Currently, the Update button in SCEP does not perform any function when you want to use the SUP as a definition source. Per: https://support.microsoft.com/en-us/kb/2831244 - When you click Update in the SCEP UI, the client looks for a FallbackOrder registry key in HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates. The client will check each update source in the FallbackOrder registry key in the order that they are listed until it locates a source that has available definitions. If it goes through all sources without detecting available definitions, it returns an error and the update attempt is unsuccessful. Configuration Manager is never listed in the FallbackOrder registry key, as the SCEP client does not recognize a Configuration Manger Software Update Point agent (and associated infrastructure) as a valid definition source and cannot pull definitions from Configuration Manager.

The SCEP Client needs to be updated to recognize the SUP as a valid definition source - rather than having to open the ConfigMgr Control Panel window, and running a "Software Deployment and Evaluation" cycle. Running the SDEC is a labor intensive operation for the WUAHandler and Software Updates agent on the client, requires a full sync of the WSUS info, which puts additional load on the WSUS server.

Configuration Manager allows the creation of subscriptions to alerts for the following Endpoint Protection events:

* Malware outbreak - the same malware detected on multiple computers
* Multiple malware detected on one computer
* Same malware repeatedly detected on one computer

The ability to subscribe to alerts for these events is useful, but this feature could be improved.

For example, I don't need to be alerted when malicious JavaScript on a website is repeatedly detected and blocked on a user's computer, but there is no way to filter notifications for a specific class of threats. On the other hand, I do want to be alerted when remediation of a single infection on a single machine fails, but this is not possible either.

So this portion is currently listed under EP in the SCCM console so im posting here. i would like to see an enterprise solution to deploying the windows firewall similar to the way DCM relationships are. Not the existing feature in SCCM where you can simply enable or disable the firewall policy. i would like to see Individual Firewall rules are created as Configuration items and then grouped into Baselines to be applied at a granular level to computers. that way we can remove the GPO dependency on where a computer is placed or at which level its place. SCCM would be a much much better place to handle this type of configuration on an enterprise level.

I would like to change the randomization for scheduled scans more than SCEP seems to allow. There seems to be an option in the Advanced 'tab' that is a simple yes/no setting to change enable 30 minute randomization of scans and update start times.

for one I feel this is to short of a randomization time, and would like it to be configurable.

secondly I think these two events should not be governed by the same control.

On a Server farm for example using shared storage I would want my Servers running their scheduled scan across a longer time period, like 6 hours for example. But I would not want the definition updates to be randomized over 6 hours.

Thanks

We have encountered quite a few false positives since converting to Endpoint via SCCM. So far the biggest problem has been submitting a false positive report to MS (one that will actually get listened to at least). We should have the ability from within the console to submit a file or report detailing a false positive and receive data on whether or not that file is rated as a threat with current virus definitions. If the Endpoint team is going to speak proudly of its low false positive rate, they should make it much easier for an Enterprise client to notify them of a new occurrence.