The creation of anti-virus policies is probably the most critical task that any AV administrator is charged with. If the policy is too restrictive, then computers, and in turn, the end users, will be negatively impacted. Conversely, if the AV policy is too lenient, your computers will have an increased risk of becoming infected by malware.
Fortunately, SCEP provides many tools to make this constant balancing act a little easier for administrators. This recipe will guide you through the process of creating and modifying a SCEP policy for an average laptop user, who works while connected to both the corporate network and remote networks.
The policy presented in this recipe is meant to serve as a reference. Although the level of protection it offers is balanced with a minimal impact on the client PC, it should not be taken as a list of best practice settings for every organization. Your corporate security standards may dictate that you adhere to a different level of protection.
To complete this recipe, you will need a user account with at least SCEP administrator role privileges.
Follow these steps:
SCEP policies play a vital role in ensuring that your SCEP clients are both effectively protecting your systems from malware and, at the same time, maintaining an optimal level of performance. One of the biggest advantages to having an anti-malware solution that's tightly integrated with SCCM is that it allows you to effortlessly manage the deployment of AV policies. Once you've built a policy and deployed it to a collection, you can be certain that all the systems in that collection will receive the policy in short order.
In addition to the aspects of SCEP policies that are discussed in the recipe, below is some additional information on SCEP policies that will be useful to you.
As an SCEP client will undoubtedly be a member of multiple collections within SCCM and you may have different SCEP policies assigned to these collections, it is necessary to implement a system of policy precedence. SCEP policy precedence can be modified by navigating to Assets and Compliance | Overview | Endpoint Protection | Antimalware Policies and right-clicking on a policy to either increase or decrease its priority.
Refer to the following screenshot:
One of the most beloved features of the previous version of SCEP (Forefront Endpoint Protection) was the use of server policy templates. Microsoft wisely adapted all of its best practices for OS-level anti-virus running on its major application servers (Exchange, SQL, SharePoint, and so on) into a set of preconfigured FEP policies that you could select from a simple drop-down menu.
At first glance, it might seem as if this feature has been removed in SCEP, but while the process is no longer as simple as selecting a preset policy from a drop-down menu, the policy templates for servers are still included with SCEP.
To utilize them, simply click on the Import button at the top of the screen in Assets and Compliance | Overview | Endpoint Protection | Antimalware Policies. It should automatically take you to the folder location where policy templates are stored. If you do not see the list of policy template XML files, navigate to %instaldir%\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates; this is their default folder location.
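The same template import can be scripted from a machine with the Configuration Manager console installed. The following is an added example, not part of the original recipe; it assumes the ConfigurationManager PowerShell module is available, and the site code `XYZ` and the `Template - ` name prefix are placeholders.

```powershell
# Added example: dry-run import of every SCEP policy template shipped with the console.
# 'XYZ' and the 'Template - ' prefix are placeholders; replace them with your own values.
$SiteCode   = 'XYZ'
$NamePrefix = 'Template - '

# The console installer sets SMS_ADMIN_UI_PATH to <AdminConsole>\bin\i386.
if (-not $env:SMS_ADMIN_UI_PATH) {
    throw 'Configuration Manager console is not installed on this machine.'
}
$binDir       = Split-Path $env:SMS_ADMIN_UI_PATH -Parent   # <AdminConsole>\bin
$adminConsole = Split-Path $binDir -Parent                  # <AdminConsole>
$templateDir  = Join-Path $adminConsole 'XmlStorage\EPTemplates'

if (-not (Test-Path $templateDir)) {
    throw "Template folder not found: $templateDir"
}

# Collect the template files before switching to the site drive.
$templates = Get-ChildItem -Path $templateDir -Filter '*.xml' -File

Import-Module (Join-Path $binDir 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    # Names of the policies already on the site, so reruns do not create duplicates.
    $existing = @(Get-CMAntimalwarePolicy | ForEach-Object { $_.Name })

    foreach ($t in $templates) {
        $name = $NamePrefix + $t.BaseName
        if ($existing -contains $name) {
            Write-Host "Skipping (already imported): $name"
            continue
        }
        # -WhatIf reports what would be imported without changing the site.
        Import-CMAntimalwarePolicy -Path $t.FullName -NewName $name -WhatIf
    }
}
finally {
    Pop-Location
}
```

Remove `-WhatIf` once the list looks right. An imported policy has no effect until it is deployed to a collection, and `Set-CMAntimalwarePolicy -Name <policy> -Priority Increase` (or `Decrease`) is the cmdlet counterpart of the right-click precedence change described earlier.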