Managing System Center Endpoint Protection (SCEP, EPP (aka Antivirus)) policies via Group Policy

Disclaimer: The views expressed in my posts on this site are mine & mine alone & don’t necessarily reflect the views of Microsoft. All posts are provided “AS IS” with no warranties & confers no rights. If I post any code, scripts or demos, they are provided for the purpose of illustration & are not intended to be used in a production environment. They are provided ‘as is’ without warranty of any kind, expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. I grant you a nonexclusive, royalty-free right to use & modify my sample code & to reproduce & distribute the object code form of the sample code, provided that you agree: (i) to not use my name, my companies name, logo, or trademarks to market your software product in which the sample code is embedded; (ii) to include a valid copyright notice on your software product in which the sample code is embedded; and (iii) to indemnify, hold harmless, and defend me, Microsoft & our suppliers from & against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the sample code.

Updated: N/A

Published: Mar. 19th, 2020

Applies to:

Systems with Microsoft Defender Advanced Threat Protection (MDATP)

and are using:

System Center Configuration Manager (SCCM) Current Branch (CB)

System Center Endpoint Protection (SCEP) (AV, EPP) on these operating systems:

  • Windows Server 2012 R2
  • Windows 8.1
  • Windows Server 2012
  • Windows 8
  • Windows Server 2008 R2 SP1
  • Windows 7 SP1
  • Windows Server 2008 SP2
  • Windows Vista

Does not apply to:

Microsoft Defender Antivirus (MDAV, formerly known as Windows Defender Antivirus (WDAV)) (AV, EPP) on these operating systems:

  • Windows Server 2019
  • Windows Server 2016
  • Windows 10

[Update 8/6/2020] Now officially available:

Use Group Policy settings to manage Endpoint Protection in previous versions of Windows
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection-group-policies

From time to time we get asked about environments that still have down-level (legacy) Windows clients and/or Windows Servers that are not yet managed via SCCM.

Scenario:

    • DMZ
    • Merger(s) and Acquisition(s) (M&A)

If you had these systems managed via SCCM, you would go through:

SCCM-Endpoint Protection: Windows client: MDAV and SCEP antimalware policies best practices(Part 8).
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-windows-client-mdav-and-scep-antimalware-policies-best-practicespart-8/

SCCM-Endpoint Protection: Windows server: MDAV and SCEP antimalware policies best practices(Part 9)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-windows-server-mdav-and-scep-antimalware-policies-best-practicespart-9/

Question becomes, how do you manage the AV policies for SCEP based systems?

In Windows 10, Windows Server 2016, and Windows Server 2019, you could just use the Group Policy (GPO) here:

Computer Configuration –> Administrative Templates –> Windows Components –> Windows Defender Antivirus

Note: The corresponding registry keys are under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

In Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2 SP1, Windows 7 SP1, Windows Server 2008 SP2, Windows Vista, you could use the Group Policy (GPO) here:

Computer Configuration –> Administrative Templates –> Windows Components –> Endpoint Protection

Note: The corresponding registry keys are under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware

So how do you get “Endpoint Protection”?

Start from a Windows 7 SP1 system that is managed by the SCCM client (so the SCEP client, and with it the ADMX templates, is installed).

Go to c:\Program Files\Microsoft Security Client\Admx

Zip up that folder, e.g. as SCEP_admx.zip.

Copy SCEP_admx.zip to your local system or to a Domain Controller, e.g. into C:\temp_SCEP_GPO_admx

Extract it.

Option 1) Loading the SCEP policy on a Central Repository on a Domain Controller. (Preferred)

Copy the extracted contents (the .admx files together with their language subfolders containing the .adml files) to \\DC\SYSVOL\Contoso.com\Policies\PolicyDefinitions

Note: DC is the name of one of your Domain Controllers, and Contoso.com is the name of your domain.

Open GPMC and navigate to:

Computer Configuration –> Administrative Templates –> Windows Components –> Endpoint Protection

Go ahead and configure the group policies as you need them.

Option 2) Loading the SCEP policy on your local system. (Alternative)

Copy the extracted contents (the .admx files together with their language subfolders) to c:\windows\PolicyDefinitions

Now open GPEdit.msc and navigate to:

Computer Configuration –> Administrative Templates –> Windows Components –> Endpoint Protection

Go ahead and configure the group policies as you need them.
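As an added example (my own script, not part of the original post), the following PowerShell performs the copy step of either Option 1 or Option 2 and then checks, on a SCEP client, which Endpoint Protection values actually reached the Microsoft Antimalware policy key. DC01 and contoso.com are placeholders, and it assumes PowerShell 3.0 or later on a system with the SCEP client installed.

```powershell
# Added example: stage the SCEP ADMX/ADML files into a policy definition store.
# Assumptions: SCEP client installed locally; DC01 / contoso.com are placeholders.
param(
    [string]$SourceAdmx       = 'C:\Program Files\Microsoft Security Client\Admx',
    [string]$DomainController = 'DC01',         # placeholder, replace with your DC
    [string]$DomainName       = 'contoso.com',  # placeholder, replace with your domain
    [ValidateSet('Central', 'Local')]
    [string]$Target           = 'Central'
)

# Option 1 (preferred): central store in SYSVOL. Option 2: local PolicyDefinitions.
$Destination = if ($Target -eq 'Central') {
    "\\$DomainController\SYSVOL\$DomainName\Policies\PolicyDefinitions"
} else {
    Join-Path $env:windir 'PolicyDefinitions'
}

if (-not (Test-Path $SourceAdmx)) {
    throw "SCEP ADMX folder not found at '$SourceAdmx'. Is the SCEP client installed here?"
}

# The *.admx template files go into the root of the definition store.
$admx = @(Get-ChildItem -Path $SourceAdmx -Filter '*.admx' -File)
if ($admx.Count -eq 0) { throw "No .admx files found under '$SourceAdmx'." }
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$admx | Copy-Item -Destination $Destination -Force

# Each language folder (e.g. en-US) with its *.adml resource files sits alongside them.
Get-ChildItem -Path $SourceAdmx -Directory | ForEach-Object {
    $langDir = Join-Path $Destination $_.Name
    New-Item -ItemType Directory -Path $langDir -Force | Out-Null
    Get-ChildItem -Path $_.FullName -Filter '*.adml' -File | Copy-Item -Destination $langDir -Force
}

# Sanity check: an .admx without a matching .adml makes GPMC/GPEdit report a resource error.
foreach ($f in $admx) {
    $adml = Get-ChildItem -Path $Destination -Recurse -Filter ($f.BaseName + '.adml') -File
    if (-not $adml) { Write-Warning "No .adml resource found for $($f.Name)" }
}

# Verification on a SCEP client after the GPO is linked and 'gpupdate /force' has run:
# list the values that landed under the Endpoint Protection policy key named in the post.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
if (Test-Path $policyKey) {
    @(Get-Item $policyKey) + @(Get-ChildItem -Path $policyKey -Recurse) | ForEach-Object {
        $key = $_
        foreach ($name in $key.Property) { '{0}\{1} = {2}' -f $key.Name, $name, $key.GetValue($name) }
    }
} else {
    Write-Warning "No Endpoint Protection policy values under $policyKey (policy not applied yet?)"
}
```

Run it with -Target Local for Option 2; the verification part only reports something once the policy has actually applied to the client it runs on.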

I hope this information helps.

Thanks,

Yong

Twitter:  @YongRheeMSFT

http://twitter.com/yongrheemsft

P.S. Related content regarding these series:
Evaluation (PoC) Guide for Microsoft Defender Antivirus (MDAV) and Microsoft Defender–Exploit Guard [Attack Surface Reduction Rules, Controlled Folder Access and Network Protection]
https://yongrhee.wordpress.com/2020/03/03/evaluation-poc-guide-for-microsoft-defender-antivirus-mdav-and-microsoft-defender-exploit-guard-attack-surface-reduction-rules-controlled-folder-access-and-network-protection/

Do macOS need an antimalware (antivirus) and EDR software?
https://yongrhee.wordpress.com/2020/03/08/do-macos-need-an-antimalware-antivirus-and-edr-software/

SCCM-Endpoint Protection: Setting up your System Center Configuration Manager lab for a PoC (Part 1)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-setting-up-your-system-center-configuration-manager-lab-for-a-poc-part-1/

SCCM-Endpoint Protection: Enable “Software Update Point” (SUP) (Part 2)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enable-software-update-point-sup-part-2/

SCCM-Endpoint Protection: Enable “Endpoint Protection point” site system role (Part 3)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enable-endpoint-protection-point-site-system-role-part-3/

SCCM-Endpoint Protection: Enable SCCM “Client Settings” – “Endpoint Protection”(Part 3a)
https://yongrhee.wordpress.com/2020/03/04/sccm-endpoint-protection-enable-sccm-client-settings-endpoint-protectionpart-3a/

SCCM-Endpoint Protection: Enabling “Platform Update” for Microsoft Defender AV via SCCM ADR (Part 4)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-platform-update-for-microsoft-defender-av-via-sccm-adr-part-4/

SCCM-Endpoint Protection: Enabling “Platform Update” for Microsoft SCEP via SCCM ADR (Part 5)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-platform-update-for-microsoft-scep-via-sccm-adr-part-5/

SCCM-Endpoint Protection: Enabling “Security Intelligence Update” for MDAV via SCCM ADR (Part 6)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-security-intelligence-update-for-mdav-via-sccm-adr-part-6/

SCCM-Endpoint Protection: Enabling “Security Intelligence Update” for SCEP via SCCM ADR (Part 7)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-security-intelligence-update-for-scep-via-sccm-adr-part-7/

SCCM-Endpoint Protection: Windows client: MDAV and SCEP antimalware policies best practices(Part 8).
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-windows-client-mdav-and-scep-antimalware-policies-best-practicespart-8/

SCCM-Endpoint Protection: Windows server: MDAV and SCEP antimalware policies best practices(Part 9)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-windows-server-mdav-and-scep-antimalware-policies-best-practicespart-9/

SCCM-Endpoint Protection: Microsoft Defender Exploit Guard: Attack Surface Reduction rules (Part 10)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-microsoft-defender-exploit-guard-attack-surface-reduction-rules-part-10/

SCCM-Endpoint Protection: Microsoft Defender Exploit Guard: Network Protection (Part 11)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-microsoft-defender-exploit-guard-network-protection-part-11/

SCCM-Endpoint Protection: Microsoft Defender Exploit Guard: Controlled Folder Access (Part 12)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-microsoft-defender-exploit-guard-controlled-folder-access-part-12/

Published by yongrhee

A Cybersecurity & Information Technology (IT) geek.
