In Part 1 of this series we created our new LAB, got the System Center 2012 Configuration Manager ISO, extracted it and copied it to our Active Directory server. We then created the System Management container in AD, delegated permissions to the container and extended the Schema for Configuration Manager. We then opened TCP ports 1433 and 4022 for SQL replication between sites, installed some prerequisites such as .NET Framework 4.0, added some features and then downloaded and installed SQL Server 2008 R2 SP1 CU6. We then configured SQL Server using SQL Server Management Studio for security and memory settings before running the Configuration Manager 2012 setup to assess server readiness. Finally we installed a central administration site (CAS).
In Part 2 we set up our Primary server with SQL Server 2008 R2 SP1 CU6. We then installed Configuration Manager 2012 on our primary server (P01) and verified that it was replicating to our central administration site (CAS) server. In Part 3 we configured Discovery methods, configured boundaries and created a boundary group, and then configured them for Automatic Site Assignment and Content Location.
In Part 4 we added the Application Catalog roles to our Hierarchy. We then configured Custom Client Device Settings and deployed those settings to the All Systems collection on site P01. After that we created Custom Client User Settings and deployed them to the All Users collection in order to allow users to define their own User and Device affinity settings.
In Part 5 we installed the WSUS server role (it is required for the Software Update Point role). We then installed the Software Update Point role on our CAS and Primary servers and configured the SUP to support ConfigMgr Client Agent deployment, which is a recommended Best Practice method of deploying the Configuration Manager Client Agent. Now we will prepare our server for the Endpoint Protection Point role, and install that role before configuring custom client device settings and custom antimalware policies. We will then deploy those custom client device settings and custom antimalware policies to our newly created Endpoint Protection collections.
Tip: This is a long post and it will take you some time to complete, please give yourself a few hours to go through it all.
Below is an Introduction to Endpoint Protection in Configuration Manager; for more info see the TechNet library article hh508781.
When you use Endpoint Protection with Configuration Manager, you benefit from the following:
Once you have created your new collections, the Endpoint Protection Managed Servers collections should look like this:
Tip: if you don't want to manually enter all this information you could create a PowerShell script to achieve the same thing; a sample script is available to help you (PowerShell knowledge required).
At the moment our new collections are all empty and that's ok; you can populate them however you want, either using direct membership or queries. Do make sure that the correct type of device is in each collection, so that when we target our custom device settings and custom antimalware policies to those collections the correct devices receive the correct antimalware settings/policies.
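As an added example (not the post's own script, and not the sample script it links to), this creates two of the Endpoint Protection collections with the Configuration Manager cmdlets, one populated by a WQL query and one by direct membership of the CAS and P01 servers. It assumes the Configuration Manager PowerShell module (shipped from 2012 SP1 onward), a site code of CAS, and the constructed collection names and query below.

```powershell
# Added example, not from the original post. Assumptions: the Configuration Manager
# PowerShell module (2012 SP1 or later), site code CAS, and the sample names/queries below.
$uiPath = $env:SMS_ADMIN_UI_PATH                       # ...\bin\i386 on a console machine
Import-Module (Join-Path (Split-Path $uiPath -Parent) 'ConfigurationManager.psd1')
Set-Location 'CAS:'                                    # site drive; site code CAS is an assumption

# Daily membership re-evaluation keeps the right device type in each collection, which
# matters because antimalware policies and client settings are targeted per collection.
$daily = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1

# WQL template; {0} is replaced with an OperatingSystemNameandVersion pattern.
$wql = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "{0}"
'@

# Constructed sample set: a query-based desktop collection and a direct-membership
# collection for the Configuration Manager servers (CAS and P01).
$queryCollections  = @{ 'Endpoint Protection Managed Desktops' = '%Workstation%' }
$directCollections = @{ 'Endpoint Protection Managed Servers - Configuration Manager' = @('CAS', 'P01') }

foreach ($name in $queryCollections.Keys) {
    New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Systems' `
        -RefreshType Periodic -RefreshSchedule $daily | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName 'OS filter' `
        -QueryExpression ($wql -f $queryCollections[$name])
}

foreach ($name in $directCollections.Keys) {
    New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Systems' `
        -RefreshType Periodic -RefreshSchedule $daily | Out-Null
    foreach ($device in $directCollections[$name]) {
        $resource = Get-CMDevice -Name $device
        if ($null -eq $resource) { Write-Warning "$device not found in inventory; skipped"; continue }
        Add-CMDeviceCollectionDirectMembershipRule -CollectionName $name -ResourceId $resource.ResourceID
    }
}
```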
Step 3. Enable the Endpoint Protection role
Note: Perform the following on the CAS server as SMSadmin
The Endpoint Protection point site system role must be installed before you can use Endpoint Protection or before you can create custom Endpoint Protection client settings. It must be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site. As we have a hierarchy consisting of a CAS and child Primary, we will install the role on our CAS server. If you are following this guide and using only a standalone primary server then you must install the Endpoint Protection role on that server.
In the Administration workspace, expand Overview and expand Site Configuration, select Servers and Site System Roles. Right click on our CAS server and select Add Site System Roles.
Make any changes necessary on the Add Site System Roles wizard screen and click Next.
Select the Endpoint Protection point role and take note of the popup screen. We have already configured our SUP to Synchronise Definition Updates in Part 5 of this series; if you have not completed that part yet please review it now, or alternatively you'll have to remove Configuration Manager as an update source in your Custom Antimalware Policies.
Accept the Endpoint Protection License based on your License agreement with Microsoft,
and select your MAPS membership type, which applies to your entire hierarchy as the default setting (this can be changed for all custom antimalware policies later). Select Advanced Membership.
Configure Alerts for device Collections
Note: You cannot configure alerts for User Collections.
Next we will configure alerts for our Endpoint Protection device collections. In this example we will use our Endpoint Protection Managed Servers - Configuration Manager collection; you should repeat this process for each collection that you want to monitor for alerts in the Configuration Manager console, via the Endpoint Protection Reports and of course the Endpoint Protection Dashboard.
In Assets and Compliance, browse to the Endpoint Protection Managed Servers folder, and select the Endpoint Protection Managed Servers - Configuration Manager collection. Right click and choose properties. Click on the Alerts tab and place a checkmark in View this collection in the Endpoint Protection Dashboard and place a checkmark in those headings that interest you for client status and Endpoint Protection.
You can further configure the alert severity or other options (depending on the type of alert selected) in the Alerts screen once you've applied the above settings. In the example below the Repeated malware detection alert settings are listed.
Once you've configured all the Endpoint Protection collections for Alerting, you can review the Endpoint Protection dashboard (System Center 2012 Endpoint Protection Status) in the Monitoring workspace and select one of our 13 collections from the drop down menu. The information provided will change as data flows in once we deploy custom client device settings and custom antimalware policies to our Endpoint Protection collections.
Step 5. Add Forefront Endpoint Protection 2010 as a product and sync the SUP
Note: Perform the following on the CAS server as SMSadmin
If you want your clients to get their definition updates from Configuration Manager, then you'll need to configure your Software Update Point accordingly. Our SUP is already set up and configured as in Part 5, which means it will check for definition updates and synchronize with Microsoft on a schedule of once per day. However, we need to add the Forefront Endpoint Protection 2010 product to our list of products to sync against, otherwise we won't see any Definition Updates appearing in our Software Update Point. In the Administration workspace, select Site Configuration, Sites, select our CAS server, and in the ribbon click on Settings, Configure Site Components, and select Software Update Point from the list.
Select the Products tab, scroll down to Forefront and select Forefront Endpoint Protection 2010, click Apply.
Next we will force a sync to Microsoft, select the Software Library workspace, select Software Updates, right click on All Software Updates and choose Synchronize Software Updates. Answer Yes to the popup.
Tip: Review the wsyncmgr.log on the CAS server in D:\Program Files\Microsoft Configuration Manager\Logs to confirm that the sync has successfully completed. Look for a line that states Sync Succeeded. If it fails to sync make sure that the Update Services service on CAS has started.
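The check in the tip above, written out as an added PowerShell script (not part of the original post): it confirms the Update Services service is running, reads the outcome of the most recent sync from the CMTrace-formatted wsyncmgr.log, and verifies that the deployment package share used in the next step exists. It assumes the post's install path D:\Program Files\Microsoft Configuration Manager and the share \\cas\sources\WindowsUpdates\EndpointProtection; the WSUS service name WsusService (display name "Update Services") is a known value, not from the post.

```powershell
# Added example, not from the original post. Assumes the post's ConfigMgr install path
# and the \\cas\sources\WindowsUpdates\EndpointProtection share created in Step 6.
param(
    [string]$LogPath  = 'D:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log',
    [string]$PkgShare = '\\cas\sources\WindowsUpdates\EndpointProtection'
)

# 1. WSUS must be running on the server hosting the SUP (service WsusService, "Update Services").
$wsus = Get-Service -Name 'WsusService' -ErrorAction SilentlyContinue
if ($null -eq $wsus -or $wsus.Status -ne 'Running') {
    Write-Warning 'Update Services (WsusService) is not running; synchronization will fail.'
}

# 2. Find the outcome of the most recent sync. Each CMTrace entry looks like:
#    <![LOG[Sync succeeded. ...]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" ...>
$pattern = '^<!\[LOG\[(Sync (succeeded|failed)[^\]]*)\]LOG\]!><time="([^"]+)" date="([^"]+)"'
$entries = Select-String -Path $LogPath -Pattern $pattern | ForEach-Object {
    [pscustomobject]@{
        Message = $_.Matches[0].Groups[1].Value
        Result  = $_.Matches[0].Groups[2].Value
        When    = "$($_.Matches[0].Groups[4].Value) $($_.Matches[0].Groups[3].Value)"
    }
}
$last = $entries | Select-Object -Last 1
if ($null -eq $last) {
    Write-Warning "No completed sync found in $LogPath; run Synchronize Software Updates and re-check."
} elseif ($last.Result -eq 'failed') {
    Write-Warning "Last sync at $($last.When) failed: $($last.Message)"
} else {
    Write-Output "Last sync at $($last.When): $($last.Message)"
}

# 3. The deployment package source must exist before the ADR runs, or its download step fails.
if (-not (Test-Path -Path $PkgShare -PathType Container)) {
    Write-Warning "$PkgShare does not exist; create and share it before creating the ADR."
}
```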
Step 6. Configure SUP to deliver Definition Updates using an Automatic Deployment Rule
Note: Perform the following on the CAS server as SMSadmin
Before starting this step, create the folder D:\sources\WindowsUpdates\EndpointProtection on the CAS server to store our Endpoint Protection definition updates. Our sources folder is shared as sources.
In the Configuration Manager console, click Software Library, expand Software Updates, right click on Automatic Deployment Rules and choose Create Automatic Deployment Rule.
Fill in the details as below. For the name use ADR: Endpoint Protection. The naming is important: think weeks, months and years ahead, when you or someone else is searching for that Automatic Deployment Rule. Prepending ADR: Endpoint Protection will easily separate these ADRs from other ADRs created by you or other admins, for example for Patch Tuesday software updates.
For target collection choose the collection you want to target with these definition updates, in our example we will select the Endpoint Protection Managed Desktops collection.
On the Deployment Settings page of the wizard select Minimal from the Detail level drop-down list and then click Next, this reduces the content of State Messages returned and thus reduces Configuration Manager server load.
On the Software Updates page select Date Released or Revised, choose Last 1 day, then select Products and select Forefront Protection 2010 from the list of available products.
For Evaluation Schedule, click on Customize and set it to run every 1 day.
Tip: notice that the Synchronization Schedule is listed below. Make sure that the SUP synchronizes at least 2 hours before you evaluate for Forefront Endpoint Protection definition updates; there is no point checking for updates if we haven't synchronized yet.
For Deployment Schedule set Time based on: UTC if you want all clients in the hierarchy to install the latest definitions at the same time; this setting is a recommended best practice. For Software available select 2 hours to allow sufficient time for the Deployment to reach all Distribution Points, and select As soon as possible for the installation Deadline.
Note: Software update deadlines are randomized over a 2-hour period to prevent all clients from requesting an update at the same time.
For the User Visual Experience select Hide from the drop down menu, as we don't want our users informed of new Definition Updates daily, and suppress restarts on Servers.
For Alerts enable the option to generate an alert and set the compliance percentage equal to the SLA you expect for that site; in this example we'll select 85%.
For Download Settings we want to be sure that our clients get these malware definitions regardless of whether they are on slow site boundaries or not, so we will set both options accordingly.
For Deployment Package we need to create a new Deployment Package, give it a suitable name like Endpoint Protection Definition Updates and point it to a previously created shared folder (\\cas\sources\WindowsUpdates\EndpointProtection).
Note: Make sure that \\cas\sources\WindowsUpdates\EndpointProtection exists, otherwise the wizard will fail below when it tries to download, as the network path won't exist. After running the ADR once, retire it by right clicking on the rule and selecting Disable (or delete it), then create a new ADR, except this time point the deployment package to the package which is now created, called Endpoint Protection Definition Updates.
For Distribution Points click on the drop down Add button and select distribution point, select our distribution point on our primary server (P01) and click ok.
Click your way through the rest of the wizard until you reach the summary screen, but before finishing the wizard click on Save As Template in order to speed up entering values in the remaining ADRs you'll be creating.
Once done, complete the wizard; the template is ready for use the next time you create a new ADR.
Note: You must repeat the above process for each collection you want to target with Endpoint Protection definition updates delivered from Configuration Manager using an Automatic Deployment Rule.
Below is a screenshot showing the 13 additional ADRs I've created; note how the first ADR is disabled (that one was used for creating the deployment package).
Step 7. Configure custom antimalware policies
Note: Perform the following on the CAS server as SMSadmin.
Antimalware Policies for Endpoint Protection define how and where the computers get their definition updates, how and when to scan for malware, what to do when it's detected and a multitude of additional options. You can create many custom antimalware policies and target them (Deployment) to your Endpoint Protection collections. Microsoft provides several built-in policies out of the box that you can simply import and then deploy to your chosen collection.
Tip: Do not configure the default client Antimalware Policy unless you are sure that you want those settings applied to all computers in your hierarchy. Custom antimalware policies always take precedence over the Default antimalware policy as they have a higher priority.
On your CAS (you could also do this on your Primary server P01, as Antimalware Policies are Global Data and replicate accordingly), click Assets and Compliance, click Endpoint Protection, select Antimalware Policies. In the ribbon select Create Antimalware Policy.
Give the policy a suitable name like Custom Antimalware Policy - Endpoint Protection Managed Servers - Configuration Manager.