Preparing your environment for SCEP

SCEP works on a wide range of Microsoft operating systems and almost any flavor of Windows run by a modernized organization. The quick rule of thumb is: if the system can handle an SCCM 2012 client (Windows XP SP2 for x64 and SP3 for x86, or above), it can run the SCEP client. It is essential to identify any legacy systems that will not support SCEP and plan accordingly.

Although SCEP does a great job of removing a competing AV client before it installs itself, it's a good idea to make sure that your current AV is not going to impede the installation of SCEP in any way.

This recipe contains a series of questions that will assist you in determining your level of preparedness before deploying SCEP. As mentioned in Chapter 2, Planning and Rolling Installation, if your systems already have an SCCM 2012 client installed, then they already have the installation media for SCEP on their hard drive. What we are preparing to do here is, effectively, just flipping the switch on the install.

Getting ready

To complete this recipe, you should be familiar with your current AV and its policy configuration. To remediate any shortcomings that you identify, you will likely need administrator-level access to your current AV's management console and SCCM.

How to do it...

By working through each of the following items, important preparation tasks will be identified:

  1. Do the workstations to which you are deploying SCEP have an SCCM 2012 client installed on them? If not, will they support an SCCM 2012 client?
  2. Is your current AV solution one of the following?
    • Symantec Endpoint Protection Version 11
    • Symantec Endpoint Protection Small Business Edition Version 12
    • Symantec Corporate Edition Version 10
    • McAfee Virus Scan Enterprise Version 8.5, Version 8.7, and its agent
    • Forefront Client Security Version 1 and the Operations Manager agent
    • Trend Micro Office Scan Version 8 and Version 10
    • All current Microsoft anti-malware products except for Windows Intune and Microsoft Security Essentials
    If not, reach out to your vendor's technical support to acquire an uninstallation tool.
  3. If the current AV is one of the products that is supported for automatic removal, does your current policy enforce tamper proofing? For example, Symantec can require a password for uninstallation, or McAfee EPO can enforce reinstallation if its client is removed.
  4. Are you utilizing a Firewall provided by your current AV vendor?

How it works...

The items in the preceding recipe are designed to help you identify any potential pitfalls to a successful SCEP deployment.

The first item is meant for you to consider the proliferation of SCCM 2012 to your deployment targets. It's okay to deploy the SCCM 2012 client software and SCEP at the same time. The thing to consider is that if a machine must support SCCM 2012 to utilize SCEP, older systems, such as Windows 2000 and Windows XP SP2 or below, will need to be either upgraded or phased out. If neither of these options is feasible, it is recommended that you reach out to your Microsoft salesperson and acquire licenses for Forefront Client Security, the predecessor to FEP and SCEP. FCS is still supported (as of the writing of this book) and will work on most legacy systems.

If your current AV is one of the products listed in the second item, then your removal procedures will be a snap. If not, it's going to be more difficult. The best thing to do is reach out to your current vendor and ask for a removal tool (VBS script, EXE, bat file, and so on). They should have such a tool to share with you, though keep in mind that for security purposes, vendors typically don't make removal tools available through their website. Once you've got the tool, you should run some trials to ensure its effectiveness. If it functions as advertised, you'll need to build a custom SCEP deployment method, which will be discussed later in the book.

Most corporate AV solutions have some kind of tamper protection to keep users or malicious processes from removing them easily. You'll want to make sure these protections are lifted before deploying SCEP. A good practice is to remove tamper protection only for the subset of computers to which you're planning to deploy SCEP in the near future, rather than lifting the tamper protection for every PC in your company all at once.

The fourth item asks if you are currently using an endpoint firewall that is part of your overall anti-virus solution. SCEP is designed to utilize the Windows Firewall with Advanced Security. If you are using a firewall solution from Symantec, for example, you will need to plan on implementing the Windows Firewall to replace its functionality. Any custom exclusion you've made to the Symantec Endpoint Firewall would need to be added to the Windows Firewall policy. The best way to administer your Windows Firewalls is through Group Policy Objects.
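
The facts behind items 1, 2, and 4 can be collected on each workstation with a short script. The following PowerShell is an added example, not code from the book: the function name Test-ScepReadiness and the name patterns in $autoRemovable are constructed for illustration, and matching on a product's display name is an assumption that does not confirm the installed version. Tamper proofing (item 3) is vendor specific and still has to be checked in the AV management console.

```powershell
# Added example: local SCEP readiness check for items 1, 2 and 4 of the recipe.
# Run in Windows PowerShell on the workstation being assessed.

# Constructed name patterns for the third-party products the recipe lists as
# automatically removable. Microsoft products and exact versions are not
# covered here and must be confirmed by hand.
$autoRemovable = 'Symantec', 'McAfee VirusScan', 'Forefront Client Security',
                 'OfficeScan', 'Office Scan'

function Test-ScepReadiness {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Item 1: the SCCM client runs as the CcmExec service and exposes its
    # version through the SMS_Client class in the root\ccm namespace.
    $ccmService = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $ccmClient  = Get-WmiObject -Namespace root\ccm -Class SMS_Client -ErrorAction SilentlyContinue

    # Items 2 and 4: products registered with Windows Security Center.
    # root\SecurityCenter2 exists on client editions from Vista onward; where
    # it is missing the queries return nothing and a manual check is needed.
    $av = @(Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    $fw = @(Get-WmiObject -Namespace root\SecurityCenter2 -Class FirewallProduct -ErrorAction SilentlyContinue)

    $avReport = foreach ($product in $av) {
        $name = $product.displayName
        $hit  = $autoRemovable | Where-Object { $name -like "*$_*" }
        New-Object PSObject -Property @{
            Product              = $name
            ListedForAutoRemoval = [bool]$hit   # name match only, version unverified
        }
    }

    New-Object PSObject -Property @{
        Computer                   = $env:COMPUTERNAME
        OS                         = $os.Caption
        ServicePack                = $os.ServicePackMajorVersion
        SccmClientInstalled        = [bool]$ccmService
        SccmClientVersion          = $ccmClient.ClientVersion
        AntiVirus                  = $avReport
        RegisteredFirewallProducts = @($fw | ForEach-Object { $_.displayName })
    }
}

Test-ScepReadiness | Format-List
```

Any entry under RegisteredFirewallProducts that belongs to your AV vendor means its exclusions need to be carried over to the Windows Firewall policy before SCEP is deployed.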
