Question on Client Settings, order, and Endpoint Protection

  • Question

  • Hi there,

    I have a fairly specific issue that I've done some research on but still isn't behaving as I expected.

    I've read a few posts on this topic and this TechNet article: 

    http://technet.microsoft.com/en-us/library/gg682109.aspx

    My problem is that I created a client setting policy including Endpoint Protection during my test phases and this deploys to everything in my site. It's recently become time to deploy the client to servers and, due to our environment, we do not want EP on our server as we have a different product licensed.

    I created a "server" client settings and renamed my base settings to "workstation" settings to try to alleviate confusion. In the "server" settings I have disabled EP. I then deployed it to the Server collection which currently only has one test server in it. I noticed EP didn't get removed so I removed it. Today I checked the server and EP is back. I assume that since the "workstations" setting was likely deployed to my entire site and has a priority of 1 that regardless of my "server" settings and the deployment of it without EP directly to the server collection that since it has a priority of 2 the settings with EP override the settings without.

    That being said what is the best way to sort this problem out? Can I somehow clear out the fact that the "workstation" settings are being deployed site-wide? Do I change the priority of the "server" settings to 1 and then deploy the "workstation" settings to the workstations collection?

    I think I mainly understand what's going on here but would rather check my solutions prior to pushing buttons and perhaps exacerbating the problem.

     

    Thursday, December 26, 2013 3:33 PM

All replies

  • Just change the priorities (1 will take precedence over 2).

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, December 26, 2013 3:38 PM
  • And I would create a collection of only workstations and deploy the workstations Client Settings to that collection.  Then, as long as you don't have EP turned on in the Default Client Settings (which should be avoided), there is no reason to create a server Client Settings to explicitly disable EP.  It is only enabled if a policy is deployed to a collection containing that client.

    Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx

    Thursday, December 26, 2013 3:44 PM
  • Torsten,

    So because the collections are all getting the client as intended, obviously, and I'm changing the priority only the servers will enforce the higher rated priority, turning off EP, and the workstations will enforce the priority 2 settings that do have EP because the higher-rated settings are only deployed to the server collection?


    • Edited by Samuel Mason Thursday, December 26, 2013 4:02 PM
    Thursday, December 26, 2013 4:01 PM
  • Mike,

    That was my intention, to segregate the settings by collection but I honestly don't know how to change the deployment settings. For example, when I made a change to the server settings this morning to ensure EP was disabled and tried to deploy to the server collection I got the warning that these settings were already deployed to this collection. That's when I decided to ask this question because it seemed that, since I'd already selected these collections on which to deploy the settings and I didn't know how to "reset" the deployments, the only way I might be able to change the enforcement was to change the priority.

    Thursday, December 26, 2013 4:07 PM
  • My suggestion:

    1)  Make sure EP is not enabled in the Default Client Settings or any other setting that is deployed to a collection containing servers.

    2)  If you have an Endpoint specific server Client Settings, delete the deployment, and then delete the policy.  There is no need to have an Endpoint Policy defined if you are not deploying it to servers.  Remove EP from the test server if it is currently installed.

    3)  Create an "All Workstations" collection and a workstation specific Client Settings.  Then, deploy it to the workstations collection.  If you are simply only deploying to workstations, this is the only policy for EP that should be configured. 


    Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx

    • Marked as answer by Samuel Mason Thursday, December 26, 2013 5:32 PM
    Thursday, December 26, 2013 4:19 PM
  • Hi again Mike,

    Just to be clear the Default Client Settings that came with SCCM is set to 10000 priority and zero deployments. I think best practice is not to mess with the Default so I have not. This is why I have 2 policies: one for server without EP and one for workstations with EP.

    I'm not certain how to delete deployments. I've looked for that feature to clear my server deployment and/or the workstation deployment so that I could re-push the new settings or reaffirm current settings.


    ***Edit: I think I found it at the bottom of the page on each Client Settings Group, in the Deployments tab. I was looking too hard. :)
    • Edited by Samuel Mason Thursday, December 26, 2013 4:42 PM
    Thursday, December 26, 2013 4:37 PM
  • Correct.  The Default Client Settings does not get deployed.  Those settings automatically apply to all clients.  It's good that you didn't make any changes to that for EP. 

    When you say server/workstation settings, do you mean that Endpoint is the only option you have selected for that setting?  Or do you have other settings?  You should not select the Endpoint checkbox for the server setting if you don't want to deploy it to servers.  See below.

    The deployments can be viewed by clicking on your custom setting and then clicking on the Deployments tab at the bottom.


    Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx

    Thursday, December 26, 2013 4:56 PM
  • Oh I may be misunderstanding something here because I'm so new to this product, let's just clarify:

    My assumption was that Default (set to 10000) would not be sent to anything and is just used as a template. This was reinforced to me, perhaps erroneously, by the fact it has no deployments. Now EP *is* enabled on this Default Client Settings but I didn't do that. Am I correct in assuming this group does nothing unless I deploy it? Your comment that "Those settings automatically apply to all clients" makes me think I'm incorrect.

    On the Server settings, now set to priority 1, I have a number of normal settings but EP is unchecked whereas BITS and the others are checked. Really the only change was to EP. I cleared all deployments and re-deployed this to the Server collection.

    On workstation settings EP and all the other appropriate settings are checked. I cleared deployments and re-sent this to my Workstations collection.

     

    Thursday, December 26, 2013 5:06 PM
  • The Default Client Setting is not deployed.  Any settings in there automatically deploy to all clients.  This is why you should treat it similar to how you would treat your Default Group Policy.  But, it is always the lowest priority.  Any custom setting will take priority and override the default.  But, only if that box is checked for that setting.  Deploying a Server Client Setting with that box blank does nothing and just reverts back to the Default Client Settings.

    As long as you do not have that box checked on your Server settings, it will not be deployed by that policy.  However, if you do have it selected in the Default, it will get installed on all clients.  Therefore, deselect it in your Default Client Settings.

    You don't have to redeploy Client Settings to the same collection.  That does nothing.  Just make the changes and then the clients will pick up the newest changes when they check in for policy updates.

     

    Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx


    • Edited by Mike H Leach Thursday, December 26, 2013 5:15 PM
    • Marked as answer by Samuel Mason Thursday, December 26, 2013 5:29 PM
    • Unmarked as answer by Samuel Mason Thursday, December 26, 2013 5:31 PM
    • Marked as answer by Samuel Mason Thursday, December 26, 2013 5:32 PM
    Thursday, December 26, 2013 5:14 PM
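
A small model of the precedence rules described in the answer above, added here as an illustration; it is not ConfigMgr code and not part of the original thread. The class, function and setting-group names are assumptions, and the collections and values are constructed.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 10000  # priority of the Default Client Settings, per the thread


@dataclass
class ClientSettings:
    name: str
    priority: int   # lower number takes precedence
    groups: dict    # only the setting groups whose box is checked
    collections: set = field(default_factory=set)  # deployment targets


def resultant(client_collections, default, custom):
    """Merge settings for one client the way the thread describes."""
    applicable = [s for s in custom if s.collections & client_collections]
    # Default is never deployed: it applies to every client, at lowest priority.
    ordered = sorted(applicable, key=lambda s: s.priority) + [default]
    result, source = {}, {}
    for s in ordered:
        for group, value in s.groups.items():
            if group not in result:  # highest-priority writer wins
                result[group] = value
                source[group] = s.name
    return result, source


def scenario(default_ep, server_groups):
    """Resultant settings for a test server (constructed values)."""
    default = ClientSettings("Default", DEFAULT_PRIORITY,
                             {"EndpointProtection": default_ep, "BITS": False})
    custom = [
        ClientSettings("Server", 1, server_groups, {"Servers"}),
        ClientSettings("Workstation", 2,
                       {"EndpointProtection": True, "BITS": True},
                       {"Workstations"}),
    ]
    return resultant({"Servers"}, default, custom)


if __name__ == "__main__":
    # EP enabled in Default, Server settings leave the EP box blank.
    print(scenario(True, {"BITS": True}))
    # EP enabled in Default, Server settings explicitly turn EP off.
    print(scenario(True, {"BITS": True, "EndpointProtection": False}))
    # EP disabled in Default, Server settings do not mention EP.
    print(scenario(False, {"BITS": True}))
```

The first case reproduces the symptom in the question: the server still ends up with EP, and the source map shows the value came from Default rather than from the Workstation settings.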
  • Thanks Mike.

    I must have made a change early on to the Default and not remembered it.. not like me but I've been pretty lost on this product so I may be a little unpredictable.

    I struggled with the best place to "Mark as Answer" but I think I covered the most helpful suggestions, hopefully someone with a similar problem will read the entire thread.

    I could not remove EP from the Default Client Settings but I selected "No" for "Manage Endpoint Protection Client on client computers". I will monitor my test server to ensure EP doesn't come back as it did over the last couple days.

    Thursday, December 26, 2013 5:38 PM