scep 2012 and wsus and sccm (sup)

  • Question

  • Hello,

    I am currently running ForeFront Client Security, an older version of SCEP. So I thought it was about time to update the AV infra. I have read that it is possible to run SCEP 2012 without SCCM, but I understood that manageability will get very limited without SCCM. So I thought, OK, let's do it with SCCM.

    But it seems that the distribution relies on WSUS, which I already have running and working perfectly. I have some tooling around it, so patch deployment is completely automated. Something I do not want to give up. I could live with migrating to a new WSUS instance, as long as I can still use my tooling. But from what I understood, when you deploy SCEP with SCCM, you can only push Windows Updates from SCCM. You cannot have your endpoints pull updates from the WSUS server, like we normally do.

    I just want to know if I understood correctly. If yes, what the hell is Microsoft doing? I do not want to create collections and software packages, my wsus clients are smart enough to figure out what they need. So I want to keep that in place.

    If anyone can shed some light, please let me know.

    Best regards,

    Ronald

    Wednesday, March 26, 2014 10:32 PM


All replies

  • You don't have to use SCCM to distribute software updates. Just don't configure a software update point role when you stand up the environment. And then in your Antimalware policy, configure WSUS to be the top/primary source for definition updates.
    Thursday, March 27, 2014 2:09 PM
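    The reply above says to leave the software update point out and make WSUS the primary definition source in the antimalware policy. The PowerShell below is an added example, not code from the thread or from Microsoft; run it on an endpoint to confirm the policy actually landed and that definitions are arriving through WSUS. It assumes the SCEP policy registry path, the `FallbackOrder` source names (`InternalDefinitionUpdateServer` is the WSUS entry), the Windows Update Agent policy values, and the `root\Microsoft\SecurityClient` WMI class as documented for SCEP/FEP 2012; the WSUS URL and age threshold are placeholders.

```powershell
# Added example (not from the thread): verify an SCEP 2012 endpoint pulls
# definitions from WSUS first and that its signatures are current.
# Assumed: registry paths/value names and the AntimalwareHealthStatus WMI
# class match SCEP/FEP 2012 documentation; adjust if your build differs.

param(
    [string]$ExpectedWsusServer = 'http://wsus.example.internal:8530', # placeholder
    [int]$MaxSignatureAgeDays   = 3                                    # assumed threshold
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Definition source order pushed by the antimalware policy.
#    A WSUS-first policy produces a FallbackOrder beginning with
#    InternalDefinitionUpdateServer (assumed value name).
$sigPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates'
$fallback  = (Get-ItemProperty -Path $sigPolicy -Name FallbackOrder -ErrorAction SilentlyContinue).FallbackOrder
if (-not $fallback) {
    $findings.Add('No FallbackOrder policy found; client uses product defaults, not WSUS first.')
} elseif ($fallback.Split('|')[0] -ne 'InternalDefinitionUpdateServer') {
    $findings.Add("FallbackOrder is '$fallback'; WSUS is not the primary definition source.")
}

# 2. The Windows Update Agent must itself point at WSUS, otherwise the
#    InternalDefinitionUpdateServer entry has nowhere to go.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -Name WUServer -ErrorAction SilentlyContinue).WUServer
$useWu    = (Get-ItemProperty -Path "$wuPolicy\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
if ($useWu -ne 1 -or -not $wuServer) {
    $findings.Add('Windows Update Agent is not configured to use an intranet WSUS server.')
} elseif ($wuServer.TrimEnd('/') -ne $ExpectedWsusServer.TrimEnd('/')) {
    $findings.Add("WUServer is '$wuServer', expected '$ExpectedWsusServer'.")
}

# 3. Freshness and protection state reported by the SCEP client itself.
$health = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' `
                        -Class AntimalwareHealthStatus -ErrorAction SilentlyContinue
if (-not $health) {
    $findings.Add('SCEP health WMI class not present; the client may not be installed.')
} else {
    if ($health.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("AV signatures are $($health.AntivirusSignatureAge) days old (version $($health.AntivirusSignatureVersion)).")
    }
    if (-not $health.RtpEnabled) { $findings.Add('Real-time protection is disabled.') }
}

# Non-zero exit so the check can feed an existing WSUS/monitoring toolchain.
if ($findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME pulls definitions via WSUS '$wuServer' and signatures are current."
    exit 0
}
$findings | ForEach-Object { Write-Output "WARN: $_" }
exit 1
```

    Two things the check cannot see from the endpoint: the WSUS server has to synchronise and approve the Definition Updates classification for the Forefront Endpoint Protection product, and a stale signature age with a correct FallbackOrder usually means approvals, not client policy, are the problem.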
  • Hi Kevin,

    OK, I thought setting up a SUP was a prerequisite for deploying SCEP 2012. How do I distribute just the SCEP client then? Just with SCCM as well? And can I manage the full SCEP client environment (policies etc) with SCCM?

    Thanks in advance.

    BR,

    Ronald

    Friday, March 28, 2014 3:39 PM
  • The SCEP installer is part of the overall SCCM client install file set. You have to install the SCCM client on your machines and have the client settings policy targeted to those machines with the setting enabled to "Manage Endpoint Protection client on client computers". That is the setting that allows the SCEP client to install. You then configure an antimalware policy with the desired settings related just to the SCEP client and target it to the machines you want to manage. You must install the SCCM client in addition to the SCEP client if you want to be able to centrally manage the clients from SCCM and get all of the monitoring and reporting capabilities. If you want to just install the SCEP client, you could simply distribute SCEPInstall.exe through whatever method you are familiar with, then you could still centrally manage policies through Group Policy, but you would not have any of the monitoring/reporting capabilities of SCCM.

    Here's some additional documentation:

    Planning for Endpoint Protection in Configuration Manager

    SCEPInstall.exe Setup Switches

    Export Policies from SCEP and import into Group Policy

    Using Group Policy with FEP

    fep2010grouppolicytools-en-us.exe

    (The links say FEP but the GPO related information should still generally apply to SCEP)




    Friday, March 28, 2014 4:03 PM
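    For the unmanaged path in the reply above (distribute `SCEPInstall.exe` yourself and keep policy in Group Policy), this added PowerShell is an example deployment wrapper, not the project's or Microsoft's code. It assumes the `/s`, `/q` and `/policy` switches described in the "SCEPInstall.exe Setup Switches" documentation, that the policy XML was exported from the Configuration Manager console, that the antimalware service is named `MsMpSvc`, and that the health state is readable from the `root\Microsoft\SecurityClient` WMI class; the share paths are placeholders.

```powershell
# Added example (not from the thread): install the SCEP 2012 client silently
# with a pre-exported antimalware policy, then verify protection is on.
# Assumed: SCEPInstall.exe switches /s /q /policy; service name MsMpSvc;
# AntimalwareHealthStatus WMI class. Paths are placeholders.

param(
    [string]$InstallerPath = '\\fileserver\SCEP\SCEPInstall.exe',          # placeholder
    [string]$PolicyPath    = '\\fileserver\SCEP\Workstation-Policy.xml',   # placeholder
    [string]$LogDir        = "$env:ProgramData\SCEPDeploy"
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$logFile = Join-Path $LogDir ('install-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

function Write-Log([string]$Message) {
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
    Write-Output $line
}

# Idempotent: skip the installer if the antimalware service already exists.
if (Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue) {
    Write-Log 'MsMpSvc already present; skipping install.'
} else {
    foreach ($p in @($InstallerPath, $PolicyPath)) {
        if (-not (Test-Path $p)) { Write-Log "Missing file: $p"; exit 2 }
    }
    # /s silent, /q quiet, /policy applies the exported policy at install time
    # (switch names assumed from the setup-switches documentation).
    $installArgs = @('/s', '/q', '/policy', "`"$PolicyPath`"")
    Write-Log "Running: $InstallerPath $($installArgs -join ' ')"
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $installArgs -Wait -PassThru
    Write-Log "Installer exit code: $($proc.ExitCode)"
    # 3010 is the usual Windows "success, reboot required" code; treat as success
    # here but surface it in the log (assumption that SCEPInstall follows it).
    if ($proc.ExitCode -notin 0, 3010) { exit $proc.ExitCode }
}

# Verify the service is running and the policy left protection enabled.
$svc = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { Write-Log 'MsMpSvc is not running.'; exit 3 }

$health = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' `
                        -Class AntimalwareHealthStatus -ErrorAction SilentlyContinue
if ($health -and $health.RtpEnabled -and $health.AntivirusEnabled) {
    Write-Log "SCEP healthy: real-time protection on, signatures v$($health.AntivirusSignatureVersion)."
    exit 0
}
Write-Log 'SCEP installed but protection is not fully enabled; check the applied policy.'
exit 4
```

    The policy file only seeds the initial settings; as the reply notes, ongoing policy for clients installed this way comes from Group Policy, so the GPO should carry the same settings as the exported XML or the client will drift from them at the next policy refresh.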