Currently, the Update button in SCEP does not perform any function when you want to use the SUP as a definition source. Per: https://support.microsoft.com/en-us/kb/2831244 - When you click Update in the SCEP UI, the client looks for a FallbackOrder registry key in HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates. The client will check each update source in the FallbackOrder registry key in the order that they are listed until it locates a source that has available definitions. If it goes through all sources without detecting available definitions, it returns an error and the update attempt is unsuccessful. Configuration Manager is never listed in the FallbackOrder registry key, as the SCEP client does not recognize a Configuration Manger Software Update Point agent (and associated infrastructure) as a valid definition source and cannot pull definitions from Configuration Manager.

The SCEP Client needs to be updated to recognize the SUP as a valid definition source - rather than having to open the ConfigMgr Control Panel window, and running a "Software Deployment and Evaluation" cycle. Running the SDEC is a labor intensive operation for the WUAHandler and Software Updates agent on the client, requires a full sync of the WSUS info, which puts additional load on the WSUS server.

So this portion is currently listed under EP in the SCCM console so im posting here. i would like to see an enterprise solution to deploying the windows firewall similar to the way DCM relationships are. Not the existing feature in SCCM where you can simply enable or disable the firewall policy. i would like to see Individual Firewall rules are created as Configuration items and then grouped into Baselines to be applied at a granular level to computers. that way we can remove the GPO dependency on where a computer is placed or at which level its place. SCCM would be a much much better place to handle this type of configuration on an enterprise level.

Currently SCCM lets you enable/disable some settings like the newer feature of PUA. It does not allow for alerts of malware and Endpoint Protection to be configured independently. Just because I want it detected, may not mean I wanted it reported on. We like PUA's being detected, but we do not want to be alerted on PUA, because we get too many each week, most of which are valid installers we use. We do not want to exclude them, because a new version of the .exe may have something we are not aware of. I would like to see alerts for malware granular enough that we can determine which classes of malware we get alerted on. Perhaps I want to be alerted to virus, worm, Trojan, but not PUA (or PUP). Some classes I would want to perhaps control independently would be worm, virus, Trojan, adware, spyware, ransomware, Rootkit, PUA (or PUP), and possibly keylogger. This list may not be all inclusive of every type of malware but its a good start. PUA is a low threat so we would not want to be alerted. We may want to alert out network team to any worms, so they may want a separate alert for worm specific infections. Ransomware may need to go to our security department. Each category may potentially have a different type of alert setup or may rank differently. We may have a daily alert sent out one way, and then a weekly alert sent out differently.

Configuration Manager allows the creation of subscriptions to alerts for the following Endpoint Protection events:

* Malware outbreak - the same malware detected on multiple computers
* Multiple malware detected on one computer
* Same malware repeatedly detected on one computer

The ability to subscribe to alerts for these events is useful, but this feature could be improved.

For example, I don't need to be alerted when malicious JavaScript on a website is repeatedly detected and blocked on a user's computer, but there is no way to filter notifications for a specific class of threats. On the other hand, I do want to be alerted when remediation of a single infection on a single machine fails, but this is not possible either.

I would like to change the randomization for scheduled scans more than SCEP seems to allow. There seems to be an option in the Advanced 'tab' that is a simple yes/no setting to change enable 30 minute randomization of scans and update start times.

for one I feel this is to short of a randomization time, and would like it to be configurable.

secondly I think these two events should not be governed by the same control.

On a Server farm for example using shared storage I would want my Servers running their scheduled scan across a longer time period, like 6 hours for example. But I would not want the definition updates to be randomized over 6 hours.

Thanks

We have encountered quite a few false positives since converting to Endpoint via SCCM. So far the biggest problem has been submitting a false positive report to MS (one that will actually get listened to at least). We should have the ability from within the console to submit a file or report detailing a false positive and receive data on whether or not that file is rated as a threat with current virus definitions. If the Endpoint team is going to speak proudly of its low false positive rate, they should make it much easier for an Enterprise client to notify them of a new occurrence.