Hi all,
We are currently in the process of deploying System Center Endpoint Protection via the .exe and GPO and we are struggling to lock the client down quickly and simply!
Does anyone have any tips and tricks to prevent students tampering with the software? I know we can tweak settings individually in Group Policy and then these get greyed out but seems a bit of a faff putting in every possible setting when we are quite happy with the vast majority of defaults.
Thanks
Michael
We lock it down using SCCM. I assume you dont have that?
You can install it with an XML answer file that will prevent this i think.
SCCM2012 has Antimalware Policies under Endpoint Protection in the Assets & Compliance tab... about 5 minutes of work and works seamlessly. Didn't know you could manage SCEP without SCCM?
We are licensed but have not installed yet... we are waiting until we get our new servers in the summer to go through the rather lengthy install process (or am I imagining it being worse than it actually is). I think you also need SCCM to create the XML file and, from what I believe, this will then only do the same as GP.
Anyone got a nice way of doing this with GPO/standard windows security?
Michael
ok... couple of quick question regarding SCCM as I think that is the route we may need to go down:
Does the install automatically create an SQL Express database and, for a school with ~300 clients is this good enough vs. full SQL.
How much disk-space does the SCCM database take up?
Databae space is 3MB a client. It doesnt automatically create a database im not sure if it will work with express.
Do you not have SQL already for something else?
CyBeRkId2002 (14th November 2012)
It's not too bad in all honesty - windows-noob.com will be your friend for SCCM guides: System Center 2012 Configuration Manager Guides - Configuration Manager 2012 - www.windows-noob.com
For 450+ devices here and an installation that's about 4 months in (and has deployed all my software to clients), my SQL folder is 11Gb. The drive I use for SCCM data has 42Gb space used at the moment, but we image with Fog rather than SCCM so add some onto that if you're planning on doing imaging as well.
Your SCCM licence usually comes with a SQL licence to install a full SQL 2008R2. You can use a remote DB on another server if necessary.
CyBeRkId2002 (14th November 2012)
just wanted to say thanks to the pair of you for the advice... gave me the kick up the a**e i needed to get SCCM installed and after a couple of days of work (they certainly dont make it easy to install - for a Microsoft System Management tool that is running on a Microsoft Database on a Microsoft operating system the process should have been a little more seamless!) we have all of our clients updated and running SCEP!
Thanks!
(as a side note I have a quick question incase it is something either of you have come across... during the install process I have got our SCCM server talking to WSUS on a different server. The clients are still updating directly from the other server as that is where they are currently directed in Group Policy. Is this the recommended policy or should updates be pushed out using SCCM? If so how is Windows Update configured on the clients? Is it disabled?)
Don't know what the recommendation is when WSUS is on another server, but I know you can't run it on the same server, in that instance you have to use SCCM. Bit of a different workflow to doing updates in SCCM although now I know what I'm doing with it (sort of) it's quicker to push out new updates.
Updates are set to the FQDN of the SCCM server on the WSUS port (e.g. http://SCCM.domain.local:8530); the only update that Windows Update ever installs is the config manager client, then Software Center installs all the updates after that.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks