a custom validity period, you
can specify the amount of remaining time before the certificate expires. For more information about this
command, see Certificate infrastructure in System Center Configuration Manager topic.
You can specify a value that is lower than the validity period in the specified certificate template, but not
higher. For example, if the certificate validity period in the certificate template is two years, you can specify a
value of one year but not a value of five years. The value must also be lower than the remaining validity
period of the issuing CA's certificate.
Key usage: Specify key usage options for the certificate. You can choose from the following options:
Key encipherment: Allow key exchange only when the key is encrypted.
Digital signature: Allow key exchange only when a digital signature helps protect the key.
If you selected a certificate template by using Browse, you might not be able to change these settings
unless you select a different certificate template.
The certificate template you selected must be configured with one or both of the two key usage options
above. If it is not, you will see the message Key usage in CSR and challenge do not match in the
certificate registration point log file, Crp.log.
Key size (bits): Select the size of the key in bits.
Extended key usage: Click Select to add values for the certificate's intended purpose. In most cases, the
certificate will require Client Authentication so that the user or device can authenticate to a server.
However, you can add any other key usages as required.
Hash algorithm: Select one of the available hash algorithm types to use with this certificate. Select the
strongest level of security that the connecting devices support.
NOTE
SHA-2 supports SHA-256, SHA-384, and SHA-512. SHA-3 supports only SHA-3.
Root CA certificate: Click Select to choose a root CA certificate profile that you have previously
configured and deployed to the user or device. This CA certificate must be the root certificate for the CA
that will issue the certificate that you are configuring in this certificate profile.
IMPORTANT
If you specify a root CA certificate that is not deployed to the user or device, System Center Configuration Manager
will not initiate the certificate request that you are configuring in this certificate profile.
IMPORTANT
Before you configure System Center Configuration Manager to work with the Network Device Enrollment Service, verify the
installation and configuration of the Network Device Enrollment Service. If these dependencies are not working correctly, you
will have difficulty troubleshooting certificate enrollment by using System Center Configuration Manager.
To install and configure the Network Device Enrollment Service and dependencies
1. On a server that is running Windows Server 2012 R2, install and configure the Network Device Enrollment
Service role service for the Active Directory Certificate Services server role. For more information, see
Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on
TechNet.
2. Check, and if necessary, modify the security permissions for the certificate templates that the Network
Device Enrollment Service is using:
For the account that runs the System Center Configuration Manager console: Read permission.
This permission is required so that when you run the Create Certificate Profile Wizard, you can
browse to select the certificate template that you want to use when you create a SCEP settings
profile. Selecting a certificate template means that some settings in the wizard are automatically
populated, so there is less for you to configure and there is less risk of selecting settings that are not
compatible with the certificate templates that the Network Device Enrollment Service is using.
For the SCEP Service account that the Network Device Enrollment Service application pool uses:
Read and Enroll permissions.
This requirement is not specific to System Center Configuration Manager but is part of configuring
the Network Device Enrollment Service. For more information, see Network Device Enrollment
Service Guidance in the Active Directory Certificate Services library on TechNet.
TIP
To identify which certificate templates the Network Device Enrollment Service is using, view the following registry key
on the server that is running the Network Device Enrollment Service:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.
NOTE
These are the default security permissions that will be appropriate for most environments. However, you can use an
alternative security configuration. For more information, see Planning for certificate template permissions for
certificate profiles in System Center Configuration Manager.
3. Deploy to this server a PKI certificate that supports client authentication. You might already have a suitable
certificate installed on the computer that you can use, or you might have to (or prefer to) deploy a
certificate specifically for this purpose. For more information about the requirements for this certificate,
refer to the details for Servers running the Configuration Manager Policy Module with the Network Device
Enrollment Service role service in the PKI Certificates for Servers section in the PKI certificate
requirements for System Center Configuration Manager topic.
TIP
If you need help deploying this certificate, you can use the instructions for Deploying the Client Certificate for
Distribution Points, because the certificate requirements are the same with one exception:
Do not select the Allow private key to be exported check box on the Request Handling tab of the
properties for the certificate template.
You do not have to export this certificate with the private key because you will be able to browse to the local
Computer store and select it when you configure the System Center Configuration Manager Policy Module.
4. Locate the root certificate that the client authentication certificate chains to. Then, export this root CA
certificate to a certificate (.cer) file. Save this file to a secured location that you can securely access when
you later install and configure the site system server for the certificate registration point.
5. On the same server, use the registry editor to increase the IIS default URL size limit by setting the following
registry key DWORD values in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters:
Set the MaxFieldLength key to 65534.
Set the MaxRequestBytes key to 16777216.
For more information, see article 820129: Http.sys registry settings for Windows in the Microsoft
Knowledge Base.
6. On the same server, in Internet Information Services (IIS) Manager, modify the request-filtering settings for
the /certsrv/mscep application, and then restart the server. In the Edit Request Filtering Settings dialog
box, the Request Limits settings should be as follows:
Maximum allowed content length (Bytes): 30000000
Maximum URL length (Bytes): 65534
Maximum query string (Bytes): 65534
For more information about these settings and how to configure them, see Requests Limits in the IIS
Reference Library.
7. If you want to be able to request a certificate that has a lower validity period than the certificate template
that you are using: This configuration is disabled by default for an enterprise CA. To enable this option on
an enterprise CA, use the Certutil command-line tool, and then stop and restart the certificate service by
using the following commands:
a. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
b. net stop certsvc
c. net start certsvc
For more information, see Certificate Services Tools and Settings in the PKI Technologies library on
TechNet.
8. Verify that the Network Device Enrollment Service is working by using the following link as an example:
https://server.contoso.com/certsrv/mscep/mscep.dll. You should see the built-in Network Device
Enrollment Service webpage. This webpage explains what the service is and explains that network devices
use the URL to submit certificate requests.
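Steps 5 through 8 of this procedure are all settings and checks that can be applied and verified from an elevated PowerShell prompt on the NDES server. The following script is an added example, not part of the Configuration Manager documentation: it sets the two HTTP.sys DWORD values from step 5, the three request-filtering limits from step 6, runs the certutil and service commands from step 7, reads the settings back, and requests the mscep.dll URL from step 8. It assumes the IIS site name Default Web Site hosts /certsrv/mscep, that the issuing CA role is on this same server (otherwise run the step 7 block on the CA instead), and uses https://server.contoso.com/certsrv/mscep/mscep.dll as a placeholder URL.

```powershell
# Added example (not from the Configuration Manager documentation): apply steps 5-7 of
# the NDES procedure and perform the step 8 check. Run elevated on the NDES server.
# $NdesUrl and $SiteName are placeholders for your environment.
param(
    [string]$NdesUrl  = 'https://server.contoso.com/certsrv/mscep/mscep.dll',
    [string]$SiteName = 'Default Web Site'
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Step 5: raise the HTTP.sys URL and header limits (DWORD values) so long SCEP
# requests are not rejected before they reach IIS.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
Set-ItemProperty -Path $httpParams -Name MaxFieldLength  -Value 65534    -Type DWord
Set-ItemProperty -Path $httpParams -Name MaxRequestBytes -Value 16777216 -Type DWord

# Step 6: request-filtering limits scoped to the /certsrv/mscep application only,
# written as a <location> entry in applicationHost.config.
$location = "$SiteName/certsrv/mscep"
$filter   = 'system.webServer/security/requestFiltering/requestLimits'
foreach ($limit in @{ maxAllowedContentLength = 30000000; maxUrl = 65534; maxQueryString = 65534 }.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter $filter -Name $limit.Key -Value $limit.Value
}

# Step 7: let requests carry a shorter validity period than the template allows.
# This runs against the issuing enterprise CA; assumed here to be this server.
certutil.exe -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
net.exe stop certsvc
net.exe start certsvc

# Read back what was written (the HTTP.sys values take effect after the restart step 6 calls for).
Get-ItemProperty -Path $httpParams | Select-Object MaxFieldLength, MaxRequestBytes
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location -Filter $filter |
    Select-Object maxAllowedContentLength, maxUrl, maxQueryString

# Step 8: NDES should answer with its built-in information page.
$resp = Invoke-WebRequest -Uri $NdesUrl -UseBasicParsing -UseDefaultCredentials
"HTTP $($resp.StatusCode) from $NdesUrl (expect the Network Device Enrollment Service page)"
```

The script does not restart the server itself; step 6 requires that, so schedule the restart once the read-back shows the expected values.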
Now that the Network Device Enrollment Service and dependencies are configured, you are ready to install
and configure the certificate registration point.
IMPORTANT
Before you install the certificate registration point, see the Site System Requirements section in the Supported
configurations for System Center Configuration Manager topic for operating system requirements and dependencies for the
certificate registration point.
To install and configure the certificate registration point
TIP
This certificate is not immediately available in this folder. You might need to wait awhile (for example, half an hour)
before System Center Configuration Manager copies the file to this location.
1. On the server that runs the Network Device Enrollment Service, log on as a domain administrator and
copy the following files from the <ConfigMgrInstallationMedia>\SMSSETUP\POLICYMODULE\X64
folder on the System Center Configuration Manager installation media to a temporary folder:
PolicyModule.msi
PolicyModuleSetup.exe
In addition, if you have a LanguagePack folder on the installation media, copy this folder and its contents.
2. From the temporary folder, run PolicyModuleSetup.exe to start the System Center Configuration Manager
Policy Module Setup wizard.
3. On the initial page of the wizard, click Next, accept the license terms, and then click Next.
4. On the Installation Folder page, accept the default installation folder for the policy module or specify an
alternative folder, and then click Next.
5. On the Certificate Registration Point page, specify the URL of the certificate registration point by using
the FQDN of the site system server and the virtual application name that is specified in the properties for
the certificate registration point. The default virtual application name is CMCertificateRegistration. For
example, if the site system server has an FQDN of server1.contoso.com and you used the default virtual
application name, specify https://server1.contoso.com/CMCertificateRegistration.
6. Accept the default port of 443 or specify the alternative port number that the certificate registration point is
using, and then click Next.
7. On the Client Certificate for the Policy Module page, browse to and specify the client authentication
certificate that you deployed in Step 1: Install and configure the Network Device Enrollment Service
and dependencies, and then click Next.
8. On the Certificate Registration Point Certificate page, click Browse to select the exported certificate file
for the root CA that you located and saved at the end of Step 2: Install and configure the certificate
registration point.
NOTE
If you did not previously save this certificate file, it is located in the <ConfigMgr Installation
Path>\inboxes\certmgr.box on the site server computer.
IMPORTANT
See information about recommended changes in response to SSL vulnerabilities in About SSL Vulnerabilities.
NOTE
All certificates that Configuration Manager uses must contain only single-byte characters in the subject name or subject
alternative name.
NOTE
The self-signed management certificate is for testing purposes only and not for use on production networks.
Clients do not require a client PKI certificate to use cloud-based distribution points; they authenticate to the
management point by using either a self-signed certificate or a client PKI certificate. The management point then issues a
Configuration Manager access token to the client, which the client presents to the cloud-based distribution point.
The token is valid for 8 hours.
The Microsoft Intune Connector and certificates
When Microsoft Intune enrolls mobile devices, you can manage these mobile devices in Configuration Manager by
creating a Microsoft Intune connector. The connector uses a PKI certificate with client authentication capability to
authenticate Configuration Manager to Microsoft Intune and to transfer all information between them by using
SSL. The certificate key size is 2048 bits and uses the SHA-1 hash algorithm.
When you install the connector, a signing certificate is created and stored on the site server for sideloading keys,
and an encryption certificate is created and stored on the certificate registration point to encrypt the Simple
Certificate Enrollment Protocol (SCEP) challenge. These certificates also have a key size of 2048 bits and use the
SHA-1 hash algorithm.
When Intune enrolls mobile devices, it installs a PKI certificate onto the mobile device. This certificate has client
authentication capability, uses a key size of 2048 bits, and uses the SHA-1 hash algorithm.
These PKI certificates are automatically requested, generated, and installed by Microsoft Intune.
CRL checking for PKI certificates
A PKI certificate revocation list (CRL) increases administrative and processing overhead but it is more secure.
However, if CRL checking is enabled but the CRL is inaccessible, the PKI connection fails. For more information,
see Security and privacy for System Center Configuration Manager.
Certificate revocation list (CRL) checking is enabled by default in IIS, so if you are using a CRL with your PKI
deployment, there is nothing additional to configure on most Configuration Manager site systems that run IIS. The
exception is for software updates, which requires a manual step to enable CRL checking to verify the signatures on
software update files.
CRL checking is enabled by default for client computers when they use HTTPS client connections. CRL checking is
not enabled by default when you run the Out of Band Management console to connect to AMT-based computers,
and you can enable this option. You cannot disable CRL checking for clients on Mac computers in Configuration
Manager SP1 or later.
CRL checking is not supported for the following connections in Configuration Manager:
Server-to-server connections.
Mobile devices that are enrolled by Configuration Manager.
Mobile devices that are enrolled by Microsoft Intune.
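The failure mode to plan for is the one stated above: with CRL checking enabled, a CRL that cannot be fetched makes the PKI connection fail. The following PowerShell script is an added example, not part of the Configuration Manager documentation: given any certificate from your deployment (C:\Temp\client.cer is a placeholder path), it lists the HTTP CRL distribution points, fetches each one, and then builds the chain with online revocation checking for the whole chain, which is the check IIS and the client perform. A chain status of RevocationStatusUnknown or OfflineRevocation is the signal that the CRL is unreachable from this host.

```powershell
# Added example (not from the Configuration Manager documentation): test whether a
# certificate's CRLs are reachable from this machine and whether online revocation
# checking succeeds. $CertPath is a placeholder for a .cer file from your PKI.
param(
    [string]$CertPath = 'C:\Temp\client.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. CRL distribution points (OID 2.5.29.31); Format($true) prints one "URL=..." per point.
$cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$cdpUrls = @()
if ($cdpExt) {
    $cdpUrls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

# 2. Fetch each HTTP distribution point the way a client would (LDAP points are skipped here).
foreach ($url in ($cdpUrls | Where-Object { $_ -like 'http*' })) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "{0} -> HTTP {1}, {2} bytes" -f $url, $resp.StatusCode, $resp.RawContentLength
    } catch {
        Write-Warning "$url -> unreachable: $($_.Exception.Message)"
    }
}

# 3. Build the chain with online revocation checking for every certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$chainValid = $chain.Build($cert)

[pscustomobject]@{
    Subject     = $cert.Subject
    Thumbprint  = $cert.Thumbprint
    CdpUrls     = $cdpUrls -join '; '
    ChainValid  = $chainValid
    # RevocationStatusUnknown / OfflineRevocation means the CRL could not be retrieved;
    # with CRL checking enabled that connection fails rather than succeeding silently.
    ChainStatus = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
}
```

Run it from a site system and from a client subnet: a CRL that is reachable from the CA's network but not from where clients and site systems actually connect is the usual cause of the failure the text describes.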
IMPORTANT
You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy.
When you use Endpoint Protection with Configuration Manager, you have the following benefits:
Configure antimalware policies, Windows Firewall settings, and manage Windows Defender Advanced Threat
Protection to selected groups of computers
Use Configuration Manager software updates to download the latest antimalware definition files to keep client
computers up-to-date
Send email notifications, use in-console monitoring, and view reports. These actions inform administrative
users when malware is detected on client computers.
Beginning with Windows 10 and Windows Server 2016 computers, Windows Defender is already installed. For
these operating systems, a management client for Windows Defender is installed when the Configuration
Manager client installs. On Windows 8.1 and earlier computers, the Endpoint Protection client is installed with the
Configuration Manager client. Windows Defender and the Endpoint Protection client have the following
capabilities:
Malware and spyware detection and remediation
Rootkit detection and remediation
Critical vulnerability assessment and automatic definition and engine updates
Network vulnerability detection through Network Inspection System
Integration with Cloud Protection Service to report malware to Microsoft. When you join this service, the
Endpoint Protection client or Windows Defender downloads the latest definitions from the Malware Protection
Center when unidentified malware is detected on a computer.
NOTE
The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest virtual machines with supported
operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in randomized delay so that
protection services do not run simultaneously.
In addition, you manage Windows Firewall settings with Endpoint Protection in the Configuration Manager
console.
Example scenario: Using System Center Endpoint Protection to protect computers from malware in System Center
Configuration Manager
Endpoint Protection and the Windows Firewall
NOTE
Endpoint Protection supports managing the Windows Firewall only.
For more information, see How to create and deploy Windows Firewall policies for Endpoint Protection.
IMPORTANT
You must be a Microsoft Volume License customer to download the Endpoint Protection installation files for Linux and the
Mac.
These products cannot be managed from the Configuration Manager console. However, a System Center
Operations Manager management pack is supplied with the installation files, which allows you to manage the
client for Linux by using Operations Manager.
How to get the Endpoint Protection client for Mac computers and Linux servers
Use the following steps to download the image file containing the Endpoint Protection client software and
documentation for Mac computers and Linux servers.
1. Sign in to the Microsoft Volume Licensing Service Center.
2. Select the Downloads and Keys tab at the top of the website.
3. Filter on product System Center Endpoint Protection (current branch).
4. Click the link to Download.
5. Click Continue. You should see several files, including one named: System Center Endpoint Protection
(current branch - version 1606) for Linux OS and Macintosh OS Multilanguage 32/64 bit 1878 MB
ISO.
6. To download the file, click the arrow icon. The file name is
SW_DVD5_Sys_Ctr_Endpnt_Prtctn_1606_MultiLang_-3_EptProt_Lin_Mac_MLF_X21-67050.ISO.
The January 2018 update (X21-67050) includes the following versions:
System Center Endpoint Protection for Mac 4.5.32.0 (support for macOS 10.13 High Sierra)
System Center Endpoint Protection for Linux 4.5.20.0
For more information about how to install and manage the Endpoint Protection clients for Linux and Mac
computers, use the documentation that accompanies these products. This product documentation is in the
Documentation folder of the .ISO file.
Configure Endpoint Protection
4/30/2018 • 2 min to read
IMPORTANT
If you manage endpoint protection for Windows 10 computers, then you must configure Configuration Manager to update
and distribute malware definitions for Windows Defender. Windows Defender is included in Windows 10 but SCEPInstall must
still be installed and custom client settings for Endpoint Protection (Step 5 below) are still required.
Starting in Configuration Manager 1802, Windows 10 devices do not need to have the Endpoint Protection agent
(SCEPInstall) installed. If it is already installed on Windows 10 devices, Configuration Manager will not remove it.
Administrators can remove the Endpoint Protection agent on Windows 10 devices that are running at least the 1802 client
version. SCEPInstall.exe may still be present in C:\Windows\ccmsetup on some machines but should not be downloaded on
new client installations. Custom client settings for Endpoint Protection (Step 5 below) are still required.
STEPS and DETAILS
Step 1: Create an Endpoint Protection point site system role
The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must be
installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration
site or a stand-alone primary site.
Step 2: Configure alerts for Endpoint Protection
Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts are displayed in
the Alerts node of the Monitoring workspace, or optionally can be emailed to specified users.
Step 3: Configure definition update sources for Endpoint Protection clients
Endpoint Protection can be configured to use various sources to download definition updates.
Step 4: Configure the default antimalware policy and create custom antimalware policies
The default antimalware policy is applied when the Endpoint Protection client is installed. Any custom policies you have
deployed are applied by default, within 60 minutes of deploying the client. Ensure that you have configured
antimalware policies before you deploy the Endpoint Protection client.
Step 5: Configure custom client settings for Endpoint Protection
Use custom client settings to configure Endpoint Protection settings for collections of computers in your hierarchy.
IMPORTANT
When you install an Endpoint Protection point, an Endpoint Protection client is installed on the server hosting the Endpoint
Protection point. Services and scans are disabled on this client to enable it to co-exist with any existing antimalware solution
that is installed on the server. If you later enable this server for management by Endpoint Protection and select the option to
remove any third-party antimalware solution, the third-party product will not be removed. You must uninstall this product
manually.
IMPORTANT
You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.
7. On the Cloud Protection Service page, select the level of information that you want to send to Microsoft
to help develop new definitions, and then click Next.
NOTE
This option configures the Cloud Protection Service (formerly known as Microsoft Active Protection Service or MAPS)
settings that are used by default. You can then configure custom settings for each antimalware policy you create. Join
Cloud Protection Service, to help to keep your computers more secure by supplying Microsoft with malware samples
that can help Microsoft to keep antimalware definitions more up-to-date. Additionally, when you join Cloud
Protection Service, the Endpoint Protection client can use the dynamic signature service to download new definitions
before they are published to Windows Update. For more information, see How to create and deploy antimalware
policies for Endpoint Protection in System Center Configuration Manager.
IMPORTANT
You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.
7. On the Cloud Protection Service page, select the level of information that you want to send to Microsoft
to help develop new definitions, and then click Next.
NOTE
This option configures the Cloud Protection Service settings (formerly known as MAPS) that are used by default. You
can configure custom settings for each antimalware policy you configure. For more information, see How to create
and deploy antimalware policies for Endpoint Protection in System Center Configuration Manager.
IMPORTANT
You must have the Enforce Security permission for collections to configure Endpoint Protection alerts.
NOTE
You cannot configure alerts for user collections.
4. On the Alerts tab of the <Collection Name> Properties dialog box, select View this collection in the
Endpoint Protection dashboard if you want to view details about antimalware operations for this
collection in the Monitoring workspace of the Configuration Manager console.
NOTE
This option is unavailable for the All Systems collection.
5. On the Alerts tab of the <Collection Name> Properties dialog box, click Add.
6. In the Add New Collection Alerts dialog box, in the Generate an alert when these conditions apply
section, select the alerts that you want Configuration Manager to generate when the specified Endpoint
Protection events occur, and then click OK.
7. In the Conditions list of the Alerts tab, select each Endpoint Protection alert, and then specify the
following information:
Alert Name - Accept the default name or enter a new name for the alert.
Alert Severity - In the list, select the alert level to display in the Configuration Manager console.
8. Depending on the alert that you select, specify the following additional information:
Malware detection - This alert is generated if malware is detected on any computer in the
collection that you monitor. The Malware detection threshold specifies the malware detection
levels at which this alert is generated:
High - All detections - The alert is generated when there are one or more computers in the
specified collection on which any malware is detected, regardless of what action the Endpoint
Protection client takes.
Medium - Detected, pending action - The alert is generated when there are one or more
computers in the specified collection on which malware is detected, and you must manually
remove the malware.
Low - Detected, still active - The alert is generated when there are one or more computers
in the specified collection on which malware is detected and is still active.
Malware outbreak - This alert is generated if specified malware is detected on a specified
percentage of computers in the collection that you monitor.
Percentage of computers with malware detected - The alert is generated when the
percentage of computers with malware that is detected in the collection exceeds the
percentage that you specify. Specify a percentage from 1 through 99.
NOTE
The percentage value is based on the number of computers in the collection, but excludes computers
that do not have a Configuration Manager client installed. It includes computers that do not yet have
the Endpoint Protection client installed.
Repeated malware detection - This alert is generated if specific malware is detected more than a
specified number of times over a specified number of hours on the computers in the collection that
you monitor. Specify the following information to configure this alert:
Number of times malware has been detected: The alert is generated when the same
malware is detected on computers in the collection more than the specified number of times.
Specify a number from 2 through 32.
Interval for detection (hours): Specify the detection interval, in hours, in which the
number of malware detections must occur. Specify a number from 1 through 168.
Multiple malware detection - This alert is generated if more than a specified number of malware
types are detected over a specified number of hours on computers in the collection that you monitor.
Specify the following information to configure this alert:
Number of malware types detected: The alert is generated when the specified number of
different malware types are detected on computers in the collection. Specify a number from 2
through 32.
Interval for detection (hours): Specify the detection interval, in hours, in which the number
of malware detections must occur. Specify a number from 1 through 168.
9. Click OK to close the <Collection Name> Properties dialog box.
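The following PowerShell is an added example, not code from the Configuration Manager documentation: it evaluates the four collection alert conditions described above (Malware detection, Malware outbreak, Repeated malware detection, Multiple malware detection) against a constructed collection and constructed detection events, using the documented threshold ranges. The object shapes, the HasCmClient/HasEpClient and Status fields, and the threat names are assumptions made for the illustration.

```powershell
# Added example in PowerShell; not from the Configuration Manager documentation.
# Evaluates the four collection alert conditions against a constructed collection and
# constructed detection events. Thresholds use the documented ranges; object shapes,
# threat names and the Status values are assumptions for illustration.

# Constructed collection. HasCmClient/HasEpClient model the note that the outbreak
# percentage excludes computers without a Configuration Manager client but includes
# computers that do not yet have the Endpoint Protection client.
$Computers = @(
    [pscustomobject]@{ Name = 'PC01'; HasCmClient = $true;  HasEpClient = $true  }
    [pscustomobject]@{ Name = 'PC02'; HasCmClient = $true;  HasEpClient = $true  }
    [pscustomobject]@{ Name = 'PC03'; HasCmClient = $true;  HasEpClient = $false }
    [pscustomobject]@{ Name = 'PC04'; HasCmClient = $true;  HasEpClient = $true  }
    [pscustomobject]@{ Name = 'PC05'; HasCmClient = $false; HasEpClient = $false }
)

# Constructed detection events. Status maps to the Malware detection levels:
# Removed = client already acted, PendingAction = manual removal needed, Active = still active.
$Events = @(
    [pscustomobject]@{ Computer = 'PC01'; Threat = 'Trojan:Win32/SampleA'; Status = 'Removed';       Time = [datetime]'2018-04-28T07:00' }
    [pscustomobject]@{ Computer = 'PC01'; Threat = 'Trojan:Win32/SampleA'; Status = 'Removed';       Time = [datetime]'2018-04-30T08:00' }
    [pscustomobject]@{ Computer = 'PC02'; Threat = 'Trojan:Win32/SampleA'; Status = 'PendingAction'; Time = [datetime]'2018-04-30T09:30' }
    [pscustomobject]@{ Computer = 'PC04'; Threat = 'Trojan:Win32/SampleA'; Status = 'Active';        Time = [datetime]'2018-04-30T10:15' }
    [pscustomobject]@{ Computer = 'PC04'; Threat = 'Worm:Win32/SampleB';   Status = 'Removed';       Time = [datetime]'2018-04-30T11:00' }
)

# Malware detection: High = any detection, Medium = detected and pending manual action,
# Low = detected and still active. Fires when at least one computer matches.
function Test-MalwareDetectionAlert {
    param([object[]]$Events, [ValidateSet('High', 'Medium', 'Low')][string]$Threshold)
    $hit = switch ($Threshold) {
        'High'   { $Events }
        'Medium' { $Events | Where-Object Status -eq 'PendingAction' }
        'Low'    { $Events | Where-Object Status -eq 'Active' }
    }
    return @($hit | Select-Object -ExpandProperty Computer -Unique).Count -ge 1
}

# Malware outbreak: percentage of computers with any detection exceeds the threshold.
# Denominator: collection members with a Configuration Manager client (EP client not required).
function Test-MalwareOutbreakAlert {
    param([object[]]$Computers, [object[]]$Events, [ValidateRange(1, 99)][int]$Percent)
    $base     = @($Computers | Where-Object HasCmClient)
    $infected = @($Events | Select-Object -ExpandProperty Computer -Unique |
                  Where-Object { $_ -in $base.Name })
    $pct = 100.0 * $infected.Count / $base.Count
    return ($pct -gt $Percent)
}

# Repeated malware detection: the same threat name seen more than $Times times within
# any $Hours-hour window (sliding window anchored at each detection of that threat).
function Test-RepeatedMalwareAlert {
    param([object[]]$Events, [ValidateRange(2, 32)][int]$Times, [ValidateRange(1, 168)][int]$Hours)
    foreach ($group in ($Events | Group-Object -Property Threat)) {
        $stamps = @($group.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        foreach ($start in $stamps) {
            $inWindow = @($stamps | Where-Object { $_ -ge $start -and $_ -lt $start.AddHours($Hours) })
            if ($inWindow.Count -gt $Times) { return $true }
        }
    }
    return $false
}

# Multiple malware detection: at least $Types distinct threat names within any $Hours-hour window.
function Test-MultipleMalwareAlert {
    param([object[]]$Events, [ValidateRange(2, 32)][int]$Types, [ValidateRange(1, 168)][int]$Hours)
    $sorted = @($Events | Sort-Object Time)
    foreach ($start in $sorted) {
        $window = @($sorted | Where-Object { $_.Time -ge $start.Time -and $_.Time -lt $start.Time.AddHours($Hours) })
        if (@($window.Threat | Select-Object -Unique).Count -ge $Types) { return $true }
    }
    return $false
}

# Evaluate with sample thresholds. Outbreak at 70%: 3 of the 4 computers with a CM client
# (PC01, PC02, PC04) have detections = 75%, so it fires; counting PC05 would give 60% and not fire.
[pscustomobject]@{
    MalwareDetection_High  = Test-MalwareDetectionAlert -Events $Events -Threshold High
    MalwareDetection_Low   = Test-MalwareDetectionAlert -Events $Events -Threshold Low
    MalwareOutbreak_70pct  = Test-MalwareOutbreakAlert -Computers $Computers -Events $Events -Percent 70
    RepeatedMalware_2in24h = Test-RepeatedMalwareAlert -Events $Events -Times 2 -Hours 24
    MultipleMalware_2in24h = Test-MultipleMalwareAlert -Events $Events -Types 2 -Hours 24
}
```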
Configure Definition Updates for Endpoint Protection
4/30/2018 • 2 min to read
IMPORTANT
For Windows 10 PCs, you must configure Endpoint Protection to update malware definitions for Windows Defender.
NOTE
This procedure is only for the items that must be specifically configured for Endpoint Protection. For more information about
the Create Automatic Deployment Rule Wizard, see Automatically deploy software updates.
NOTE
You cannot deploy definition updates to a collection of users.
NOTE
From the Detail level list, select Minimal (Configuration Manager with no Service Pack) or Only error messages
(Configuration Manager). This will reduce the number of state messages returned by definition deployment. This
configuration helps reduce the CPU processing usage on the Configuration Manager servers.
8. In the Property filters list, select the Update Classification check box.
9. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify
the value to search for list, select Definition Updates.
10. Click OK to close the Search Criteria dialog box.
11. In the Property filters list, select the Product check box.
12. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify
the value to search for list, select Forefront Endpoint Protection 2010 for Windows 8.1 and earlier or
Windows Defender for Windows 10 and later.
13. Click OK to close the Search Criteria dialog box, and then click Next.
14. Optionally, you can filter out superseded updates. To do so:
a. In the Property filters list, select the Superseded check box.
b. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the
Specify the value to search for list, select No.
15. Click OK to close the Search Criteria dialog box, and then click Next.
16. On the Evaluation Schedule page of the wizard, select Enable rule to run on a schedule, and then
configure the schedule by which to download definition updates. At a minimum, set the rule to run two
hours after each software update point synchronization. Click Next.
17. On the Deployment Schedule page of the wizard, configure the following settings:
Time based on: Select UTC if you want all clients in the hierarchy to install the latest definitions at
the same time. The actual installation time will vary within a two-hour window. This setting is a
recommended best practice.
Software available time: Specify the available time for the deployment that is created by this rule.
The specified time must be at least one hour after the automatic deployment rule runs. This helps to
ensure that the content has sufficient time to replicate to the distribution points in your hierarchy.
Some definition updates might also include antimalware engine updates, which might take longer to
reach distribution points.
Installation deadline: Select As soon as possible.
NOTE
Software update deadlines are varied over a two-hour period to prevent all clients from requesting an update
at the same time.
23. On the Distribution Points page of the wizard, select one or more distribution points to which the content
for this package will be copied, and then click Next.
24. On the Download Location page of the wizard, select Download software updates from the Internet,
and then click Next.
25. On the Language Selection page of the wizard, select each language version of the updates to be
downloaded, and then click Next.
26. Complete the Create Automatic Deployment Rule Wizard.
27. Verify that the new rule is displayed in the Automatic Deployment Rules node of the Configuration
Manager console.
Enable Endpoint Protection malware definitions to
download from Windows Server Update Services
(WSUS) for Configuration Manager
4/30/2018 • 3 min to read
NOTE
To maximize performance on your WSUS server and client computers, decline old definition updates. To accomplish this task,
you can configure automatic approval for revisions and automatic declining of expired updates. For more information, see
Microsoft Knowledge Base article 938947.
Enable Endpoint Protection malware definitions to
download from Microsoft Updates for Configuration
Manager
4/30/2018 • 1 min to read
IMPORTANT
Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.
Using the Microsoft Malware Protection Center to
Download Definitions
4/30/2018 • 1 min to read
IMPORTANT
Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.
Enable Endpoint Protection malware definitions to
download from a network share for Configuration
Manager
4/30/2018 • 1 min to read
NOTE
Clients must have read access to the shared folder to be able to download definition updates.
For more information about how to download the definition and engine updates to store on the file share, see
Install the latest Microsoft antimalware and antispyware software.
How to create and deploy antimalware policies for
Endpoint Protection in System Center
Configuration Manager
4/30/2018 • 12 min to read
IMPORTANT
If you create a new antimalware policy and deploy it to a collection, this antimalware policy overrides the default
antimalware policy.
Use the procedures in this topic to create or import antimalware policies and assign them to System Center
Configuration Manager client computers in your hierarchy.
NOTE
Before you perform these procedures, ensure that Configuration Manager is configured for Endpoint Protection as
described in Configuring Endpoint Protection in System Center Configuration Manager.
NOTE
For a list of settings that you can configure, see List of Antimalware Policy Settings in this topic.
Create a new antimalware policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware
Policies.
3. On the Home tab, in the Create group, click Create Antimalware Policy.
4. In the General section of the Create Antimalware Policy dialog box, enter a name and a description
for the policy.
5. In the Create Antimalware Policy dialog box, configure the settings that you require for this
antimalware policy, and then click OK. For a list of settings that you can configure, see List of
Antimalware Policy Settings.
6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.
NOTE
The Deploy option cannot be used with the default client malware policy.
4. In the Select Collection dialog box, select the device collection to which you want to deploy the
antimalware policy, and then click OK.
Enable real-time protection - Set to Yes to configure real-time protection settings for client computers. We
recommend that you enable this setting.
Monitor file and program activity on your computer - Set to Yes if you want Endpoint Protection to monitor
when files and programs start to run on client computers and to alert you about any actions that they perform
or actions taken on them.
Scan system files - This setting lets you configure whether incoming, outgoing, or incoming and outgoing
system files are monitored for malware. For performance reasons, you might have to change the default value
of Scan incoming and outgoing files if a server has high incoming or outgoing file activity.
Enable behavior monitoring - Enable this setting to use computer activity and file data to detect unknown
threats. When this setting is enabled, it might increase the time required to scan computers for malware.
Enable protection against network-based exploits - Enable this setting to protect computers against known
network exploits by inspecting network traffic and blocking any suspicious activity.
Enable script scanning - For Configuration Manager with no service pack only. Enable this setting if you want
to scan any scripts that run on computers for suspicious activity.
Block Potentially Unwanted Applications at download and prior to installation - Potentially Unwanted
Applications (PUA) is a threat classification based on reputation and research-driven identification. Most
commonly, these are unwanted application bundlers or their bundled applications.
Exclusion Settings
Excluded files and folders:
Click Set to open the Configure File and Folder Exclusions dialog box and specify the names of the files and
folders to exclude from Endpoint Protection scans.
If you want to exclude files and folders that are located on a mapped network drive, specify the name of each
folder in the network drive individually. For example, if a network drive is mapped as F:\MyFolder and it
contains subfolders named Folder1, Folder2 and Folder3, specify the following exclusions:
F:\MyFolder\Folder1
F:\MyFolder\Folder2
F:\MyFolder\Folder3
Beginning in version 1602 of Configuration Manager, the existing Exclude files and folders setting in
the Exclusion settings section of Endpoint Protection antimalware policy is improved to allow device
exclusions. For example, you can now specify the following as an exclusion: \device\mvfs (for
Multiversion File System). The policy does not validate the device path; the Endpoint Protection policy is
provided to the antimalware engine on the client which must be able to interpret the device string.
Advanced Settings
Enable reparse point scanning - Set to Yes if you want Endpoint Protection to scan NTFS reparse points.
For more information about reparse points, see Reparse Points in the Windows Dev Center.
Randomize the scheduled scan start times (within 30 minutes) - Set to Yes to help avoid flooding the
network, which can occur if all computers send their antimalware scans results to the Configuration Manager
database at the same time. This setting is also useful when you run multiple virtual machines on a single host.
Select this option to reduce the amount of simultaneous disk access for antimalware scanning.
Beginning in version 1602 of Configuration Manager, the antimalware engine may request file samples to be
sent to Microsoft for further analysis. By default, it will always prompt before it sends such samples.
Administrators can now manage the following settings to configure this behavior:
Enable auto sample file submission to help Microsoft determine whether certain detected items are
Malicious - Set to Yes to enable auto sample file submission. By default, this setting is No which means auto
sample file submission is disabled and users will be prompted before sending samples.
Allow users to modify auto sample file submission settings - This setting determines whether a user with
local administrative rights on a device can change the auto sample file submission setting in the client interface.
By default, this setting is "No" which means the settings can only be changed from within the Configuration
Manager console, and local administrators on a device cannot change this configuration.
For example, the following shows the Windows Defender setting in Windows 10 set by the administrator as
enabled, with the user not allowed to modify it (screenshot not reproduced here).
NOTE
The list of threat names might not be available immediately after the configuration of Endpoint Protection. Wait until the
Endpoint Protection point has synchronized the threat information, and then try again.
When: Windows Defender updates virus and spyware protection or definition files
Information sent: Version of virus and spyware definitions; virus and spyware protection version
How it is used: Microsoft uses this information to ensure the latest virus and spyware updates are present on
computers. If not present, Windows Defender updates automatically so computer protection stays up-to-date.
When: Windows Defender finds potentially harmful or unwanted software on computers
Information sent: Name of potentially harmful or unwanted software; how the software was found; any actions
that Windows Defender took to deal with the software; files affected by the software; information about the
computer from the manufacturer (Sysconfig, SysModel, SysMarker)
How it is used: Windows Defender uses this information to determine the type and severity of potentially
unwanted software, and the best action to take. Microsoft also uses this information to help improve the
accuracy of virus and spyware protection.
When: Once a month
Information sent: Virus and spyware definition update status; status of real-time virus and spyware monitoring
(on or off)
How it is used: Windows Defender uses this information to verify that computers have the latest virus and
spyware protection version, and the most recent virus and spyware definitions. Microsoft also wants to make
sure that real-time virus and spyware monitoring is turned on, which is a critical part of helping protect
computers from potentially harmful or unwanted software.
When: During installation, or whenever users manually perform a virus and spyware scan of the computer
Information sent: List of running processes in the computer's memory
How it is used: To identify any processes that might have been compromised by potentially harmful software.
Microsoft collects only the names of affected files, not the contents of the files themselves. This information
helps determine what systems are especially vulnerable to specific threats.
Definition Updates Settings
Set sources and order for Endpoint Protection client updates - Click Set Source to specify the sources
for definition and scanning engine updates, and to also specify the order in which they are used. If
Configuration Manager is specified as one of the sources, then the other sources are used only if software
updates fail to download the client updates.
If you use any of the following methods to update the definitions on client computers, then the client computers
must be able to access the Internet.
Updates distributed from Microsoft Update
Updates distributed from Microsoft Malware Protection Center
IMPORTANT
Clients download definition updates by using the built-in system account. You must configure a proxy server for this
account to enable these clients to connect to the Internet.
If you have configured a software updates automatic deployment rule to deliver definition updates to client computers,
these updates will be delivered regardless of the definition updates settings.
Configure Custom Client Settings for Endpoint
Protection
4/30/2018 • 7 min to read
IMPORTANT
Only configure the default Endpoint Protection client settings if you're sure that you want them applied to all computers in
your hierarchy.
IMPORTANT
You must install the Endpoint Protection site system role before you can configure client settings for Endpoint
Protection.
6. Click OK to close the Create Custom Client Device Settings dialog box. The new client settings are
displayed in the Client Settings node of the Administration workspace.
7. Before the custom client settings can be used, you must deploy them to a collection. Select the custom client
settings you want to deploy and then, in the Home tab, in the Client Settings group, click Deploy.
8. In the Select Collection dialog box, choose the collection to which you want to deploy the client settings
and then click OK. The new deployment is shown in the Deployments tab of the details pane.
Client computers will be configured with these settings when they next download client policy. To initiate policy
retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in How to
manage clients in System Center Configuration Manager.
NOTE
The Default Client Antimalware Policy can't be exported.
If you want to install the Endpoint Protection client with the latest definitions, you must download these
from the Microsoft Malware Protection Center.
NOTE
Starting in Configuration Manager 1802, Windows 10 devices do not need to have the Endpoint Protection agent
(SCEPInstall) installed. If it is already installed on Windows 10 devices, Configuration Manager will not remove it.
Administrators can remove the Endpoint Protection agent on Windows 10 devices that are running at least the 1802 client
version. SCEPInstall.exe may still be present in C:\Windows\ccmsetup on some machines but should not be downloaded on
new client installations.
How to Install the Endpoint Protection Client Software on the Reference Computer
You can install the Endpoint Protection client locally on the reference computer from a command prompt. To do so, you must
first obtain the installation file scepinstall.exe. You can also install the client with a preconfigured antimalware policy or with
an antimalware policy that you previously exported.
scepinstall.exe
NOTE
After the Endpoint Protection client installation is completed, the client automatically performs a definition update
check. If this update check succeeds, you don't have to manually install the latest definition update package.
Psexec.exe -s -i regedit.exe
IMPORTANT
Use caution while you're running the Registry Editor in this manner; the -s option in PsExec.exe runs the Registry
Editor with LocalSystem privileges.
4. In the Registry Editor, navigate to each of the following registry keys and delete them.
IMPORTANT
You must delete the registry keys as the last step before imaging the reference computer. The registry keys are
recreated when the Endpoint Protection client starts. If you restart the reference computer, you must delete the
registry keys again.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\InstallTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastQuickScanID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastFullScanID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
After you complete the preceding steps, you can prepare the reference computer for imaging. For more
information about operating system deployment in Configuration Manager, see Manage operating system images
with System Center Configuration Manager.
When an image that contains the Endpoint Protection client software is deployed, the Endpoint Protection client
will automatically report information to the Configuration Manager site to which the computer is assigned, and
policy applicable to the client computer is downloaded and applied.
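The following PowerShell is an added example, not code from the Configuration Manager documentation: it removes the registry entries listed above as the last step before imaging and then checks that none of them remain. It assumes it is run in a LocalSystem context, for instance from a PsExec session started as Psexec.exe -s -i powershell.exe in place of regedit.exe, and it treats each listed path as a registry value (the last path component) under its parent key; the page calls them keys, and that interpretation is an assumption of this script.

```powershell
# Added example in PowerShell; not from the Configuration Manager documentation.
# Removes the per-computer Endpoint Protection registry entries listed in the procedure
# above, as the last step before imaging a reference computer, then verifies the result.
# Assumption: run as LocalSystem (for example via Psexec.exe -s -i powershell.exe).
# Assumption: each path below names a value under its parent key, not a subkey.

$Entries = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\InstallTime'
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanRun'
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanType'
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastQuickScanID'
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastFullScanID'
    'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT\GUID'
)

# Returns $true when the value named by $Path is currently present.
function Test-ImagingValuePresent {
    param([Parameter(Mandatory)][string]$Path)
    $key  = Split-Path -Path $Path -Parent
    $name = Split-Path -Path $Path -Leaf
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item)
}

# Deletes the value if present; reports what happened for each entry.
function Remove-ImagingValue {
    param([Parameter(Mandatory)][string]$Path)
    $key  = Split-Path -Path $Path -Parent
    $name = Split-Path -Path $Path -Leaf
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Entry = $Path; Result = 'KeyMissing' }
    }
    if (-not (Test-ImagingValuePresent -Path $Path)) {
        return [pscustomobject]@{ Entry = $Path; Result = 'AlreadyAbsent' }
    }
    Remove-ItemProperty -LiteralPath $key -Name $name -ErrorAction Stop
    return [pscustomobject]@{ Entry = $Path; Result = 'Removed' }
}

$results = foreach ($e in $Entries) { Remove-ImagingValue -Path $e }
$results | Format-Table -AutoSize

# The client recreates these values when it starts, so confirm they are gone right before
# capturing the image; a surviving value means the reference computer is not ready.
$remaining = @($Entries | Where-Object { Test-ImagingValuePresent -Path $_ })
if ($remaining.Count -gt 0) {
    Write-Warning "Still present (do not image yet): $($remaining -join '; ')"
} else {
    Write-Output 'All listed Endpoint Protection values are absent; ready for imaging.'
}
```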
Create and deploy Windows Firewall policies for
Endpoint Protection in System Center Configuration
Manager
4/30/2018 • 2 min to read
IMPORTANT
If you want to deploy Windows Firewall policies to computers running Windows Server 2008 and Windows Vista
Service Pack 1, you must first install Hotfix KB971800 on these computers.
NOTE
For more information about network profiles, see the Windows documentation.
NOTE
If Enable Windows Firewall is not enabled, the other settings on this page of the wizard are unavailable.
Block all incoming connections, including those in the list of allowed programs
Notify the user when Windows Firewall blocks a new program
6. On the Summary page of the wizard, review the actions to be taken, and then complete the wizard.
7. Verify that the new Windows Firewall policy is displayed in the Windows Firewall Policies list.
To deploy a Windows Firewall policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows
Firewall Policies.
3. In the Windows Firewall Policies list, select the Windows Firewall policy that you want to deploy.
4. On the Home tab, in the Deployment group, click Deploy.
5. In the Deploy Windows Firewall Policy dialog box, specify the collection to which you want to assign
this Windows Firewall policy, and specify an assignment schedule. The Windows Firewall policy evaluates
for compliance by using this schedule and the Windows Firewall settings on clients to reconfigure to match
the Windows Firewall policy.
6. Click OK to close the Deploy Windows Firewall Policy dialog box and to deploy the Windows Firewall
policy.
IMPORTANT
When you deploy a Windows Firewall policy to a collection, this policy is applied to computers in a random order
over a 2 hour period to avoid flooding the network.
Windows Defender Advanced Threat Protection
4/30/2018 • 3 min to read
IMPORTANT
The Windows Defender ATP configuration file contains sensitive information which should be kept secure.
NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.
Prerequisites
Managed devices must run Windows 10 1709 Fall Creators Update or later and satisfy the following requirements
depending on the components and rules configured:
Attack Surface Reduction - Devices must have Windows Defender AV real-time protection enabled.
Controlled folder access - Devices must have Windows Defender AV real-time protection enabled.
WARNING
The XML file for exploit protection should be kept secure when transferring it between machines. The file should be
deleted after import or kept in a secure location.
Prerequisites
To create and deploy a Windows Defender Application Guard policy, you must use the Windows 10 Fall Creators
Update (1709). Also, the Windows 10 devices to which you deploy the policy must be configured with a network
isolation policy. For more information, see the Windows Defender Application Guard overview.
NOTE
Windows 10 PCs store only one network isolation list on the client. You can create two different kinds of network
isolation lists and deploy them to the client:
one from Windows Information Protection
one from Windows Defender Application Guard
If you deploy both policies, these network isolation lists must match. If you deploy lists that don’t match to the same
client, the deployment will fail. For more information, see the Windows Information Protection documentation.
6. When you are finished, complete the wizard, and deploy the policy to one or more Windows 10 1709
devices.
Host interaction settings
Configures interactions between host devices and the Application Guard container. Before Configuration Manager
version 1802, both application behavior and host interaction were under the Settings tab.
Clipboard - Under settings prior to Configuration Manager 1802
Permitted content type
Text
Images
Printing:
Enable printing to XPS
Enable printing to PDF
Enable printing to local printers
Enable printing to network printers
Graphics: (starting with Configuration Manager version 1802)
Virtual graphics processor access
Files: (starting with Configuration Manager version 1802)
Save downloaded files to host
Application behavior settings
Configures application behavior inside the Application Guard session. Before Configuration Manager version
1802, both application behavior and host interaction were under the Settings tab.
Content:
Enterprise sites can load non-enterprise content, such as third-party plug-ins.
Other:
Retain user generated browser data
Audit security events in the isolated application guard session
Next steps
To read more about Windows Defender Application Guard: Windows Defender Application Guard Overview.
Windows Defender Application Guard FAQ.
Manage antimalware policies and firewall settings
4/30/2018 • 4 min to read
TASK DETAILS
Deploy - Opens the Select Collection dialog box. Select the collection to which you want to deploy the
antimalware policy, and then choose OK.
Increase Priority - If multiple Windows Firewall policies are deployed to the same computer, they are applied
in order. Use this option to increase the priority by which the selected Windows Firewall policy is applied. Use
the Order column to view the order in which the policies are applied.
Decrease Priority - If multiple Windows Firewall policies are deployed to the same computer, they are applied
in order. Use this option to decrease the priority by which the selected Windows Firewall policy is applied. Use
the Order column to view the order in which the policies are applied.
NOTE
If any of the computers that you select do not have the Endpoint Protection client installed, the on-demand scan option is
unavailable.
NOTE
If any of the computers that you select do not have the Endpoint Protection client installed, the Download Definition
option is unavailable.
NOTE
Use the Endpoint Protection Status node under Security in the Monitoring workspace to discover clients that
have out-of-date definitions.
John reviews the available information about the basic For overview information about Endpoint Protection, see
concepts for Endpoint Protection in Configuration Manager. Endpoint Protection in System Center Configuration Manager.
PROCESS REFERENCE
John reviews and implements the required prerequisites to For information about the prerequisites for Endpoint
use Endpoint Protection. Protection, see Planning for Endpoint Protection.
John installs the Endpoint Protection site system role on one For more information about how to install the Endpoint
site system server only, at the top of the Woodgrove Bank Protection site system role, see "Prerequisites" in Configure
hierarchy. Endpoint Protection.
John configures Configuration Manager to use an SMTP For more information, see Configure alerts in Endpoint
server to send the email alerts. Protection.
John creates a device collection that contains all computers For more information about how to create collections, see
and servers to install the Endpoint Protection client. He names How to create collections in System Center Configuration
this collection All Computers Protected by Endpoint Manager
Protection.
He configures the following alerts for the collection: See "Configure Alerts for Endpoint Protection" in Configuring
Endpoint Protection in System Center Configuration Manager.
1) Malware is detected: John configures an alert severity of
Critical.
The value for Alert Severity indicates the alert level that will
be displayed in the Configuration Manager console and in
alerts that he receives in an email message.
John configures Configuration Manager software updates to For more information, see the "Using Configuration Manager
download and deploy definition updates three times a day using an automatic deployment rule. Use Configuration Manager software updates to deliver definition updates.
Software Updates to Deliver Definition Updates" section in

| Process | Reference |
| --- | --- |
| John examines the settings in the default antimalware policy, which contains recommended security settings from Microsoft. For computers to perform a quick scan every day, he changes the following settings: | See How to create and deploy antimalware policies for Endpoint Protection in System Center Configuration Manager. |
| John creates a collection that contains only the Woodgrove Bank servers, named Woodgrove Bank Servers. | See How to create collections in System Center Configuration Manager. |
| John creates a custom antimalware policy named Woodgrove Bank Server Policy. He adds only the settings for Scheduled scans and makes the following changes: | See How to create and deploy antimalware policies for Endpoint Protection in System Center Configuration Manager. |
| John deploys the Woodgrove Bank Server Policy custom antimalware policy to the Woodgrove Bank Servers collection. | See "To deploy an antimalware policy to client computers" in the How to create and deploy antimalware policies for Endpoint Protection article. |
| John creates a new set of custom client device settings for Endpoint Protection and names these Woodgrove Bank Endpoint Protection Settings. | For more information, see Configure Custom Client Settings for Endpoint Protection. |
| He configures the following settings for Endpoint Protection: Manage Endpoint Protection client on client computers: Yes | For more information, see Configure Custom Client Settings for Endpoint Protection. |
| John deploys the Woodgrove Bank Endpoint Protection Settings client settings to the All Computers Protected by Endpoint Protection collection. | See "Configure Custom Client Settings for Endpoint Protection" in Configuring Endpoint Protection in Configuration Manager. |
| John uses the Create Windows Firewall Policy Wizard to create a policy by configuring the following settings for the domain profile: 2) Notify the user when Windows Firewall blocks a new program: Yes | See How to create and deploy Windows Firewall policies for Endpoint Protection in System Center Configuration Manager. |
| John deploys the new firewall policy to the collection All Computers Protected by Endpoint Protection that he created earlier. | See "To deploy a Windows Firewall policy" in How to create and deploy Windows Firewall policies for Endpoint Protection in System Center Configuration Manager. |
| John uses the available management tasks for Endpoint Protection to manage antimalware and Windows Firewall policies, perform on-demand scans of computers when necessary, force computers to download the latest definitions, and specify any further actions to take when malware is detected. | See How to manage antimalware policies and firewall settings for Endpoint Protection in System Center Configuration Manager. |
| John uses the following methods to monitor the status of Endpoint Protection and the actions that are taken by Endpoint Protection: | See How to monitor Endpoint Protection in System Center Configuration Manager. |
John reports a successful implementation of Endpoint Protection to his manager, and confirms that the computers
at Woodgrove Bank are now protected from malware, according to the business requirements that he was
given.
Endpoint Protection Client Help
4/30/2018 • 2 min to read • Edit Online
IMPORTANT
You have to exit Internet Explorer to complete these steps. Therefore, print them, write them down, or copy them to another
file, and then bookmark this topic for future access.
NOTE
Resetting these settings in Internet Explorer deletes your temporary files, cookies, browsing history, and your online
passwords. But, your favorites are not deleted.
2. Click Start and search for inetcpl.cpl, and then press Enter.
3. In the Internet Options dialog box, click the Advanced tab.
4. Under the Reset Internet Explorer settings, click Reset, and then click Reset again.
5. Wait until Internet Explorer finishes resetting the settings, and then click OK.
6. Open Internet Explorer.
7. Open Microsoft Security Essentials, click the Update tab, and then click Update.
8. If the issue persists, proceed to the next step.
Step 2: Set Internet Explorer as the default browser
1. Exit all open programs, including Internet Explorer.
2. Click Start and search for inetcpl.cpl, and then press Enter.
3. In the Internet Options dialog box, click the Programs tab.
4. Under Default Web browser, click Make default.
5. Click OK.
6. Open Windows Defender or Endpoint Protection. Click the Update tab, and then click Update.
7. If the issue persists, proceed to the next step.
Step 3: Ensure that the date and time are set correctly on your computer
1. Open Windows Defender or Endpoint Protection.
2. If the error message that you received contains the code 0x80072f8f, the problem is most likely caused by
an incorrect date or time setting on your computer.
3. To reset your computer's date or time setting, follow the steps in Fix broken desktop shortcuts and common
system maintenance tasks (http://go.microsoft.com/fwlink/?LinkId=155579).
Step 4: Rename the Software Distribution folder on your computer
1. Stop the Automatic Updates service
a. Click Start and search for services.msc, and then click OK.
b. Right-click the Automatic Updates service, and then click Stop.
c. Minimize the Services snap-in.
2. Rename the SoftwareDistribution directory as follows:
a. Click Start and search for cmd, and then click OK.
b. Type cd %windir%, and then press Enter.
c. Type ren SoftwareDistribution SDTemp, and then press Enter.
d. Type exit, and then press Enter.
3. Start the Automatic Updates service as follows:
a. Maximize the Services snap-in.
b. Right-click Automatic Updates service, and then click Start.
c. Close the Services snap-in window.
Step 5: Reset the Microsoft antivirus update engine on your computer
1. Click Start, search for cmd, right-click Command Prompt, and then select Run as administrator.
2. In the Command Prompt window, type the following commands and press Enter after each command:
cd \
cd "Program Files\Windows Defender"
MpCmdRun -RemoveDefinitions -All
exit
3. Restart your computer.
4. Open Windows Defender or Endpoint Protection, click the Update tab, and then click Update.
5. If the issue persists, proceed to the next step.
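The same repair, as an added example that is not part of the Endpoint Protection client help: it carries out Step 4 and Step 5 above from one elevated PowerShell session instead of the Services snap-in and cmd.exe, and checks each step before moving on. Two details are assumptions rather than statements on the page: the "Automatic Updates" service is the one registered under the service name wuauserv, and MpCmdRun.exe sits in the "Program Files\Windows Defender" folder that Step 5 changes into.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Endpoint Protection client help): Step 4 and Step 5
# of the definition-update troubleshooting procedure, scripted with checks.
# Assumptions: "Automatic Updates" == service name wuauserv; MpCmdRun.exe lives in
# "$env:ProgramFiles\Windows Defender". Adjust the parameters if a client differs.

function Reset-SoftwareDistributionFolder {
    # Step 4: stop Automatic Updates, rename SoftwareDistribution to SDTemp, start the service again.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ServiceName = 'wuauserv',
        [string]$CacheFolder = (Join-Path $env:windir 'SoftwareDistribution'),
        [string]$BackupName  = 'SDTemp'
    )
    $backup = Join-Path (Split-Path -Parent $CacheFolder) $BackupName
    if (Test-Path -LiteralPath $backup) {
        # A leftover SDTemp from an earlier attempt would make the rename fail half-way.
        throw "'$backup' already exists from an earlier attempt; remove or rename it first."
    }
    if ($PSCmdlet.ShouldProcess($CacheFolder, "rename to $BackupName with $ServiceName stopped")) {
        Stop-Service -Name $ServiceName -Force                      # Step 4.1 (b): stop the service
        Rename-Item -LiteralPath $CacheFolder -NewName $BackupName  # Step 4.2 (c): ren SoftwareDistribution SDTemp
        Start-Service -Name $ServiceName                            # Step 4.3 (b): start it again
    }
    # The service recreates an empty SoftwareDistribution folder the next time it needs one,
    # so the presence of the renamed copy is the check that the step actually happened.
    return (Test-Path -LiteralPath $backup)
}

function Reset-DefinitionEngine {
    # Step 5: remove all installed definitions so the next update pulls a fresh set.
    [CmdletBinding()]
    param(
        [string]$MpCmdRun = (Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe')
    )
    if (-not (Test-Path -LiteralPath $MpCmdRun)) {
        throw "MpCmdRun.exe not found at '$MpCmdRun'; pass -MpCmdRun for this client."
    }
    & $MpCmdRun -RemoveDefinitions -All                             # Step 5.2
    if ($LASTEXITCODE -ne 0) {
        throw "MpCmdRun -RemoveDefinitions -All failed with exit code $LASTEXITCODE."
    }
    return $true
}

# Usage: run both steps, then restart (Step 5.3) and click Update on the client's Update tab (Step 5.4).
if ((Reset-SoftwareDistributionFolder) -and (Reset-DefinitionEngine)) {
    Write-Host 'Update cache renamed and definitions removed; restart the computer, then click Update.'
}
```

Both functions stop on the first failed check rather than continuing, so a rename that did not happen is not hidden behind a successful definition reset; `-WhatIf` on `Reset-SoftwareDistributionFolder` shows what would be stopped and renamed without touching the service.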
Step 6: Manually install the virus and spyware definition updates
If you are running a 32-bit Windows operating system, download the latest updates manually at
http://go.microsoft.com/fwlink/?LinkID=87342 (http://go.microsoft.com/fwlink/?LinkID=87342).
If you are running a 64-bit Windows operating system, download the latest updates manually at
http://go.microsoft.com/fwlink/?LinkID=87341 (http://go.microsoft.com/fwlink/?LinkID=87341).
Click Run. The latest updates are manually installed on your computer.
Step 7: Contact Support
If the steps did not resolve the issue, contact support. For more information, see Customer Support
(http://go.microsoft.com/fwlink/?LinkID=196174).
NOTE
Some Internet security applications do not uninstall completely. You may need to download and run a cleanup utility for your
previous security application in order for it to be completely removed.
Caution
When you remove Internet security programs, your computer is unprotected. If you have problems installing
Endpoint Protection after you remove existing Internet security programs, contact Windows Defender or
Endpoint Protection support by submitting a case online (for more information, see How to Submit a Case
Online).
Step 4: Uninstall/reinstall Endpoint Protection
1. Click Start and search for appwiz.cpl, and then press Enter.
2. In the list of installed programs, click Endpoint Protection, and then uninstall it.
3. If prompted, restart your computer, and then try to install Endpoint Protection again.
Symptoms
Installation fails for an unknown reason, or you receive an error message with an error code, such as 0x80070643,
0X8007064A, 0x8004FF2E, 0x8004FF01, 0x8004FF07, 0x80070002, 0x8007064C, 0x8004FF00, 0x80070001,
0x80070656, 0x8004FF40, 0xC0000156, 0x8004FF41, 0x8004FF0B, 0x8004FF11, 0x80240022, 0x8004FF04,
0x80070660, 0x800106B5, 0x80070715, 0x80070005, 0x8004EE00, 0x8007003, 0x800B0100, 0x8007064E, or
0x8007007E.
If your computer is running Windows XP Service Pack 2 (SP2), you might see one or more of the following error
messages:
Installation Wizard is missing a filter manager rollup package needed to complete the installation.
KB914882 Setup Error, Setup cannot update your Windows XP files because the language installed on your
system is different from the update language.
Cause
Endpoint Protection cannot be installed on a computer that is running other security programs. Sometimes,
even if you remove other security programs, they do not completely uninstall. You must be running a
genuine version of the Windows operating system to install Endpoint Protection.
Solution
IMPORTANT
You will need to restart your computer while resolving this issue. Bookmark this page (mark it as a Favorite) to make it easier
to find this topic again or print it for easy reference.
NOTE
There is no indication that this command has succeeded or failed.
6. Install Endpoint Protection again. If this does not resolve the issue, continue to the next step.
Step 3: Start Windows in Selective Startup mode
1. Click Start and search for msconfig, and then press Enter.
2. On the General tab, click Selective Startup, and then clear the Load Startup Items check box.
3. On the Services tab, select the Hide All Microsoft Services check box, and then clear all the check boxes
for the services that remain in the list.
4. Click OK, and then click Restart to restart the computer.
5. Try to install Endpoint Protection again.
See also
Endpoint Protection client frequently asked questions
Endpoint Protection Client Help
Endpoint Protection client frequently asked questions
4/30/2018 • 18 min to read • Edit Online
Using the real-time protection option, Windows Defender monitors your computer all the time and checks for any malicious files or programs that you may have downloaded. This monitoring feature means that Windows Defender doesn't need to slow down your browsing or e-mail experience by requiring a check of any files or programs you may want to download.
|Monitor file and program activity on your computer|This option monitors when files and programs start running on your computer, and then it alerts you about any actions they perform and actions taken on them. This is important, because malicious software can use vulnerabilities in programs that you have installed to run malicious or unwanted software without your knowledge. For example, spyware can run itself in the background when you start a program that you frequently use. Windows Defender monitors your programs and alerts you if it detects suspicious activity.|
|Enable behavior monitoring|This option monitors collections of behavior for suspicious patterns that might not be detected by traditional antivirus detection methods.|
|Enable Network Inspection System|This option helps protect your computer against "zero day" exploits of known vulnerabilities, decreasing the window of time between the moment a vulnerability is discovered and an update is applied.|
Scanning options - You can use Windows Defender to scan for potential threats, such as viruses, spyware,
and other malicious software that might put your computer at risk. You can also use it to schedule scans on
a regular basis and to remove malicious software that is detected during a scan.
Microsoft Active Protection Service community - The online Microsoft Active Protection Service
community helps you see how other people respond to software that has not yet been classified for risks.
You can use this information to help you choose whether to allow this software on your computer. In turn, if
you participate, your choices are added to the community ratings to help other people decide what to do.
NOTE
During computer cleanup, whenever possible, Windows Defender removes only the infected part of a file, not the entire file.
What is a virus?
Computer viruses are software programs deliberately designed to interfere with computer operation, to record,
corrupt, or delete data, or to infect other computers throughout the Internet. Viruses often slow things down and
cause other problems in the process.
What is spyware?
Spyware is software that can install itself or run on your computer without getting your consent or providing you
with adequate notice or control. Spyware might not display symptoms after it infects your computer, but many
malicious or unwanted programs can affect how your computer runs. For example, spyware can monitor your
online behavior or collect information about you (including information that can identify you or other sensitive
information), change settings on your computer, or cause your computer to run slowly.
|Scan all downloads|This option monitors files and programs that are downloaded, including files that are automatically downloaded via Windows Internet Explorer and Microsoft Outlook® Express, such as ActiveX® controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Malicious software, including viruses, spyware, and other potentially unwanted software, can be included with these files and installed without your knowledge.|
|Monitor file and program activity on your computer|This option monitors when files and programs start running on your computer, and then it alerts you about any actions they perform and actions taken on them. This is important, because malicious software can use vulnerabilities in programs that you have installed to run malicious or unwanted software without your knowledge. For example, spyware can run itself in the background when you start a program that you frequently use. Windows Defender monitors your programs and alerts you if it detects suspicious activity.|
|Enable behavior monitoring|This option monitors collections of behavior for suspicious patterns that might not be detected by traditional antivirus detection methods.|
|Enable Network Inspection System|This option helps protect your computer against "zero day" exploits of known vulnerabilities, decreasing the window of time between the moment a vulnerability is discovered and an update is applied.|
TIP
If you don't see the Windows Defender icon in the notification area, click the arrow in the notification area to show hidden
icons, including the Windows Defender icon.
Introduction
Device Guard is a group of Windows 10 features that are designed to protect PCs against malware and other
untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know,
can be run.
Device Guard encompasses both software and hardware-based security functionality. Windows Defender
Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run
on a PC. On its own, Application Control does not have any hardware or firmware prerequisites. Application
Control policies deployed with Configuration Manager enable a policy on PCs in targeted collections that meet the
minimum Windows version and SKU requirements outlined in this article. Optionally, hypervisor-based protection
of Application Control policies deployed through Configuration Manager can be enabled through Group Policy on
capable hardware.
To learn more about Device Guard, read the Device Guard deployment guide.
NOTE
Beginning with Windows 10, version 1709, configurable code integrity policies are known as Windows Defender Application
Control.
TIP
In this version of Configuration Manager, Device Guard is a pre-release feature. To enable it, see Pre-release features in
System Center Configuration Manager.
IMPORTANT
These items do not include any software that is not built into Windows and that updates itself automatically from the internet, or third-
party software updates, whether they are installed via any of the update mechanisms mentioned previously or from the
internet. Only software changes that are deployed through the Configuration Manager client can run.
IMPORTANT
The inclusion of trusted files or folders is only supported on client PCs running version 1706 or later of the Configuration
Manager client. If any inclusion rules are included in a Windows Defender Application Control policy and the policy is then
deployed to a client PC running an earlier version of the Configuration Manager client, the policy will fail to be applied.
Upgrading these older clients will resolve this issue. Policies that do not include any inclusion rules may still be applied on
older versions of the Configuration Manager client.
NOTE
If you deploy multiple company resource access profiles to the same user, the following behavior occurs:
If a conflicting setting contains an optional value, it will not be sent to the device.
If a conflicting setting contains a mandatory value, the default value will be sent to the device. If there is no
default value, the entire company resource access profile will fail. For example, if you deploy two email profiles to
the same user and the values specified for Exchange ActiveSync host or Email address are different, then both
email profiles will fail as they are mandatory settings.
Before you can deploy certificate profiles, you must first configure the infrastructure and create certificate profiles.
For more information, see the following topics:
Configuring certificate infrastructure in System Center Configuration Manager
How to create certificate profiles in System Center Configuration Manager
IMPORTANT
When a VPN profile deployment is removed, it is not removed from client devices. If you want to remove the profile from
devices, you must manually remove it.
Deploying profiles
1. In the System Center Configuration Manager console, choose Assets and Compliance.
2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource
Access, and then choose the appropriate profile type, such as Wi-Fi Profiles.
3. In the list of profiles, select the profile that you want to deploy, and then in the Home tab, in the
Deployment group, click Deploy.
4. In the deploy profile dialog box, specify the following information:
Collection - Click Browse to select the collection where you want to deploy the profile.
Generate an alert - Enable this option to configure an alert that is generated if the profile
compliance is less than a specified percentage by a specified date and time. You can also specify
whether you want an alert to be sent to System Center Operations Manager.
Random delay (hours): (Only for certificate profiles that contain Simple Certificate Enrollment
Protocol settings) Specifies a delay window to avoid excessive processing on the Network Device
Enrollment Service. The default value is 64 hours.
Specify the compliance evaluation schedule for this profile - Specify the schedule by which
the deployed profile is evaluated on client computers. The schedule can be either a simple or a
custom schedule.
NOTE
The profile is evaluated by client computers when the user logs on.
NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.
Configuration Manager integrates with Windows Hello for Business in two ways:
You can use Configuration Manager to control which gestures users can and cannot use to sign in.
You can store authentication certificates in the Windows Hello for Business key storage provider (KSP). For
more information, see Certificate profiles.
You can deploy Windows Hello for Business policies to domain-joined Windows 10 devices that run the
Configuration Manager client. This configuration is described in the Configure Windows Hello for Business
on domain-joined Windows 10 devices section. When you use Configuration Manager with Microsoft
Intune (hybrid), you can configure these settings on Windows 10, and Windows 10 Mobile devices. For
more information, see Configure Windows Hello for Business settings (hybrid).
WARNING
While the hotfix is not required for Configuration Manager 1610 and Windows 10 Anniversary Update, it may be installed. If
the hotfix is installed, you need to configure permissions and apply Windows Server 2016 schema to Active Directory.
To configure permissions
1. Sign in to a domain controller or management workstation with Domain Admin, or equivalent, credentials.
2. Open Active Directory Users and Computers.
3. From the navigation pane, right-click your domain name, and then click Properties.
4. On the Security tab of the Properties dialog box, click Advanced. If the Security tab is not displayed, turn on
Advanced Features from the View menu of Active Directory Users and Computers.
5. Click Add.
6. In the Permission Entry for dialog box, click Select a principal.
7. In the Select User, Computer, Service Account, or Group dialog box, type Key Admins in the Enter the
object name to select text box. Click OK.
8. From the Applies to list, select Descendant User objects.
9. Scroll to the bottom of the page and click Clear all.
10. In the Properties section, select Read msDS-KeyCredentialLink.
11. Click OK three times to complete the task.
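A way to verify the result of steps 1 to 11, as an added example that is not part of the Configuration Manager documentation: the GUI steps create one access control entry on the domain root, allowing Key Admins to read the msDS-KeyCredentialLink property on descendant user objects. The script below looks that entry up and reports whether it is present, and can also create it through the same .NET type the GUI uses. It assumes the ActiveDirectory PowerShell module (for its AD: drive and the Get-AD* cmdlets) and that the Windows Server 2016 schema, which defines the Key Admins group, has been applied as the warning above requires; the function names are the example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the Configuration Manager documentation). Checks, and on
# request creates, the ACE that the GUI steps above produce at the domain root:
#   Allow  Key Admins  Read property msDS-KeyCredentialLink  on Descendant User objects
# Assumes the ActiveDirectory module and a domain whose schema defines Key Admins.

Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolves an attribute or class to its schemaIDGUID instead of hard-coding GUIDs.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found; is the Windows Server 2016 schema applied?" }
    return [guid]$obj.schemaIDGUID
}

function Get-KeyCredentialLinkAceParts {
    param([string]$GroupName)
    [pscustomobject]@{
        AttributeGuid = Get-SchemaGuid 'msDS-KeyCredentialLink'   # ObjectType of the ACE
        UserClassGuid = Get-SchemaGuid 'user'                     # InheritedObjectType: "Descendant User objects"
        GroupSid      = (Get-ADGroup -Identity $GroupName).SID    # principal the ACE is granted to
    }
}

function Test-KeyCredentialLinkAce {
    # Returns an object whose AcePresent property says whether the expected entry exists.
    [CmdletBinding()]
    param(
        [string]$DomainDN  = (Get-ADRootDSE).defaultNamingContext,
        [string]$GroupName = 'Key Admins'
    )
    $parts = Get-KeyCredentialLinkAceParts -GroupName $GroupName
    $acl   = Get-Acl -Path "AD:\$DomainDN"
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) -and
        $_.ObjectType -eq $parts.AttributeGuid -and
        $_.InheritedObjectType -eq $parts.UserClassGuid -and
        $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $parts.GroupSid
    }
    [pscustomobject]@{ DomainDN = $DomainDN; Group = $GroupName; AcePresent = [bool]$match }
}

function Add-KeyCredentialLinkAce {
    # Creates the same ACE the GUI steps create; supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DomainDN  = (Get-ADRootDSE).defaultNamingContext,
        [string]$GroupName = 'Key Admins'
    )
    $parts = Get-KeyCredentialLinkAceParts -GroupName $GroupName
    $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $parts.GroupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $parts.AttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $parts.UserClassGuid)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess("AD:\$DomainDN", "grant $GroupName Read msDS-KeyCredentialLink on descendant user objects")) {
        Set-Acl -Path "AD:\$DomainDN" -AclObject $acl
    }
}

# Usage: audit first; only add the entry if the audit reports it missing.
$state = Test-KeyCredentialLinkAce
$state
if (-not $state.AcePresent) { Add-KeyCredentialLinkAce -WhatIf }
```

Resolving both GUIDs from the schema at run time keeps the check correct on any forest, and matching on the inherited object type as well as the attribute is what distinguishes the entry the steps create from a broader read grant that would also satisfy a looser test.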
Next steps
For more information, see Certificate profiles.
Add Terms and Conditions with System Center
Configuration Manager
4/30/2018 • 4 min to read • Edit Online
NOTE
If you deploy a set of terms to multiple user collections to which a user belongs, that user will see multiple copies of
identical terms when opening Company Portal. Since users can only accept or decline all terms, there is no danger of
being in an ambiguous acceptance state where the user has both accepted and rejected the terms. The Terms and
Conditions acceptance report will include only one row for each set of terms for each user, so there is no error in the
report.
IMPORTANT
A profile is not evaluated if it is not applicable on a client device; however, it is returned as compliant.
Error: Displays a list of all errors for the selected profile deployment that is based on the number of
affected assets. You can double-click a rule to create a temporary node under the Users node of the
Assets and Compliance workspace, which contains all users that generated errors with this profile.
When you select a user, the Asset Details pane displays the users that are affected by the selected
issue. Double-click a user in the list to display additional information about the issue.
Non-Compliant: Displays a list of all noncompliant rules within the profile that is based on the
number of affected assets. You can double-click a rule to create a temporary node under the Users
node of the Assets and Compliance workspace, which contains all users that are not compliant with
this profile. When you select a user, the Asset Details pane displays the users that are affected by the
selected issue. Double-click a user in the list to display further information about the issue.
Unknown: Displays a list of all users that did not report compliance for the selected profile
deployment together with the current client status of the devices.
5. On the Deployment Status page, you can review detailed information about the compliance of the
deployed profile. A temporary node is created under the Deployments node that helps you find this
information again quickly.
IMPORTANT
You must use a wildcard (%) character when you use the parameters Device filter and User filter in the compliance settings
reports.
For more information about how to configure reporting in System Center Configuration Manager, see Reporting
in System Center Configuration Manager.
How to monitor certificate profiles in System Center
Configuration Manager
4/30/2018 • 3 min to read • Edit Online
IMPORTANT
A certificate profile is not evaluated if it is not applicable on a client device. However, it is returned as
compliant.
Error: Displays a list of all errors for the selected certificate profile deployment based on the number
of assets that are affected. You can double-click a rule to create a temporary node under the Users
node of the Assets and Compliance workspace. This node contains all users that generated errors
with this profile. When you select a user, the Asset Details pane displays the users that are affected
by the selected issue. Double-click a user in the list to display more information about the issue.
Non-Compliant: Displays a list of all noncompliant rules within the certificate profile based on the
number of assets that are affected. You can double-click a rule to create a temporary node under the
Users node of the Assets and Compliance workspace. This node contains all users that are not
compliant with this profile. When you select a user, the Asset Details pane displays the users that are
affected by the selected issue. Double-click a user in the list to display further information about the
issue.
Unknown: Displays a list of all users that did not report compliance for the selected certificate
profile deployment together with the current client status of the devices.
4. On the Deployment Status page, review detailed information about the compliance of the deployed
certificate profile. A temporary node is created under the Deployments node that helps you find this
information again quickly.
The enrollment status of the certificate is displayed as a number. Use the following table to understand what
each number means:
0x00000040: The status information has been skipped. This can occur if a certification authority is not valid or has not been selected for monitoring.
IMPORTANT
You must use a wildcard (%) character when you use the parameters Device filter and User filter in the reports for
compliance settings.
To monitor SCEP certificate compliance, use these certificate reports under the report node Company Resource
Access:
Certificate issuance history
List of assets with certificates nearing expiry
List of assets by certificate issuance status
For more information about how to configure reporting in System Center Configuration Manager, see Reporting
in System Center Configuration Manager.
How to monitor Endpoint Protection status
4/30/2018 • 3 min to read • Edit Online
IMPORTANT
Collections are available for selection in the following cases:
When you select View this collection in the Endpoint Protection dashboard on the Alerts tab of the
<collection name> Properties dialog box.
When you deploy an Endpoint Protection antimalware policy to the collection.
When you enable and deploy Endpoint Protection client settings to the collection.
4. Review the information that is displayed in the Security State and Operational State sections. You can
click any status link to create a temporary collection in the Devices node in the Assets and Compliance
workspace. The temporary collection contains the computers with the selected status.
IMPORTANT
Information that is displayed in the Endpoint Protection Status node is based on the last data that was
summarized from the Configuration Manager database and might not be current. If you want to retrieve the latest
data, on the Home tab, click Run Summarization, or click Schedule Summarization to adjust the summarization
interval.
Top Users By Threats: Displays a list of users with the largest number of detected threats.
User Threat List: Displays a list of threats that were found for a specified user account.