
Microsoft System Center 2012 Endpoint Protection


Endpoint Protection, part of Microsoft System Center 2012 R2, is designed with large enterprises in mind. It offers antimalware configuration, reporting, deployment and more.

Microsoft System Center 2012 R2 is a management suite for enterprise computing environments that offers monitoring, deployment, distribution and management of a wide range of devices and software across multiple platforms. Of course, covering this much ground requires specialized components.

System Center 2012 R2 Endpoint Protection is the piece that ensures that employee workstations and other devices in the field (the endpoints) are properly secured against viruses, trojans and other malware. For those who may remember, System Center Endpoint Protection is what used to be called Microsoft Forefront Endpoint Protection, or FEP.

Like many of the other components of System Center, the functions of Endpoint Protection could easily be handled by a skilled team of administrators operating in a smaller-scale environment. Installing antivirus software is easy enough. It rarely requires complicated configuration. Most such software allows for automatic updates of virus definitions. If something goes wrong, or a virus is detected, help is just a phone call or help desk ticket away. But when the environment gets big enough, every one of these issues becomes unmanageable.

How does an administrator verify that definitions are up to date on tens of thousands of machines? Send out an email asking users to check the version number they have. (Click here, then click on this, then click... then email the results to...) And how would IT know if protection has been turned off, whether accidentally or maliciously?

Worst of all, how does IT know whether end users aren't just clicking OK when issues are detected, allowing precious time to waste away while the virus spreads and the malware keeps sending all those keystrokes and web form fields back home?

If the answer from IT is a combination of System Center Configuration Manager distributing software and updates, coupled with Operations Manager to monitor the status of each system's antimalware software, then the answer is correct. However, this particular area has a lot of nuances and extra security precautions that can get in the way. Think of Endpoint Protection as a giant management pack that wraps up all of this functionality and ties it in a bow.

In addition to antimalware configuration, reporting and deployment, Endpoint Protection also allows policy-based configuration of the local operating system firewall; you can open and close ports for specific groups of users based on need, even at certain times.


What's New In SCEP 2012 R2

Like most of the products in the System Center line, the biggest and most notable new feature of Endpoint Protection 2012 R2 is native support for the latest operating systems released by Microsoft. The SP1 version of System Center Endpoint Protection brought native support for Windows 8 and Windows Server 2012. The R2 version brings support for both Windows 8.1 and Windows Server 2012 R2.

While both Forefront Protection 2010 Update Rollup 1 and System Center 2012 Endpoint Protection (with and without Service Pack 1) will be updated to include support for Windows 8.1 and Windows Server 2012 R2, Endpoint Protection 2012 R2 supports both operating systems out of the box. This would seem to mark the last OS upgrade that Forefront will get full support for, assuming that no quick release of an 8.2 version of Windows becomes necessary. Upgrades are available from 2012 SP1 to the R2 version, but not directly from the non-SP1 2012 release to R2; an upgrade to SP1 has to come first.

The latest version of Endpoint Protection offers improved support for the boot protections built into Windows 8. Early Launch Antimalware (ELAM) loads before the third-party drivers that start at boot, so it can stop malware that tries to launch before the full antimalware client is loaded later in the boot process. There is also the ability to monitor and report on boot protection status, including whether the Unified Extensible Firmware Interface (UEFI -- a BIOS replacement that can be locked down for security purposes) boot process has been compromised or disabled.

Since Endpoint Protection piggybacks on Configuration Manager, much of what's new for SCCM 2012 R2 is also new for SCEP 2012 R2. Endpoint Protection still requires its own client, separate from the Configuration Manager client; however, Endpoint Protection uses Configuration Manager's discovery process to detect systems for client installation. The same collections configured in Configuration Manager can be used to launch the client installation, but there is no need to build a package within Configuration Manager: that process is taken care of as part of the Endpoint Protection site system role.

Role-based administration works with Endpoint Protection just as it does with Configuration Manager, with the ability to assign full rights of the Endpoint Protection role to administrators, or to customize a subset of views and permissions for each administrator. This makes the console easier to work with if administrators are specialized in endpoint management, or if an administrator just wants to focus on the specifics of endpoint protection without the distraction of other software installation reports or updates.

As with Configuration Manager, admins will also need the corresponding reporting rights to really manage anything. (It's no good to be able to update definitions, for example, without being able to see who has what.) Real-time reporting for Endpoint Manager first came out with SP1, but it's updated and streamlined for the R2 release. Prior to the SP1 release, monitoring required defining and running reports. Now, administrators can see in real time what is being detected by the antivirus software. If something is replicating itself, the management screen will start showing clients going red right away, so segments can be isolated or other preventive measures taken, instead of an administrator having to notice suspicious activity and then confirm it by running a report.

Alerts can even be sent as toast notifications on the Metro interface for any administrators using it. Also, real-time operations sent to clients are supposed to take less than one minute now.


With Microsoft pushing ever more toward the cloud and promoting its concept of the "Cloud OS," it is important to note that Endpoint Protection can work anywhere that Configuration Manager is also able to deploy. While Endpoint Protection within virtual machines may sound unnecessary (why not just create a new one if one gets infected?), the truth is that those virtual machines are still very capable of spreading malware to less disposable systems. For Windows-based VMs, the Endpoint Protection client can be installed just as on a physical Windows system. For non-Windows VMs, Intune support can be used where applicable.

While the updates in the R2 version of Endpoint Protection aren't flashy, there probably isn't anyone updating to System Center R2 based on what the latest version of EP can do. However, for companies moving up to the R2 version, security administrators will find some nice goodies to make their jobs easier.