Microsoft System Center 2012 Endpoint Protection Server

Version 2

    This template allows you to monitor the status of System Center 2012 Endpoint Protection Server installed on a Windows machine by using PowerShell and service monitors.


    Prerequisites: WinRM must be installed and properly configured on the target server and WMI access to the target server.

    Credentials: Administrator on target server.

    Each PowerShell monitor uses the same argument with the exception of: Protection Status on Specific Machine.

    For Example:
    S01

    where S01 is the 3-character site code where Endpoint Protection is installed (This is the code you provided during installation of Microsoft System Center Configuration Manager (SCCM));


    Note: You must specify the correct arguments for each monitored component in the Script Arguments field. If you fail to do this, the monitor will return with a status error of "Undefined."

    Components Monitors

    Endpoint Protection General State

    This monitor returns the general Endpoint Protection statistic. The returned values are as follows:

         Antispyware Enabled – This component returns the number of computers with enabled antispyware. The value returned should be as high as possible.

         Antivirus Enabled – This component returns the number of computers with enabled antivirus. The value returned should be as high as possible.

         EP Enabled – This component returns the number of computers where Endpoint Protection is enabled. The returned value should be as high as possible.

         Antispyware Disabled – This component returns the number of computers with disabled antispyware. The value returned should be as low as possible.

         Antivirus Disabled – This component returns the number of computers with disabled antivirus. The value returned should be as low as possible.

         EP Disabled – This component returns the number of computers where Endpoint Protection is disabled. The value returned should be as low as possible.

     

    Pending Operations Required

    This monitor returns the pending operations status (reboots, scans, etc) of Endpoint Protection computers. The returned values are as follows:

         Pending Full Scan – This component returns the number of computers where a full scan is required. The value returned should be as low as possible.

         Pending Manual Steps – This component returns the number of computers where manual actions are required. The value returned should be as low as possible.

         Pending Offline Scan – This component returns the number of computers where offline scans are required. The value returned should be as low as possible.

         Pending Reboot – This component returns the number of computers which should be rebooted. The value returned should be as low as possible.

     

    Endpoint Protection Deployment Status

    This monitor returns the deployment status of Endpoint Protection. The returned values are as follows:

         Unmanaged – This component returns the number of unmanaged machines. The value returned should be as low as possible.

         To Be Installed – This component returns the number of computers where Endpoint Protection will be installed. The value returned should be as low as possible.

         Managed – This component returns the number of computers where Endpoint Protection is installed and managed by server. The returned value should be as high as possible.

         Installed With Error – This component returns the number of computers where Endpoint Protection is installed with errors. The value returned should be as low as possible.

         Pending Reboot – This component returns the number of computers which should be rebooted after Endpoint Protection installation. The value returned should be as low as possible.

     

    Infection Status

    This monitor returns computer infection status. The returned values are as follows:

         Unknown – This component returns the number of machines with an unknown infection status. The value returned should be as low as possible.

         None – This component returns the number of computers with a normal infection status. The value returned should be as high as possible.

         Cleaned – This component returns the number of computers with a cleaned infection status. The returned value should be as high as possible.

         Pending – This component returns the number of computers with a pending infection status. The value returned should be as low as possible.

         Failed – This component returns the number of computers with a failed infection status. The value returned should be as low as possible.

     

    Endpoint Protection Status

    This monitor returns Endpoint Protection status on monitored computers. The returned values are as follows:

         Unknown – This component returns the number of computers with an unknown Endpoint Protection status. The value returned should be as low as possible.

         No Malware Protection – This component returns the number of computers where a service started without any malware protection engine. The value returned should be as low as possible.

         Pending Full Scan – This component returns the number of computers pending a full scan due to a threat action. The value returned should be as low as possible.

         Pending Reboot – This component returns the number of computers pending a reboot. The value returned should be as low as possible.

         Pending Manual Steps – This component returns the number of computers that are pending manual steps due to a threat action. The value returned should be as low as possible.

         AV Out of Date – This component returns the number of computers where antivirus signatures are out of date. The value returned should be as low as possible.

