Creating, modifying, and deploying a SCEP policy

The creation of anti-virus policies is probably the most critical task that any AV administrator is charged with. If the policy is too restrictive, then computers, and in turn, the end users, will be negatively impacted. Conversely, if the AV policy is too lenient, your computers will have an increased risk of becoming infected by malware.

Fortunately, SCEP provides many tools to make this constant balancing act a little easier for administrators. This recipe will guide you through the process of creating and modifying a SCEP policy for an average laptop user who works while connected to both the corporate network and remote networks.

The policy presented in this recipe is meant to serve as a reference. Although the level of protection it offers is balanced with a minimal impact on the client PC, it should not be taken as a list of best practice settings for every organization. Your corporate security standards may dictate that you adhere to a different level of protection.

Getting ready

To complete this recipe, you will need a user account with at least SCEP administrator role privileges.

How to do it...

Follow these steps:

  1. Log into the CAS server and open the Configuration Manager Console.
  2. Navigate to the Assets and Compliance workspace, open the Endpoint Protection object, and select Antimalware Policies. At the top left-hand side of the user interface, there is a button that reads Create Antimalware Policy; select it to launch the policy creation wizard. Refer to the following screenshot:
  3. Begin by giving the policy a Name and Description, then select Scheduled scans from the left-hand side column.
  4. Change the Scan Type option from Quick scan to Full scan, and then change the Limit CPU usage during scan to (%) option to 30.
  5. Click Scan settings in the left-hand side column and change the settings for both Scan email and email attachments and Scan removable storage devices such as USB drives from False to True.
  6. Next, click Advanced from the left-hand side column and change the setting for Show notification messages from False to True.
  7. Select Microsoft Active Protection Service from the left-hand side column and change the Microsoft Active Protection Service membership type option from I do not want to join to Basic Membership.
  8. Now, select Definition Updates from the left-hand side and click on the button labeled Select Source, after which the Configure Definition Update Sources window should appear.
  9. Make sure that Updates distributed from Configuration Manager and Updates distributed from Microsoft Update are both selected. Click on OK to close the window, as shown in the following screenshot:
  10. To deploy the policy, right-click on the policy you just created and select Deploy.
  11. The Select Collection window should pop up; choose the collection to which you wish to apply this policy and click on OK.

How it works...

SCEP policies play a vital role in ensuring that your SCEP clients are both effectively protecting your systems from malware and, at the same time, maintaining an optimal level of performance. One of the biggest advantages of having an anti-malware solution that's tightly integrated with SCCM is that it allows you to effortlessly manage the deployment of AV policies. Once you've built a policy and deployed it to a collection, you can be certain that all the systems in that collection will receive the policy in short order.

There's More…

In addition to the aspects of SCEP policies discussed in the recipe, the following information on SCEP policies will be useful to you.

Understanding policy precedence

As a SCEP client will undoubtedly be a member of multiple collections within SCCM, and you may have different SCEP policies assigned to these collections, it is necessary to implement a system of policy precedence. SCEP policy precedence can be modified by navigating to Assets and Compliance > Overview > Endpoint Protection > Antimalware Policies and right-clicking on a policy to either increase or decrease its priority.

Note

Remember that the lower the number assigned in the Order column, the higher the rank of the policy.
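
The following is an added example, not part of the original recipe, that models this precedence rule to audit which policy decides each setting for a client in several collections, and flags clients whose effective settings fall below a baseline. It assumes conflicts are resolved per setting in favour of the policy with the lowest Order value; the policy names, collection names, Order values, and setting keys are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    order: int          # Order column value: lower number = higher rank
    settings: dict      # only the settings this policy configures
    collections: set = field(default_factory=set)

# Constructed sample data (hypothetical names; values mirror the recipe's options).
POLICIES = [
    Policy("Default Client Policy", 10000,
           {"ScanType": "Quick scan", "ScanEmail": False,
            "ScanRemovable": False, "ShowNotifications": False},
           {"All Systems"}),
    Policy("Laptop Policy", 2,
           {"ScanType": "Full scan", "CpuLimit": 30, "ScanEmail": True,
            "ScanRemovable": True, "ShowNotifications": True},
           {"Laptops"}),
    Policy("Kiosk Exception", 1,
           {"ScanRemovable": False},
           {"Kiosks"}),
]

# Settings the organization requires on every client (assumed baseline).
BASELINE = {"ScanEmail": True, "ScanRemovable": True}

def effective_settings(memberships, policies=POLICIES):
    """Return {setting: (value, winning_policy)} for a client's collections."""
    applicable = [p for p in policies if p.collections & set(memberships)]
    result = {}
    # Apply lowest-ranked policy first so higher-ranked values overwrite it.
    for policy in sorted(applicable, key=lambda p: p.order, reverse=True):
        for key, value in policy.settings.items():
            result[key] = (value, policy.name)
    return result

def baseline_gaps(memberships, policies=POLICIES):
    """Return baseline settings the client misses, with the policy responsible."""
    effective = effective_settings(memberships, policies)
    return {key: effective.get(key)
            for key, required in BASELINE.items()
            if effective.get(key, (None, None))[0] != required}

if __name__ == "__main__":
    for client in ({"All Systems", "Laptops"},
                   {"All Systems", "Laptops", "Kiosks"}):
        print(sorted(client), "->", baseline_gaps(client) or "meets baseline")
```

A narrowly scoped exception policy ranked above the laptop policy silently disables removable-storage scanning for any laptop that is also in the exception collection, which is the kind of overlap worth reviewing before changing the Order column.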

Refer to the following screenshot:


Server policy templates

One of the most beloved features of the previous version of SCEP (Forefront Endpoint Protection) was the use of server policy templates. Microsoft wisely adapted all of its best practices for OS-level anti-virus running on its major application servers (Exchange, SQL, SharePoint, and so on) into a set of preconfigured FEP policies that you could select from a simple drop-down menu.

At first glance, it might seem as if this feature has been removed in SCEP, but while the process is no longer as simple as selecting a preset policy from a drop-down menu, the policy templates for servers are still included with SCEP.

To utilize them, simply click on the Import button at the top of the screen in Assets and Compliance > Overview > Endpoint Protection > Antimalware Policies. It should automatically take you to the folder location where policy templates are stored. If you do not see the list of policy template XML files, navigate to %instaldir%\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates; this is their default folder location.
