Endpoint Protection admin control

Is it possible to give admins more control over the client endpoint 2012 settings on my PCs? So, for instance, a domain admin logs in and would like to disable AV or the firewall to test something... or add exclusions to the scanning?

Thanks

R

January 29th, 2014 3:06pm

You can't simply disable SCEP for security reasons (new anti-tampering); even an admin can't do that. There are tools and steps you can take to do that, but they take more time than just uninstalling SCEP. You can also find some useful info here:

http://blogs.technet.com/b/mspfe/archive/2013/02/19/anti-tampering-for-the-antimalware-service-in-system-center-endpoint-protection-2012-sp1.aspx

As for delegation of rights to your admins, there is a security role in SCCM named Endpoint Protection Manager which you can copy and further expand or limit as you wish.



January 29th, 2014 3:42pm

Thanks for the reply...

So, an admin cannot do this which is ok... I get it.

The article mentions turning things off one at a time to troubleshoot (NIS, Behavioral and Realtime). So create a custom policy and push that to a collection with the PC I'm troubleshooting only?

I'm still getting used to how SCCM 2012 works over 2007... Sorry for the basic question.

R

January 29th, 2014 3:50pm

If you are going to be the only one troubleshooting, that would work. If you have multiple admins who will need to be able to do this, I would suggest doing this:

Use or copy the Endpoint Protection Manager Role and grant it permissions to add/remove resources to a test collection that admins will add servers to. Give them a policy that has a higher priority than what is currently applied to servers that is deployed to that collection, and the rights to make changes to that policy to troubleshoot things. When they are done they remove the server from that collection, and it picks up the old policy, or if things need to be modified you can deal with that too. 

January 29th, 2014 4:01pm

The article mentions turning things off one at a time to troubleshoot (NIS, Behavioral and Realtime). So create a custom policy and push that to a collection with the PC I'm troubleshooting only?

It all depends what you are troubleshooting.

In order to figure out if AV is an issue in general, the fastest way is to block the SCCM client from the console if SCEP is deployed to all clients; this will prevent re-installation for the time you need it. Then uninstall SCEP and move on with troubleshooting.
After you are done, unblock the client and let SCEP install again, or install it manually from c:\windows\ccmsetup\scepinstall.exe

Once you know that AV is an issue and need to pinpoint what needs to be configured, then I would go with what t.c.rich is suggesting and define a higher priority policy assigned to a new collection with whatever new settings you know should be punched in, then assign the device to that collection, let the policy apply and re-test. Once completed, you just remove that device from your test collection and make changes in production as needed.

  • Proposed as answer by t.c.rich 14 hours 10 minutes ago
January 29th, 2014 5:02pm