         AS Out of Date – This component returns the number of computers that report antispyware signatures are out of date. The value returned should be as high as possible.

         No Quick Scan – This component returns the number of computers where no quick scan has occurred for a specified period. The returned value should be as low as possible.

         No Full Scan – This component returns the number of computers where no full scan has occurred for a specified period. The value returned should be as low as possible.

     

    Endpoint Protection Status 2

    This monitor returns the Endpoint Protection status on monitored computers. The returned values are as follows:

         Scan in Progress – This component returns the number of computers where a system initiated scan is in progress. The value returned should be as low as possible.

         Clean in Progress – This component returns the number of computers where a system initiated clean is in progress. The value returned should be as low as possible.

         Pending Submission – This component returns the number of computers where samples are pending submission. The value returned should be as low as possible.

         Evaluation Mode – This component returns the number of computers where the product is running in evaluation mode. The value returned should be as low as possible.

         Not Genuine – This component returns the number of computers where the product is running in non-genuine Windows mode. The value returned should be as low as possible.

         Product Expired – This component returns the number of computers where the product is expired. The value returned should be as low as possible.

         Scan Required – This component returns the number of computers where an offline scan is required. The value returned should be as low as possible.

     

    Protection Status on Specific Machine

    This monitor returns the Endpoint Protection status on specific computer. The returned values are as follows:

         Antispyware Enabled – This component returns the state of the antispyware engine: 0 – Enabled; 1 - Disabled.

         Antivirus Enabled – This component returns the state of the antivirus engine: 0 – Enabled; 1 - Disabled.

         EP Enabled – This component returns the state of Endpoint Protection: 0 – Enabled; 1 - Disabled.

         Pending Full Scan – This component returns 1 if Endpoint Protection is pending a full scan, and 0 – if not.

         Pending Manual Steps – This component returns 1 if Endpoint Protection is pending manual steps, and 0 – if not.

         Pending Offline Scan – This component returns 1 if Endpoint Protection is pending an offline scan, and 0 – if not.

         Pending Reboot – This component returns 1 if Endpoint Protection is pending a reboot, and 0 – if not.

         Deployment State – This component returns computers’ deployment status.
         Possible values:
         
    0 - Managed;
          1 - Reboot Pending;
          2 - Connecting;
          3 - Installed With Error;
          4 - Unmanaged;
          5 - Unknown.

         Infection Status – This component returns computers’ infection status.
         Possible values:
         
    0 - None;
          1 - Cleaned;
          2 - Pending;
          3 - Failed;
          4 - Unknown;

         Product Status – This component returns the total Endpoint Protection status.
         Possible values:
         
    0 - No status available;
          1 - Service started without any malware protection engine;
          2 - Pending a full scan due to threat action;
          3 - Pending a reboot due to threat action;
          4 - Pending manual steps due to threat action;
          5 - AV signatures out of date;
          6 - AS signatures out of date;
          7 - No quick scan has happened for a specified period;
          8 - No full scan has happened for a specified period;
          9 - System initiated scan in progress;
          10 - System initiated clean in progress;
          11 - There are samples pending submission;
          12 - Product running in evaluation mode;
          13 - Product running in non-genuine Windows mode;
          14 - Product expired;
          15 - Off-line scan required;
          16 - Unknown;

     

    Configuring Windows Remote Management (WinRM)

    1. If not already done so, install PowerShell 2.0 and WinRM on the SAM and target servers. Powershell 2.0 can be found here: http://support.microsoft.com/kb/968930.
    2. On the SAM server, open a command prompt as an administrator. To do this, perform the following step:
    • Go to the Start menu and right-click the cmd.exe and then select Run as Administrator.
    1. Enter the following in the command prompt:
             winrm quickconfig
      winrm set winrm/config/client @{TrustedHosts="*"}
    2. 4.     On the target server, open a command prompt as an Administrator and enter the following:
             winrm quickconfig
      winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}

    where IP address is the IP address of your SAM server.

     

    Portions of this document are based on the following document: Microsoft Antimalware located at http://azure.microsoft.com/blog/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download/

    Last updated: 7/18/2014


    System Center 2012 Endpoint Protection Server.png