Modifying SCEP default client settings

The title of this section refers to an SCCM client's default settings that pertain to SCEP. These settings cover things such as whether the SCEP client is installed and whether an existing AV client will be removed to make way for SCEP. Keep in mind that this is different from your default SCEP policy, which controls things such as scan times and custom exclusions.

One important thing to remember is that the baseline Default Client Settings policy will be enforced on every system in your SCCM environment, so exercise caution when modifying this policy. Let's say, for example, that you were to change the Install Endpoint Protection client on client computers setting to True. This would result in SCEP being automatically installed on every computer on your network with an SCCM 2012 client. For this reason, this recipe will walk you through the process of creating a Custom Client Device Settings policy and enforcing it on a collection for just a subset of your systems.

Getting ready

To complete this recipe, you will need a user account with full SCCM administration privileges. Default Client Settings do not fall under the purview of the Endpoint Protection Administrator role assignment. If your intention is to deploy SCEP to a limited number of test systems, it is recommended that you create a custom collection containing the target systems before going through this recipe.

How to do it...

Follow these steps:

  1. Log in to the CAS server and open the Configuration Manager Console.
  2. Navigate to the Administration workspace, open the Client Settings object, and click on the Create Custom Client Device Settings button at the top left-hand side of the user interface. The Create Custom Client Device Settings window should appear like the following screenshot:
  3. To begin modifying the policy, provide a Name and Description, select Endpoint Protection from the list of options, and then select Endpoint Protection from the column in the left-hand pane.
  4. You should now be able to view the Custom Device Settings window for Endpoint Protection. Change the Manage Endpoint Protection client on client computers setting to True. Refer to the following screenshot:
  5. Leave the other settings as they are and click on OK to close the wizard. The Custom Device Settings policy you just created should now be viewable beneath the original Default Client Settings policy.
  6. Right-click on the new policy that you created and select Deploy. From the list of collections, select the collection to which you want this policy to apply and click on OK. Refer to the following screenshot:

How it works...

The settings we've been modifying in this recipe are all related to the deployment of the SCEP client and will take effect whenever a computer is migrated from SCCM 2007 to SCCM 2012, or when the SCCM client is installed for the first time. It's important to note that deployment of the SCEP client is very different procedurally from previous versions. Any system that receives the SCCM 2012 client will receive the installation media or bits for SCEP, which are bundled with the SCCM client.

Modifying the Custom Device Settings option for Install Endpoint Protection client on client computers to True basically equates to flipping a switch on the target computer to use the installation media it already has.

The option for Disable alternate sources for initial definition update on client computers directly addresses an issue seen when deploying the FEP (the previous version) client to a large number of computers simultaneously, which could cause network saturation. This was caused by many clients reaching out to any available source at the same time to get their initial definition file (which is very large, 70 to 80 MB). This setting forces all your new clients to get their first definition file as an SCCM package, thereby allowing you to control the flow of data and leverage all of SCCM's package delivery capabilities.

Just make sure that if you're going to make use of this option, you have set up a definition delivery package ahead of time (which is covered in Chapter 2, Planning and rolling information, of this book). Otherwise, you could have freshly installed SCEP clients sitting out there with no definitions and therefore unprotected.
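
The recipe's steps and the two cautions above (leave Default Client Settings alone, and prepare the definition package before disabling alternate sources) can also be scripted. This is an added example, not part of the original recipe: it assumes a console version whose ConfigurationManager PowerShell module provides these cmdlets, a session already connected to the site drive, and placeholder policy and collection names.

```powershell
# Added example. Assumes the ConfigurationManager module is loaded and the
# current location is the site drive. Names below are placeholders.
[CmdletBinding()]
param(
    [string]$SettingName    = 'SCEP Pilot Client Settings',   # placeholder
    [string]$CollectionName = 'SCEP Pilot Systems',           # placeholder
    [switch]$DisableAlternateSources,   # force first definitions via SCCM package
    [switch]$DefinitionPackageReady     # operator confirms that package exists
)

$ErrorActionPreference = 'Stop'

# Never touch the baseline policy: it is enforced on every SCCM client.
if ($SettingName -eq 'Default Client Settings') {
    throw 'Refusing to modify Default Client Settings; use a custom policy.'
}

# The target collection must exist before anything is created or deployed.
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    throw "Collection '$CollectionName' not found."
}

# Without a definition delivery package, this option leaves freshly
# installed SCEP clients with no definitions.
if ($DisableAlternateSources -and -not $DefinitionPackageReady) {
    throw 'Set up the definition delivery package first, then pass -DefinitionPackageReady.'
}

# Steps 2-3: create the custom device settings policy if it is missing.
if (-not (Get-CMClientSetting -Name $SettingName)) {
    New-CMClientSetting -Name $SettingName -Type Device `
        -Description 'Enables SCEP management for the pilot collection' | Out-Null
}

# Step 4: "Manage Endpoint Protection client on client computers" = True.
$ep = @{ Name = $SettingName; Enable = $true }
if ($DisableAlternateSources) { $ep.DisableFirstSignatureUpdate = $true }
Set-CMClientSettingEndpointProtection @ep

# Step 6: deploy the policy to the pilot collection only.
Start-CMClientSettingDeployment -ClientSettingName $SettingName `
    -CollectionName $CollectionName
```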
