Deploying SCEP clients with SCCM 2012

One of the biggest differences between SCEP and its predecessor FEP is the way in which the clients are deployed. FEP clients were deployed using an SCCM 2007 software package and an advertisement. While the system of software packages and advertisements persists in SCCM 2012, it is not used at all to deploy SCEP clients.

Instead, Microsoft has bundled the SCEP client within the SCCM 2012 client. The SCCM client agent settings determine whether or not a client PC is running SCEP. Changing the Endpoint Protection settings in the options for Client Agents essentially amounts to flipping a switch that tells a targeted computer to go ahead and use the SCEP client it already has.

In previous versions of SCCM, it was possible to have only one set of client agent settings; in SCCM 2012, you can have multiple sets of client settings and limit each of them to a given collection. So rather than modifying the default client settings policy, and thereby deploying SCEP to every system with an SCCM 2012 client, we will be using a custom client settings policy and limiting our initial SCEP deployment to a smaller subset of PCs.

This is commonly referred to as a pilot deployment. Limiting the number of PCs to which we initially deploy SCEP will help you verify your deployment plan and identify any issues with SCEP running on your organization's computers. It is always a best practice for a pilot to select a group of workstations and servers that represents a good cross section of your organization's overall user base.

Getting ready

To complete this recipe, you will need to be using an account which has full SCCM admin privileges. It's also recommended that you've identified which PCs and servers will be in the pilot group and that you've placed them together in an SCCM collection.

How to do it...

Follow these steps:

  1. Log into your SCCM CAS server and launch the SCCM 2012 management console.
  2. Navigate to Administration | Overview | Client Settings.
  3. Click on the Create Custom Client Device Settings button at the top of the interface.
  4. The Create Custom Client Device Settings window will pop up; enter a Name and check the box next to Endpoint Protection, as shown in the following screenshot:
  5. Next, select Endpoint Protection from the menu on the left-hand side. The screen displays all of the Custom Device Settings that apply to SCEP, as shown in the following screenshot:
  6. Change the value for Manage Endpoint Protection client on client computers from False to True.
  7. This should cause all of the True or False options in this window to switch to True. If, for some reason, this does not happen, set them all to True manually.
  8. Click on OK to close the window, and your new custom client settings policy should be added to the list of client settings. Refer to the following screenshot:
  9. Now it's time to deploy the client settings policy that we just created. To do this, right-click on the new policy and select Deploy.
  10. The Select Collection window will pop up. Search through the list of collections and find the collection you created for this pilot. Click on OK to close the window.

How it works...

As the default setting in the default client settings policy is False for the option to enable SCEP, you must either change this setting to True (which will take effect for every SCCM client on your network) or create a custom client settings policy that enables SCEP.

As client settings policies are cumulative, any settings you've customized in the default policy will also go into effect. Only PCs that are a part of the pilot systems collection will receive the additional settings you enabled in the custom policy. SCCM uses a system of precedence for client settings policies, in which a policy with a numerically lower priority value wins out over a policy with a numerically higher priority value. The default client settings policy has a priority value of 10,000 and the new policy we created in this recipe has a value of 1, meaning that if there are any conflicting settings, the new custom policy gets its way.
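The cumulative merge and the priority rule described above can be modelled in a few lines. This is an added illustration, not SCCM code or anything from the product; the collection names and the second setting are constructed for the example, while the priority values 10,000 and 1 and the Endpoint Protection setting name come from this recipe.

```python
# Added illustration: models the precedence rules described above; not SCCM code.
from dataclasses import dataclass

DEFAULT_PRIORITY = 10_000  # priority of the default client settings policy
MANAGE_SCEP = "Manage Endpoint Protection client on client computers"

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                         # numerically lower value wins a conflict
    settings: dict
    collections: frozenset = frozenset()  # empty = default policy, applies to all

def resultant_settings(device_collections, policies):
    """Return {setting: (value, winning policy name)} for one device."""
    member = set(device_collections)
    applicable = [p for p in policies
                  if not p.collections or p.collections & member]
    result = {}
    # Apply the weakest policy first so that stronger (lower-numbered)
    # policies overwrite only the settings they actually define.
    for p in sorted(applicable, key=lambda p: p.priority, reverse=True):
        for key, value in p.settings.items():
            result[key] = (value, p.name)
    return result

# Constructed sample data; collection names and the inventory setting are hypothetical.
POLICIES = [
    Policy("Default Client Settings", DEFAULT_PRIORITY,
           {MANAGE_SCEP: False, "Hardware inventory enabled": True}),
    Policy("SCEP Pilot", 1, {MANAGE_SCEP: True},
           frozenset({"SCEP Pilot Systems"})),
]

def scep_enabled(device_collections, policies=POLICIES):
    """True if the resultant policy for this device turns SCEP management on."""
    return resultant_settings(device_collections, policies)[MANAGE_SCEP][0]

if __name__ == "__main__":
    for name, colls in [("pilot PC", ["All Systems", "SCEP Pilot Systems"]),
                        ("other PC", ["All Systems"])]:
        for key, (value, source) in resultant_settings(colls, POLICIES).items():
            print(f"{name}: {key} = {value}  (from {source})")
```

Running it shows the pilot PC with SCEP management set to True from the custom policy while still inheriting the customized default setting, and the non-pilot PC left at False.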

As the installation media or bits for the SCEP client are bundled with the SCCM 2012 client, we will not need to push any other software to the systems in the pilot group.

If the pilot is successful (which I'm sure it will be), and you've made the decision to go production-wide with your SCEP deployment, all that you will need to do is modify the SCEP settings in the default client settings policy, just as we did for the custom policy in this recipe.
