Protect Data and Site Infrastructure


Contents

Protect data and infrastructure documentation


Understand and explore
Overview
Plan and design
Plan for Endpoint Protection
Plan for BitLocker management
Plan for certificate profiles
Certificate profile prerequisites
Certificate template permissions for certificate profiles
Wi-Fi and VPN profile prerequisites
Security and privacy
Wi-Fi and VPN profiles
Certificate profiles
Deploy and use
Endpoint Protection
Endpoint Protection overview
Configure Endpoint Protection
How to configure Endpoint Protection
Site system role
Alerts
Definition updates
Definition updates overview
ConfigMgr updates
WSUS updates
Microsoft updates
Malware Protection Center
Network share updates
Deploy policy
Configure client
Windows Firewall policies
Microsoft Defender Advanced Threat Protection
Create and deploy Exploit Guard policy
Create and deploy Application Guard policy
Windows Defender Application Control settings
Antimalware and firewall tasks
Endpoint Protection scenario
Endpoint Protection client help
Troubleshooting client
Windows Defender FAQ
BitLocker management
Encrypt recovery data
Deploy BitLocker management
Set up BitLocker portals
Customize the self-service portal
View BitLocker reports
Administration and monitoring website
Self-service portal
Windows Hello for Business settings
Certificate profiles
Introduction to certificate profiles
Create certificate profiles
Configuring certificate infrastructure
Wi-Fi profiles
Create Wi-Fi profiles
VPN profiles
VPN profiles
Create VPN profiles
Find a package family name (PFN) for per-app VPN
Deploy Wi-Fi, VPN, email, and certificate profiles
Terms and conditions settings
Monitor protection
Monitor Wi-Fi, email, and VPN profiles
Monitor Wi-Fi, email, and VPN profiles
Monitor certificate profiles
Monitor Endpoint Protection
Technical reference
BitLocker management
Settings reference
Troubleshoot BitLocker
BitLocker event logs
Client event logs
Server event logs
Non-compliance codes
Protect data and site infrastructure
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


You want your users to securely access your organization's resources. Protect both your infrastructure and your
data from exposure or malicious attack. Use Configuration Manager to enable access and help protect your
organization's resources.
Endpoint Protection lets you manage the following Microsoft Defender policies for client computers:
Microsoft Defender Antimalware
Microsoft Defender Firewall
Microsoft Defender Advanced Threat Protection
Microsoft Defender Exploit Guard
Microsoft Defender Application Guard
Microsoft Defender Application Control

TIP
To manage endpoint protection on co-managed Windows 10 devices using the Microsoft Endpoint Manager cloud
service, switch the Endpoint Protection workload to Intune. For more information, see Endpoint protection for
Microsoft Intune.

Protect data stored on on-premises Windows clients with BitLocker Drive Encryption (BDE). Configuration
Manager provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker
Administration and Monitoring (MBAM). For more information, see Plan for BitLocker management.
Instead of traditional passwords, enable alternative sign-in methods on Windows 10 devices using Windows
Hello for Business. For more information, see Windows Hello for Business settings.
Minimize your users' efforts to connect to resources by enabling VPN connectivity using VPN profiles. For
more information, see VPN profiles.
Wi-Fi profiles provide a set of tools and resources to help you manage wireless network settings on devices
in your organization. By deploying these settings, you minimize the effort that end users require to connect
to wireless networks. For more information, see Wi-Fi profiles.
Provision devices with the certificates that users need to connect to resources. For more information, see
Certificate profiles.
Planning for Endpoint Protection in Configuration
Manager
7/7/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Endpoint Protection in Configuration Manager lets you manage antimalware policies and Windows Firewall
security for client computers in your Configuration Manager hierarchy.

IMPORTANT
You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:
Configure antimalware policies, Windows Firewall settings, and manage Microsoft Defender Advanced
Threat Protection to selected groups of computers
Use Configuration Manager software updates to download the latest antimalware definition files to keep
client computers up-to-date
Send email notifications, use in-console monitoring, and view reports to keep administrative users informed
when malware is detected on client computers
Windows 10 computers don't require any additional client for endpoint protection management. On Windows 8.1
and earlier computers, Endpoint Protection installs its own client in addition to the Configuration Manager client.
The Endpoint Protection client has the following capabilities:
Malware and spyware detection and remediation
Rootkit detection and remediation
Critical vulnerability assessment and automatic definition and engine updates
Network vulnerability detection through Network Inspection System
Integration with Cloud Protection Service to report malware to Microsoft. When you join this service,
Windows Defender or the Endpoint Protection client can download the latest definitions from the Malware
Protection Center when unidentified malware is detected on a computer.

NOTE
The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest virtual machines with supported
operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in, randomized delay so that
services do not run simultaneously.

In addition, Endpoint Protection in Configuration Manager lets you manage Windows Firewall settings in the
Configuration Manager console.
Example scenario: Using System Center Endpoint Protection to protect computers from malware shows how you
might configure and manage Endpoint Protection and the Windows Firewall.
Managing Malware with Endpoint Protection
Endpoint Protection in Configuration Manager allows you to create antimalware policies that contain settings for
Endpoint Protection client configurations. You can then deploy these antimalware policies to client computers and
monitor them in the Endpoint Protection Status node in the Monitoring workspace, or by using Configuration
Manager reports.
Additional information:
Create and deploy antimalware policies for Endpoint Protection - Create, deploy, and monitor antimalware
policies with a list of the settings that you can configure
Monitor Endpoint Protection - Monitoring activity reports, infected client computers, and more.
Manage antimalware policies and firewall settings for Endpoint Protection - You can change policy priority
for antimalware or firewall, remediate malware found on client computers, and other tasks

Managing Windows Firewall with Endpoint Protection


Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client
computers. For each network profile, you can configure the following settings:
Enable or disable the Windows Firewall.
Block incoming connections, including those in the list of allowed programs.
Notify the user when Windows Firewall blocks a new program.

NOTE
Endpoint Protection supports managing the Windows Firewall only.

For more information about how to create and deploy Windows Firewall policies for Endpoint Protection, see How
to create and deploy Windows Firewall policies for Endpoint Protection.
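A local check that the three per-profile settings listed above actually took effect on a client, written as an added example (it is not code from the Configuration Manager documentation). It assumes the NetSecurity module's Get-NetFirewallProfile cmdlet is available on the client; the expected values in $ExpectedPolicy are constructed for illustration and should be set to match your own deployed policy.

```powershell
# Added example (not from the Configuration Manager documentation): audits the three
# Windows Firewall settings that an Endpoint Protection firewall policy manages, per
# network profile, on a local Windows client. Run in an elevated PowerShell session.
# The expected values below are constructed for this example; set them to match your policy.
$ExpectedPolicy = @{
    Domain  = @{ Enabled = $true; BlockAllInbound = $false; NotifyOnBlock = $true }
    Private = @{ Enabled = $true; BlockAllInbound = $false; NotifyOnBlock = $true }
    Public  = @{ Enabled = $true; BlockAllInbound = $true;  NotifyOnBlock = $false }
}

function Get-FirewallProfileState {
    # Maps NetSecurity module properties onto the three policy settings described above:
    #   Enable or disable the Windows Firewall             -> Enabled
    #   Block incoming connections, incl. allowed programs  -> AllowInboundRules = False
    #   Notify the user when a new program is blocked       -> NotifyOnListen = True
    # These properties are GpoBoolean values (True, False, NotConfigured), so compare
    # against 'True'/'False' rather than casting to [bool]; NotConfigured counts as unset.
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Profile         = $p.Name
            Enabled         = ($p.Enabled -eq 'True')
            BlockAllInbound = ($p.AllowInboundRules -eq 'False')
            NotifyOnBlock   = ($p.NotifyOnListen -eq 'True')
        }
    }
}

function Test-FirewallCompliance {
    param([hashtable]$Expected)
    $findings = @()
    foreach ($state in Get-FirewallProfileState) {
        $want = $Expected[$state.Profile]
        if ($null -eq $want) { continue }   # profile not covered by the policy
        foreach ($setting in 'Enabled', 'BlockAllInbound', 'NotifyOnBlock') {
            if ($state.$setting -ne $want[$setting]) {
                $findings += [pscustomobject]@{
                    Profile  = $state.Profile
                    Setting  = $setting
                    Expected = $want[$setting]
                    Actual   = $state.$setting
                }
            }
        }
    }
    return $findings
}

$drift = @(Test-FirewallCompliance -Expected $ExpectedPolicy)
if ($drift.Count -eq 0) {
    Write-Host 'All firewall profiles match the expected Endpoint Protection policy.'
} else {
    # Drift means the deployed policy did not take effect or something changed it
    # locally; investigate before treating the client as protected.
    $drift | Format-Table -AutoSize
}
```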

Microsoft Defender Advanced Threat Protection


Starting with version 1606 of Configuration Manager (current branch), Endpoint Protection can help manage and
monitor Microsoft Defender Advanced Threat Protection (ATP), formerly known as Windows Defender ATP.
Microsoft Defender ATP is a service that will help enterprises to detect, investigate, and respond to advanced
attacks on their networks. See Microsoft Defender Advanced Threat Protection.

Endpoint Protection Workflow


Use the following diagram to help you understand the workflow to implement Endpoint Protection in your
Configuration Manager hierarchy.
Endpoint Protection Client for Mac Computers and Linux Servers
System Center includes an Endpoint Protection client for Linux and for Mac computers. These clients are not
supplied with Configuration Manager; instead, you must download the following products from the Microsoft
Volume Licensing Service Center.

IMPORTANT
You must be a Microsoft Volume License customer to download the Endpoint Protection installation files for Linux and the
Mac.

These products cannot be managed from the Configuration Manager console. However, a System Center
Operations Manager management pack is supplied with the installation files, which allows you to manage the client
for Linux by using Operations Manager.
For more information about how to install and manage the Endpoint Protection clients for Linux and Mac
computers, use the documentation that accompanies these products, which is located in the Documentation
folder.
Best Practices for Endpoint Protection in Configuration Manager
Use the following best practices for Endpoint Protection in System Center 2012 Configuration Manager.
Configure custom client settings for Endpoint Protection
When you configure client settings for Endpoint Protection, do not use the default client settings because they
apply settings to all computers in your hierarchy. Instead, configure custom client settings and assign these settings
to collections of computers in your hierarchy.
When you configure custom client settings, you can do the following:
Customize antimalware and security settings for different parts of your organization.
Test the effects of running Endpoint Protection on a small group of computers before you deploy it to the entire
hierarchy.
Add more clients to the collection over time to phase your deployment of the Endpoint Protection client.
Distributing definition updates by using software updates
If you are using Configuration Manager software updates to distribute definition updates, consider placing
definition updates in a package that does not contain other software updates. This keeps the size of the definition
update package smaller which allows it to replicate to distribution points more quickly.
Plan for BitLocker management
7/7/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Starting in version 1910, use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-premises
Windows clients that are joined to Active Directory. Azure Active Directory joined or workgroup clients are not
supported. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker
Administration and Monitoring (MBAM).

NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.

For more information, see BitLocker overview.

TIP
To manage encryption on co-managed Windows 10 devices using the Microsoft Endpoint Manager cloud service, switch the
Endpoint Protection workload to Intune. For more information on using Intune, see Windows Encryption.

Features
Configuration Manager provides the following management capabilities for BitLocker Drive Encryption:
Client deployment
Deploy the BitLocker client to managed Windows devices running Windows 10 or Windows 8.1
Manage encryption policies
For example: choose drive encryption and cipher strength, configure user exemption policy, fixed data drive
encryption settings.
Determine the algorithms with which to encrypt the device, and the disks that you target for encryption.
Force users to get compliant with new security policies before using the device.
Customize your organization's security profile on a per device basis.
When a user unlocks the OS drive, specify whether to unlock only an OS drive or all attached drives.
Compliance reports
Built-in reports for:
Encryption status per volume or per device
The primary user of the device
Compliance status
Reasons for non-compliance
Administration and monitoring website
Allow other personas in your organization outside of the Configuration Manager console to help with key recovery,
including key rotation and other BitLocker-related support. For example, help desk administrators can help users
with key recovery.
User self-service portal
Let users help themselves with a single-use key for unlocking a BitLocker encrypted device. Once this key is used, it
generates a new key for the device.

Prerequisites
To create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.
The BitLocker recovery service requires HTTPS to encrypt the recovery keys across the network from the
Configuration Manager client to the management point. There are two options:
HTTPS-enable the IIS website on the management point that hosts the recovery service. This option
only applies to Configuration Manager version 2002.
Configure the management point for HTTPS. This option applies to Configuration Manager versions
1910 or 2002.
For more information, see Encrypt recovery data.
To use the BitLocker management reports, install the reporting services point site system role. For more
information, see Configure reporting.

NOTE
For the Recovery Audit Report to work from the administration and monitoring website, only use a reporting
services point at the primary site.

To use the self-service portal or the administration and monitoring website, you need a Windows server
running IIS. You can reuse a Configuration Manager site system, or use a standalone web server that has
connectivity to the site database server. Use a supported OS version for site system servers.

NOTE
Only install the self-service portal and the administration and monitoring website with a primary site database. In a
hierarchy, install these websites for each primary site.

On the web server that will host the self-service portal, install Microsoft ASP.NET MVC 4.0 and the .NET
Framework 3.5 feature before starting the install process. Other required Windows server roles and features
will be installed automatically during the portal installation process.
The user account that runs the portal installer script needs SQL sysadmin rights on the site database server.
During the setup process, the script sets login, user, and SQL role rights for the web server machine account.
You can remove this user account from the sysadmin role after you complete setup of the self-service portal
and the administration and monitoring website.
BitLocker Management is not supported on virtual machines (VMs) or on server OSes. For this reason, some
features may not work as expected on virtual machines or on server OSes. For example, on virtual machines
BitLocker Management will not start the encryption on fixed drives. Additionally, fixed
drives in virtual machines may show as compliant even though they are not encrypted.

TIP
By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full
disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information,
see Task sequence steps - Enable BitLocker.

Next steps
Encrypt recovery data (an optional prerequisite before deploying policy for the first time)
Deploy BitLocker management client
Prerequisites for certificate profiles in Configuration
Manager
5/8/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Certificate profiles in Configuration Manager have external dependencies and dependencies in the product.

Dependencies External to Configuration Manager


Dependency: An enterprise issuing certification authority (CA) that is running Active Directory Certificate
Services (AD CS).
More information: For more information about Active Directory Certificate Services, see Active Directory
Certificate Services Overview. To revoke certificates, the computer account of the site server at the top of the
hierarchy requires Issue and Manage Certificates rights for each certificate template used by a certificate
profile in Configuration Manager. Alternatively, grant Certificate Manager permissions to grant permissions on
all certificate templates used by that CA. Manager approval for certificate requests is supported. However, the
certificate templates that are used to issue certificates must be configured for Supply in the request for the
certificate subject so that Configuration Manager can automatically supply this value.

Dependency: Use the PowerShell script to verify, and if needed, install the prerequisites for the Network
Device Enrollment Service (NDES) role service and the Configuration Manager Certificate Registration Point.
More information: The instruction file, readme_crp.txt, is located in
ConfigMgrInstallDir\cd.latest\SMSSETUP\POLICYMODULE\X64. The PowerShell script, Test-NDES-CRP-Prereqs.ps1, is
in the same directory as the instructions. The PowerShell script must be run locally on the NDES server.

Dependency: The Network Device Enrollment Service (NDES) role service for Active Directory Certificate
Services, running on Windows Server 2012 R2. In addition:
Port numbers other than TCP 443 (for HTTPS) or TCP 80 (for HTTP) are not supported for the communication
between the client and the Network Device Enrollment Service.
The server that is running the Network Device Enrollment Service must be on a different server from the
issuing CA.
If you have a firewall between the server that is running the Network Device Enrollment Service and the
issuing CA, you must configure the firewall to allow the communication traffic (DCOM) between the two
servers. This firewall requirement also applies to the server running the Configuration Manager site server
and the issuing CA, so that Configuration Manager can revoke certificates.
If the Network Device Enrollment Service is configured to require SSL, a security best practice is to make
sure that connecting devices can access the certificate revocation list (CRL) to validate the server
certificate.
For more information about the Network Device Enrollment Service, see Using a Policy Module with the Network
Device Enrollment Service.
More information: Configuration Manager communicates with the Network Device Enrollment Service in Windows
Server 2012 R2 to generate and verify Simple Certificate Enrollment Protocol (SCEP) requests. If you will
issue certificates to users or devices that connect from the Internet, such as mobile devices that are managed
by Microsoft Intune, those devices must be able to access the server that runs the Network Device Enrollment
Service from the Internet. For example, install the server in a perimeter network (also known as a DMZ,
demilitarized zone, and screened subnet).

Dependency: A PKI client authentication certificate and exported root CA certificate.
More information: This certificate authenticates the server that is running the Network Device Enrollment
Service to Configuration Manager. For more information, see PKI certificate requirements for Configuration
Manager.

Dependency: Supported device operating systems.
More information: You can deploy certificate profiles to devices that run Windows 8.1, Windows RT 8.1, and
Windows 10.
Configuration Manager Dependencies


Dependency: Certificate registration point site system role
More information: Before you can use certificate profiles, you must install the certificate registration point
site system role. This role communicates with the Configuration Manager database, the Configuration Manager
site server, and the Configuration Manager Policy Module. For more information about system requirements for
this site system role and where to install the role in the hierarchy, see the Site System Requirements section
in the Supported configurations for Configuration Manager article. The certificate registration point must not
be installed on the same server that runs the Network Device Enrollment Service.

Dependency: Configuration Manager Policy Module that is installed on the server that is running the Network
Device Enrollment Service role service for Active Directory Certificate Services
More information: To deploy certificate profiles, you must install the Configuration Manager Policy Module. You
can find this policy module on the Configuration Manager installation media.

Dependency: Discovery data
More information: Values for the certificate subject and the subject alternative name are supplied by
Configuration Manager and retrieved from information that is collected from discovery:
For user certificates: Active Directory User Discovery
For computer certificates: Active Directory System Discovery and Network Discovery

Dependency: Specific security permissions to manage certificate profiles
More information: You must have the following security permissions to manage company resource access settings,
such as certificate profiles, Wi-Fi profiles, and VPN profiles:
To view and manage alerts and reports for certificate profiles: Create, Delete, Modify, Modify Report, Read,
and Run Report for the Alerts object.
To create and manage certificate profiles: Author Policy, Modify Report, Read, and Run Report for the
Certificate Profile object.
To manage Wi-Fi, certificate and VPN profile deployments: Deploy Configuration Policies, Modify Client Status
Alert, Read, and Read Resource for the Collection object.
To manage all configuration policies: Create, Delete, Modify, Read, and Set Security Scope for the
Configuration Policy object.
To run queries related to certificate profiles: Read permission for the Query object.
To view certificate profiles information in the Configuration Manager console: Read permission for the Site
object.
To view status messages for certificate profiles: Read permission for the Status Messages object.
To create and modify the Trusted CA certificate profile: Author Policy, Modify Report, Read, and Run Report for
the Trusted CA Certificate Profile object.
To create and manage VPN profiles: Author Policy, Modify Report, Read, and Run Report for the VPN Profile
object.
To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read, and Run Report for the Wi-Fi Profile
object.
The Company Resource Access Manager security role includes these permissions that are required to manage
certificate profiles in Configuration Manager. For more information, see the Configure role-based
administration section in the Configure security article.
Planning for certificate template permissions for
certificate profiles in Configuration Manager
4/28/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


The following information can help you plan for how to configure permissions for the certificate templates that
Configuration Manager uses when you deploy certificate profiles.

Default Security Permissions and Considerations


The default security permissions that are required for the certificate templates that Configuration Manager will use
to request certificates for users and devices are as follows:
Read and Enroll for the account that the Network Device Enrollment Service application pool uses
Read for the account that runs the Configuration Manager console
For more information about these security permissions, see Configuring certificate infrastructure.
When you use this default configuration, users and devices cannot directly request certificates from the
certificate templates and all requests must be initiated by the Network Device Enrollment Service. This is an
important restriction, because these certificate templates must be configured with Supply in the request
for the certificate Subject, which means that there is a risk of impersonation if a rogue user or a
compromised device requests a certificate. In the default configuration, the Network Device Enrollment
Service must initiate such a request. However, this risk of impersonation remains if the service that runs the
Network Device Enrollment Service is compromised. To help avoid this risk, follow all security best practices
for the Network Device Enrollment Service and the computer that runs this role service.
If the default security permissions do not fulfill your business requirements, you have another option for
configuring the security permissions on the certificate templates: You can add Read and Enroll permissions
for users and computers.

Adding Read and Enroll Permissions for Users and Computers


Adding Read and Enroll permissions for users and computers might be appropriate if a separate team manages
your certification authority (CA) infrastructure, and that separate team wants Configuration Manager to verify
that users have a valid Active Directory Domain Services account before sending them a certificate profile to
request a user certificate. For this configuration, you must specify one or more security groups that contain the
users, and then grant those groups Read and Enroll permissions on the certificate templates. In this scenario, the
CA administrator manages the security control.
You can similarly specify one or more security groups that contain computer accounts and grant these groups Read
and Enroll permissions on the certificate templates. If you deploy a computer certificate profile to a computer that
is a domain member, the computer account of that computer must be granted Read and Enroll permissions. These
permissions are not required if the computer is not a domain member. For example, if it is a workgroup computer
or personal mobile device.
Although this configuration uses an additional security control, we do not recommend it as a best practice. The
reason is that the specified users or owners of the devices might request certificates independently from
Configuration Manager and supply values for the certificate Subject that might be used to impersonate another
user or device.
In addition, if you specify accounts that cannot be authenticated at the time that the certificate request occurs, the
certificate request will fail by default. For example, the certificate request will fail if the server that is running the
Network Device Enrollment Service is in an Active Directory forest that is untrusted by the forest that contains the
certificate registration point site system server. You can configure the certificate registration point to continue if an
account cannot be authenticated because there is no response from a domain controller. However, this is not a
security best practice.
Note that if the certificate registration point is configured to check for account permissions and a domain controller
is available and rejects the authentication request (for example, the account is locked out or has been deleted), the
certificate enrollment request will fail.
To check for Read and Enroll permissions for users and domain-member computers
1. On the site system server that hosts the certificate registration point, create the following DWORD registry
key to have a value of 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheck
2. If an account cannot be authenticated because there is no response from a domain controller, and you want
to bypass the permissions check:
On the site system server that hosts the certificate registration point, create the following DWORD
registry key to have a value of 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheckOnlyIfAccountAccessDenied
3. On the issuing CA, on the Security tab in the properties for the certificate template, add one or more
security groups to grant the user or device accounts Read and Enroll permissions.
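The registry part of this procedure (steps 1 and 2) as an added example script; it is not code from the Configuration Manager documentation. It assumes it runs in an elevated session on the site system server that hosts the certificate registration point, and the -BypassWhenNoDomainController switch is this example's own name for the step 2 choice. Step 3, granting Read and Enroll on the template at the issuing CA, is done in the certificate template's Security tab and is not scripted here.

```powershell
# Added example (not from the Configuration Manager documentation): sets the two
# certificate registration point (CRP) registry values from the steps above and
# reads them back for verification. Run elevated on the CRP site system server.
param(
    # Only set SkipTemplateCheckOnlyIfAccountAccessDenied = 1 when explicitly requested:
    # the documentation notes that continuing without a domain controller response
    # is not a security best practice. (Switch name is this example's own.)
    [switch]$BypassWhenNoDomainController
)

$crpKey = 'HKLM:\SOFTWARE\Microsoft\SCCM\CRP'

function Get-CrpValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $crpKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-CrpDword {
    param([string]$Name, [int]$Value)
    if (-not (Test-Path $crpKey)) {
        # The CRP key should already exist where the role is installed; warn so the
        # setting is not silently created on the wrong server.
        Write-Warning "Registry key $crpKey does not exist. Is the certificate registration point installed here?"
        New-Item -Path $crpKey -Force | Out-Null
    }
    $current = Get-CrpValue -Name $Name
    if ($current -eq $Value) {
        Write-Host "$Name already set to $Value"
        return
    }
    New-ItemProperty -Path $crpKey -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    $was = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Host "Set $Name to $Value (was: $was)"
}

# Step 1: SkipTemplateCheck = 0 makes the CRP check Read and Enroll permissions on the
# certificate template for the requesting user or domain-member computer account.
Set-CrpDword -Name 'SkipTemplateCheck' -Value 0

# Step 2 (optional): continue the request when no domain controller responds.
if ($BypassWhenNoDomainController) {
    Set-CrpDword -Name 'SkipTemplateCheckOnlyIfAccountAccessDenied' -Value 1
} else {
    Write-Host 'Leaving SkipTemplateCheckOnlyIfAccountAccessDenied unset (default: request fails if the account cannot be authenticated).'
}

# Verification: show the resulting state so the change can be recorded in change control.
Get-ItemProperty -Path $crpKey |
    Select-Object SkipTemplateCheck, SkipTemplateCheckOnlyIfAccountAccessDenied |
    Format-List
```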
Prerequisites for Wi-Fi and VPN profiles in
Configuration Manager
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Wi-Fi and VPN profiles in Configuration Manager have dependencies only within the product.
You need the following security permissions to manage company resource access settings, such as certificate
profiles, Wi-Fi profiles, and VPN profiles:
To view and manage alerts and reports for Wi-Fi and VPN profiles: Create, Delete, Modify, Modify Report,
Read, and Run Report for the Alerts object.
To create and manage certificate profiles: Author Policy, Modify Report, Read, and Run Report for the
Certificate Profile object.
To manage Wi-Fi, certificate, and VPN profile deployments: Deploy Configuration Policies, Modify
Client Status Alert, Read, and Read Resource for the Collection object.
To manage all configuration policies: Create, Delete, Modify, Read, and Set Security Scope for the
Configuration Policy object.
To run queries that are related to Wi-Fi and VPN profiles: Read permission for the Query object.
To view Wi-Fi and VPN profiles information in the Configuration Manager console: Read permission for the
Site object.
To view status messages for Wi-Fi and VPN profiles: Read permission for the Status Messages object.
To create and modify the Trusted CA certificate profile: Author Policy, Modify Report, Read, and Run
Report for the Trusted CA Certificate Profile object.
To create and manage VPN profiles: Author Policy, Modify Report, Read, and Run Report for the VPN
Profile object.
To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read, and Run Report for the Wi-Fi
Profile object.
The Company Resource Access Manager built-in security role includes these permissions that are required to
manage Wi-Fi profiles in Configuration Manager. For more information, see Configure security.
Security and privacy for Wi-Fi and VPN profiles in
Configuration Manager
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)

Security recommendations
Use the following security best practices when you manage Wi-Fi and VPN profiles for devices.
Choose the most secure options that your Wi-Fi and VPN infrastructure and client operating systems can
support
Wi-Fi and VPN profiles provide a convenient method to centrally distribute and manage Wi-Fi and VPN settings
that your devices already support. Configuration Manager doesn't add Wi-Fi or VPN functionality. Identify,
implement, and follow any security recommendations for your devices and infrastructure.

Privacy information
You can use Wi-Fi and VPN profiles to configure client devices to connect to Wi-Fi and VPN servers. Then use
Configuration Manager to evaluate whether those devices become compliant after the profiles are applied. The
management point sends compliance information to the site server, and the information is stored in the site
database. The information is encrypted when devices send it to the management point, but it isn't stored in
encrypted format in the site database. The database retains the information until the site maintenance task Delete
Aged Configuration Management Data deletes it. The default deletion interval is 90 days, but you can change
it. Compliance information isn't sent to Microsoft.
By default, devices don't evaluate Wi-Fi and VPN profiles. In addition, you must configure the profiles, and then
deploy them to users.
Before you configure Wi-Fi or VPN profiles, consider your privacy requirements.
Security and privacy for certificate profiles in Configuration Manager
5/8/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)

Security Best Practices for Certificate Profiles


Use the following security best practices when you manage certificate profiles for users and devices.

Security best practice: Identify and follow any security best practices for the Network Device Enrollment Service,
which includes configuring the Network Device Enrollment Service website in Internet Information Services (IIS) to
require SSL and ignore client certificates.
More information: For more information, see Network Device Enrollment Service Guidance.

Security best practice: When you configure SCEP certificate profiles, choose the most secure options that devices and
your infrastructure can support.
More information: Identify, implement, and follow any security best practices that have been recommended for your
devices and infrastructure.

Security best practice: Manually specify user device affinity instead of allowing users to identify their primary
device. In addition, do not enable usage-based configuration.
More information: If you click the Allow certificate enrollment only on the users primary device option in a
SCEP certificate profile, do not consider the information that is collected from users or from the device to be
authoritative. If you deploy SCEP certificate profiles with this configuration and a trusted administrative user does
not specify user device affinity, unauthorized users might receive elevated privileges and be granted certificates for
authentication.
Note: If you do enable usage-based configuration, this information is collected by using state messages that are not
secured by Configuration Manager. To help mitigate this threat, use SMB signing or IPsec between client computers
and the management point.

Security best practice: Do not add Read and Enroll permissions for users to the certificate templates, or configure
the certificate registration point to skip the certificate template check.
More information: Although Configuration Manager supports the additional check if you add the security permissions
of Read and Enroll for users, and you can configure the certificate registration point to skip this check if
authentication is not possible, neither configuration is a security best practice. For more information, see Planning
for certificate template permissions for certificate profiles.

Privacy Information for Certificate Profiles


You can use certificate profiles to deploy root certification authority (CA) and client certificates, and then evaluate
whether those devices become compliant after the profiles are applied. The management point sends compliance
information to the site server, and Configuration Manager stores that information in the site database. Compliance
information includes certificate properties such as subject name and thumbprint. The information is encrypted
when devices send it to the management point, but it is not stored in encrypted format in the site database. The
database retains the information until the site maintenance task Delete Aged Configuration Management
Data deletes it after the default interval of 90 days. You can configure the deletion interval. Compliance information
is not sent to Microsoft.
Certificate profiles use information that Configuration Manager collects using discovery. For more information
about privacy information for discovery, see the Privacy Information for Discovery section in Security and
privacy for Configuration Manager.

NOTE
Certificates that are issued to users or devices might allow access to confidential information.

By default, devices do not evaluate certificate profiles. In addition, you must configure the certificate profiles, and
then deploy them to users or devices.
Before you configure certificate profiles, consider your privacy requirements.
Endpoint Protection
7/7/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Endpoint Protection manages antimalware policies and Windows Firewall security for client computers in your
Configuration Manager hierarchy.

IMPORTANT
You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:
Configure antimalware policies and Windows Firewall settings, and manage Microsoft Defender Advanced Threat
Protection, for selected groups of computers
Use Configuration Manager software updates to download the latest antimalware definition files to keep client
computers up-to-date
Send email notifications, use in-console monitoring, and view reports. These actions inform administrative
users when malware is detected on client computers.
Beginning with Windows 10 and Windows Server 2016 computers, Windows Defender is already installed. For
these operating systems, a management client for Windows Defender is installed when the Configuration Manager
client installs. On Windows 8.1 and earlier computers, the Endpoint Protection client is installed with the
Configuration Manager client. Windows Defender and the Endpoint Protection client have the following
capabilities:
Malware and spyware detection and remediation
Rootkit detection and remediation
Critical vulnerability assessment and automatic definition and engine updates
Network vulnerability detection through Network Inspection System
Integration with Cloud Protection Service to report malware to Microsoft. When you join this service, the
Endpoint Protection client or Windows Defender downloads the latest definitions from the Malware Protection
Center when unidentified malware is detected on a computer.

NOTE
The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest virtual machines with supported
operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in randomized delay so that
protection services do not run simultaneously.

In addition, you manage Windows Firewall settings with Endpoint Protection in the Configuration Manager
console.
Example scenario: Using System Center Endpoint Protection to protect computers from malware.

Managing Malware with Endpoint Protection


Endpoint Protection in Configuration Manager allows you to create antimalware policies that contain settings for
Endpoint Protection client configurations. Deploy these antimalware policies to client computers. Then monitor
compliance in the Endpoint Protection Status node under Security in the Monitoring workspace. Also use
Endpoint Protection reports in the Reporting node.
Additional information:
How to create and deploy antimalware policies for Endpoint Protection - Create, deploy, and monitor
antimalware policies with a list of the settings that you can configure
How to monitor Endpoint Protection - Monitoring activity reports, infected client computers, and more.
How to manage antimalware policies and firewall settings for Endpoint Protection - Remediate malware
found on client computers
Log files for Endpoint Protection

Managing Windows Firewall with Endpoint Protection


Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client
computers. For each network profile, you can configure the following settings:
Enable or disable the Windows Firewall.
Block incoming connections, including those in the list of allowed programs.
Notify the user when Windows Firewall blocks a new program.

NOTE
Endpoint Protection supports managing the Windows Firewall only.

For more information, see How to create and deploy Windows Firewall policies for Endpoint Protection.

Microsoft Defender Advanced Threat Protection


Endpoint Protection manages and monitors Microsoft Defender Advanced Threat Protection (ATP), formerly known
as Windows Defender ATP. The Microsoft Defender ATP service helps enterprises detect, investigate, and respond to
advanced attacks on the corporate network. For more information, see Microsoft Defender Advanced Threat
Protection.

Endpoint Protection Workflow


Use the following diagram to help you understand the workflow to implement Endpoint Protection in your
Configuration Manager hierarchy.
Endpoint Protection Client for Mac Computers and Linux Servers
IMPORTANT
Support for System Center Endpoint Protection (SCEP) for Mac and Linux (all versions) ends on December 31, 2018.
Availability of new virus definitions for SCEP for Mac and SCEP for Linux may be discontinued after the end of support. For
more information, see End of support blog post.

System Center Endpoint Protection includes an Endpoint Protection client for Linux and for Mac computers. These
clients aren't supplied with Configuration Manager. Download the following products from the Microsoft Volume
Licensing Service Center:
System Center Endpoint Protection for Mac
System Center Endpoint Protection for Linux
NOTE
You must be a Microsoft Volume License customer to download the Endpoint Protection installation files for Linux and the
Mac.

These products can't be managed from the Configuration Manager console. A System Center Operations Manager
management pack is supplied with the installation files, which allows you to manage the client for Linux.
How to get the Endpoint Protection client for Mac computers and Linux servers
Use the following steps to download the image file containing the Endpoint Protection client software and
documentation for Mac computers and Linux servers.
1. Sign in to the Microsoft Volume Licensing Service Center.
2. Select the Downloads and Keys tab at the top of the website.
3. Filter on product System Center Endpoint Protection (current branch) .
4. Click link to Download
5. Click Continue . You should see several files, including one named: System Center Endpoint Protection
(current branch - version 1606) for Linux OS and Macintosh OS Multilanguage 32/64 bit 1878 MB
ISO .
6. To download the file, click the arrow icon. The file name is
SW_DVD5_Sys_Ctr_Endpnt_Prtctn_1606_MultiLang_-3_EptProt_Lin_Mac_MLF_X21-67050.ISO .
The January 2018 update (X21-67050) includes the following versions:
System Center Endpoint Protection for Mac 4.5.32.0 (support for macOS 10.13 High Sierra)
System Center Endpoint Protection for Linux 4.5.20.0
For more information about how to install and manage the Endpoint Protection clients for Linux and Mac
computers, use the documentation that accompanies these products. This product documentation is in the
Documentation folder of the .ISO file.
Configure Endpoint Protection
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Before you can use Endpoint Protection to manage security and malware on Configuration Manager client
computers, you must perform the configuration steps detailed in this article.

How to Configure Endpoint Protection in Configuration Manager


Endpoint Protection in Configuration Manager has external dependencies and dependencies in the product.
Steps to Configure Endpoint Protection in Configuration Manager
Use the following table for the steps, details, and more information about how to configure Endpoint Protection.

IMPORTANT
If you manage endpoint protection for Windows 10 computers, then you must configure Configuration Manager to update
and distribute malware definitions for Windows Defender. Windows Defender is included in Windows 10 but SCEPInstall must
still be installed and custom client settings for Endpoint Protection (Step 5 below) are still required.

Starting in Configuration Manager 1802, Windows 10 devices do not need to have the Endpoint Protection agent
(SCEPInstall) installed. If it is already installed on Windows 10 devices, Configuration Manager will not remove it.
Administrators can remove the Endpoint Protection agent on Windows 10 devices that are running at least the 1802 client
version. SCEPInstall.exe may still be present in C:\Windows\ccmsetup on some machines but should not be downloaded on
new client installations. Custom client settings for Endpoint Protection (Step 5 below) are still required.

Step 1: Create an Endpoint Protection point site system role
Details: The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It
must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central
administration site or a stand-alone primary site.

Step 2: Configure alerts for Endpoint Protection
Details: Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts are
displayed in the Alerts node of the Monitoring workspace, or optionally can be emailed to specified users.

Step 3: Configure definition update sources for Endpoint Protection clients
Details: Endpoint Protection can be configured to use various sources to download definition updates.

Step 4: Configure the default antimalware policy and create custom antimalware policies
Details: The default antimalware policy is applied when the Endpoint Protection client is installed. Any custom
policies you have deployed are applied by default, within 60 minutes of deploying the client. Ensure that you have
configured antimalware policies before you deploy the Endpoint Protection client.

Step 5: Configure custom client settings for Endpoint Protection
Details: Use custom client settings to configure Endpoint Protection settings for collections of computers in your
hierarchy.
Note: Do not configure the default Endpoint Protection client settings unless you are sure that you want these
settings applied to all computers in your hierarchy.
Create an Endpoint Protection point site system role
4/20/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must be
installed on one site system server only, and it must be installed at the top of the hierarchy on a central
administration site or a stand-alone primary site.
Use one of the following procedures depending on whether you want to install a new site system server for
Endpoint Protection or use an existing site system server:
Install on a new site system server
Install on an existing site system server

IMPORTANT
When you install an Endpoint Protection point, an Endpoint Protection client is installed on the server hosting the Endpoint
Protection point. Services and scans are disabled on this client to enable it to co-exist with any existing antimalware solution
that is installed on the server. If you later enable this server for management by Endpoint Protection and select the option to
remove any third-party antimalware solution, the third-party product will not be removed. You must uninstall this product
manually.

New site system server


1. In the Configuration Manager console, click Administration .
2. In the Administration workspace, expand Site Configuration , and then click Servers and Site System
Roles .
3. On the Home tab, in the Create group, click Create Site System Server .
4. On the General page, specify the general settings for the site system, and then click Next .
5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and
then click Next .
6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check
box, and then click Next .

IMPORTANT
You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.

7. On the Cloud Protection Service page, select the level of information that you want to send to Microsoft
to help develop new definitions, and then click Next .
NOTE
This option configures the Cloud Protection Service (formerly known as Microsoft Active Protection Service or MAPS)
settings that are used by default. You can then configure custom settings for each antimalware policy you create. Join
Cloud Protection Service, to help to keep your computers more secure by supplying Microsoft with malware samples
that can help Microsoft to keep antimalware definitions more up-to-date. Additionally, when you join Cloud
Protection Service, the Endpoint Protection client can use the dynamic signature service to download new definitions
before they are published to Windows Update. For more information, see How to create and deploy antimalware
policies for Endpoint Protection.

8. Complete the wizard.

Existing site system server


1. In the Configuration Manager console, click Administration .
2. In the Administration workspace, expand Site Configuration , click Servers and Site System Roles ,
and then select the server that you want to use for Endpoint Protection.
3. On the Home tab, in the Server group, click Add Site System Roles .
4. On the General page, specify the general settings for the site system, and then click Next .
5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and
then click Next .
6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check
box, and then click Next .

IMPORTANT
You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.

7. On the Cloud Protection Service page, select the level of information that you want to send to Microsoft
to help develop new definitions, and then click Next .

NOTE
This option configures the Cloud Protection Service settings (formerly known as MAPS) that are used by default. You
can configure custom settings for each antimalware policy you configure. For more information, see How to create
and deploy antimalware policies for Endpoint Protection.

8. Complete the wizard.


Configure Alerts for Endpoint Protection in Configuration Manager
4/22/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


You can configure Endpoint Protection alerts in Microsoft Configuration Manager to notify administrative users
when specific events, such as a malware infection, occur in your hierarchy. Notifications display in the Endpoint
Protection dashboard in the Configuration Manager console in the Alerts node of the Monitoring workspace, or
can be emailed to specified users.
Use the following steps and the supplemental procedures in this topic to configure alerts for Endpoint Protection
in Configuration Manager.

IMPORTANT
You must have the Enforce Security permission for collections to configure Endpoint Protection alerts.

Steps to Configure Alerts for Endpoint Protection in Configuration Manager


1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, click Device Collections .
3. In the Device Collections list, select the collection for which you want to configure alerts, and then on the
Home tab, in the Properties group, click Properties .

NOTE
You cannot configure alerts for user collections.

4. On the Alerts tab of the <Collection Name> Properties dialog box, select View this collection in the
Endpoint Protection dashboard if you want to view details about antimalware operations for this
collection in the Monitoring workspace of the Configuration Manager console.

NOTE
This option is unavailable for the All Systems collection.

5. On the Alerts tab of the <Collection Name> Properties dialog box, click Add .
6. In the Add New Collection Alerts dialog box, in the Generate an alert when these conditions apply
section, select the alerts that you want Configuration Manager to generate when the specified Endpoint
Protection events occur, and then click OK .
7. In the Conditions list of the Alerts tab, select each Endpoint Protection alert, and then specify the
following information:
Alert Name - Accept the default name or enter a new name for the alert.
Alert Severity - In the list, select the alert level to display in the Configuration Manager console.
8. Depending on the alert that you select, specify the following additional information:
Malware detection - This alert is generated if malware is detected on any computer in the
collection that you monitor. The Malware detection threshold specifies the malware detection
levels at which this alert is generated:
High - All detections - The alert is generated when there are one or more computers in the
specified collection on which any malware is detected, regardless of what action the Endpoint
Protection client takes.
Medium - Detected, pending action - The alert is generated when there are one or more
computers in the specified collection on which malware is detected, and you must manually
remove the malware.
Low - Detected, still active - The alert is generated when there are one or more computers
in the specified collection on which malware is detected and is still active.
Malware outbreak - This alert is generated if specified malware is detected on a specified
percentage of computers in the collection that you monitor.
Percentage of computers with malware detected - The alert is generated when the
percentage of computers with malware that is detected in the collection exceeds the
percentage that you specify. Specify a percentage from 1 through 99 .

NOTE
The percentage value is based on the number of computers in the collection, but excludes computers
that do not have a Configuration Manager client installed. It includes computers that do not yet have
the Endpoint Protection client installed.

Repeated malware detection - This alert is generated if specific malware is detected more than a
specified number of times over a specified number of hours on the computers in the collection that
you monitor. Specify the following information to configure this alert:
Number of times malware has been detected: - The alert is generated when the same
malware is detected on computers in the collection more than the specified number of times.
Specify a number from 2 through 32 .
Interval for detection (hours): Specify the detection interval (in hours) in which the
number of malware detections must occur. Specify a number from 1 through 168 .
Multiple malware detection - This alert is generated if more than a specified number of malware
types are detected over a specified number of hours on computers in the collection that you monitor.
Specify the following information to configure this alert:
Number of malware types detected: The alert is generated when the specified number of
different malware types are detected on computers in the collection. Specify a number from 2
through 32 .
Interval for detection (hours): Specify the detection interval, in hours, in which the
number of malware detections must occur. Specify a number from 1 through 168 .
9. Click OK to close the <Collection Name> Properties dialog box.

Alert for outdated malware client


Beginning with Configuration Manager version 1702, you can configure an alert to ensure Endpoint Protection
clients are not outdated. From any device collection, you can now add columns to the list for the following
attributes: Antimalware Client Version and Endpoint Protection Deployment State . For example, in the
console navigate to Assets and Compliance > Overview > Device Collections > All Desktops and Server
Clients . Right-click the column header and select those columns to add. To check for an alert, view Alerts in the
Monitoring workspace. If more than 20% of managed clients are running an expired version of antimalware
software, the Antimalware client version is outdated alert is displayed. This alert doesn't appear on the
Monitoring > Overview tab. To update expired antimalware clients, enable software updates for antimalware
clients.
To configure the percentage at which the alert is generated, expand Monitoring > Alerts > All Alerts , double-click
Antimalware clients out of date and modify the Raise alert if percentage of managed clients with
an outdated version of the antimalware client is more than option.
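As an added illustration (not Configuration Manager's own code), the following Python models the collection alert rules from step 8 above and the outdated-client alert, with the thresholds and allowed ranges the page states, and evaluates them over a constructed set of computers and detections; the computer names, malware names, state labels and version strings are constructed, and treating a "managed client" as one with both the Configuration Manager and Endpoint Protection clients is an assumption.

```python
"""Model of the Endpoint Protection collection alert rules described on this page.
Added illustration, not Configuration Manager code; all sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Computer:
    name: str
    has_cm_client: bool              # no CM client: excluded from every percentage
    has_ep_client: bool              # EP client missing: still counted for outbreak
    antimalware_version: str = ""    # constructed version string

@dataclass(frozen=True)
class Detection:
    computer: str
    malware: str
    when: datetime
    state: str                       # "remediated", "pending_action" or "still_active"

def _check_range(value: int, low: int, high: int, label: str) -> None:
    if not low <= value <= high:     # ranges the console accepts for each setting
        raise ValueError(f"{label} must be from {low} through {high}, got {value}")

def malware_detection_alert(detections, threshold: str) -> bool:
    """High: any detection; Medium: manual removal pending; Low: still active."""
    wanted = {"High": None, "Medium": "pending_action", "Low": "still_active"}[threshold]
    return any(wanted is None or d.state == wanted for d in detections)

def malware_outbreak_alert(computers, detections, percent: int) -> bool:
    """Outbreak: share of CM-managed computers with any detection exceeds percent."""
    _check_range(percent, 1, 99, "Percentage of computers with malware detected")
    managed = {c.name for c in computers if c.has_cm_client}
    if not managed:
        return False
    infected = {d.computer for d in detections if d.computer in managed}
    return 100.0 * len(infected) / len(managed) > percent

def _max_in_window(times, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of length window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def repeated_detection_alert(detections, times: int, interval_hours: int) -> bool:
    """Same malware detected more than `times` times within interval_hours."""
    _check_range(times, 2, 32, "Number of times malware has been detected")
    _check_range(interval_hours, 1, 168, "Interval for detection (hours)")
    by_malware = defaultdict(list)
    for d in detections:
        by_malware[d.malware].append(d.when)
    window = timedelta(hours=interval_hours)
    return any(_max_in_window(ts, window) > times for ts in by_malware.values())

def multiple_malware_alert(detections, types: int, interval_hours: int) -> bool:
    """At least `types` different malware names detected within interval_hours."""
    _check_range(types, 2, 32, "Number of malware types detected")
    _check_range(interval_hours, 1, 168, "Interval for detection (hours)")
    window = timedelta(hours=interval_hours)
    ordered = sorted(detections, key=lambda d: d.when)
    for i, first in enumerate(ordered):          # window opening at each detection
        names = {d.malware for d in ordered[i:] if d.when - first.when <= window}
        if len(names) >= types:
            return True
    return False

def outdated_client_alert(computers, expired_versions, percent: int = 20) -> bool:
    """More than `percent` of managed EP clients run an expired version (default 20%)."""
    # Assumption: a managed client here has both the CM client and the EP client.
    managed = [c for c in computers if c.has_cm_client and c.has_ep_client]
    if not managed:
        return False
    outdated = sum(1 for c in managed if c.antimalware_version in expired_versions)
    return 100.0 * outdated / len(managed) > percent

# Constructed sample collection: five computers and four detections.
T0 = datetime(2020, 4, 20, 8, 0)
SAMPLE_COMPUTERS = [
    Computer("PC01", True, True, "1.2.3.4"),
    Computer("PC02", True, True, "1.2.3.4"),
    Computer("PC03", True, True, "1.0.0.0"),     # treated as an expired version
    Computer("PC04", True, False),               # CM client, EP client not yet installed
    Computer("PC05", False, False),              # no CM client: not counted
]
SAMPLE_DETECTIONS = [
    Detection("PC01", "Sample.A", T0, "remediated"),
    Detection("PC01", "Sample.A", T0 + timedelta(hours=1), "remediated"),
    Detection("PC02", "Sample.A", T0 + timedelta(hours=2), "pending_action"),
    Detection("PC03", "Sample.B", T0 + timedelta(hours=30), "remediated"),
]
```

With this data the outbreak rule sees 3 of 4 managed computers infected (75%), so a 70% setting alerts and a 75% setting does not, because the page's rule fires only when the percentage is exceeded.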
Configure definition updates for Endpoint Protection
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


With Endpoint Protection in Configuration Manager, you can use any of several available methods to keep
antimalware definitions up to date on client computers in your hierarchy. The information in this topic can help you
to select and configure these methods.
To update antimalware definitions, you can use one or more of the following methods:
Updates distributed from Configuration Manager - This method uses Configuration Manager software
updates to deliver definition and engine updates to computers in your hierarchy.
Updates distributed from Windows Server Update Services (WSUS) - This method uses your WSUS
infrastructure to deliver definition and engine updates to computers.
Updates distributed from Microsoft Update - This method allows computers to connect directly to Microsoft
Update in order to download definition and engine updates. This method can be useful for computers that
are not often connected to the business network.
Updates distributed from Microsoft Malware Protection Center - This method will download definition
updates from the Microsoft Malware Protection Center.
Updates from UNC file shares - With this method, you can save the latest definition and engine updates to a
share on the network. Clients can then access the network to install the updates.
You can configure multiple definition update sources and control the order in which they are assessed and
applied. This is done in the Configure Definition Update Sources dialog box when you create an
antimalware policy.

IMPORTANT
For Windows 10 PCs, you must configure Endpoint Protection to update malware definitions for Windows Defender.

How to Configure Definition Update Sources


Use the following procedure to configure the definition update sources to use for each antimalware policy.
1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, expand Endpoint Protection , and then click Antimalware
Policies .
3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For
more information about how to create antimalware policies, see How to create and deploy antimalware
policies for Endpoint Protection.
4. In the Security Intelligence updates section of the antimalware properties dialog box, click Set Source .
The Definition updates section was renamed to Security Intelligence updates starting in
Configuration Manager version 1902.
5. In the Configure Definition Update Sources dialog box, select the sources to use for definition updates.
You can click Up or Down to modify the order in which these sources are used.
6. Click OK to close the Configure Definition Update Sources dialog box.

Configure Endpoint Protection definitions


Updates distributed from Configuration Manager - This method uses Configuration Manager software
updates to deliver definition and engine updates to computers in your hierarchy.
Updates distributed from Windows Server Update Services (WSUS) - This method uses your WSUS
infrastructure to deliver definition and engine updates to computers.
Updates distributed from Microsoft Update - This method allows computers to connect directly to Microsoft
Update in order to download definition and engine updates. This method can be useful for computers that
are not often connected to the business network.
Updates distributed from Microsoft Malware Protection Center - This method will download definition
updates from the Microsoft Malware Protection Center.
Updates from UNC file shares - With this method, you can save the latest definition and engine updates to a
share on the network. Clients can then access the network to install the updates.
Use Configuration Manager to deliver definition updates
4/24/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


You can configure Configuration Manager software updates to automatically deliver definition updates to client
computers. Before you begin to create automatic deployment rules, make sure to configure Configuration
Manager software updates. For more information, see Introduction to software updates.

NOTE
This procedure is specific to Endpoint Protection. For more general information about automatic deployment rules, see
Automatically deploy software updates.

1. In the Configuration Manager console, go to the Software Library workspace. Expand Software
Updates , and then select Automatic Deployment Rules .
2. On the Home tab of the ribbon, in the Create group, select Create Automatic Deployment Rule .
3. On the General page of the Create Automatic Deployment Rule Wizard , specify the following
information:
Name : Enter a unique name for the automatic deployment rule.
Collection : Select the device collection to which you want to deploy definition updates.

NOTE
You can't deploy definition updates to a user collection.

4. Select Add to an existing Software Update Group .


5. Select Enable the deployment after this rule is run .
6. On the Deployment Settings page of the wizard, for the Detail level , select Only error messages .

NOTE
When you select Only error messages , it reduces the number of state messages that the definition deployment
sends. This configuration helps reduce the CPU processing on the Configuration Manager servers.

7. On the Software Updates page:


a. Select the Update Classification property filter. In the Search criteria list, select <items to
find> .
In the Search Criteria window, select Definition Updates , then select OK .
b. Select the Product property filter. In the Search criteria list, select <items to find> .
In the Search Criteria window, select System Center Endpoint Protection for Windows 8.1 and
earlier or Windows Defender for Windows 10 and later, then select OK .

NOTE
Optionally, you can filter out superseded updates. Select the Superseded property filter. In the Search criteria list,
select <items to find> . In the Search Criteria window, select No , then select OK .

8. On the Evaluation Schedule page of the wizard, select Run the rule after any software update point
synchronization .
9. On the Deployment Schedule page of the wizard, configure the following settings:
Time based on : If you want all clients to install the latest definitions at the same time, select UTC .
The actual installation time will vary within two hours.
Software available time : Specify the available time for the deployment that this rule creates. The
specified time must be at least one hour after the automatic deployment rule runs. This configuration
makes sure that the content has sufficient time to replicate to the distribution points. Some definition
updates might also include antimalware engine updates, which might take longer to reach
distribution points.
Installation deadline : Select As soon as possible .

NOTE
Software update deadlines vary over a two-hour period. This behavior prevents all clients from requesting an
update at the same time.

10. On the User Experience page of the wizard, for User notifications , select Hide in Software Center
and all notifications . With this configuration, the definition updates install silently.
11. On the Deployment Package page of the wizard, select an existing deployment package or create a new
one.

NOTE
Consider placing definition updates in a package that doesn't contain other software updates. This strategy keeps the
size of the definition update package smaller, which allows it to replicate to distribution points more quickly.

12. If you create a new deployment package, on the Distribution Points page of the wizard, select one or more distribution points. The site copies the content for this package to these distribution points.
13. On the Download Location page, select Download software updates from the Internet.
14. On the Language Selection page, select each language version of the updates to download.
15. On the Download Settings page, select the necessary software updates download behavior.
16. Complete the wizard.
Verify that the Automatic Deployment Rules node of the Configuration Manager console displays the new rule.
Enable Endpoint Protection malware definitions to download from WSUS for Configuration Manager
4/24/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


If you use WSUS to keep your antimalware definitions up to date, you can configure it to auto-approve definition
updates. Although using Configuration Manager software updates is the recommended method to keep definitions
up to date, you can also configure WSUS as a method to allow users to manually update definitions. Use the
following procedures to configure WSUS as a definition update source.

Synchronize definition updates for Configuration Manager


1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and then select Sites.
2. Select the site that contains your software update point. In the Settings group of the ribbon, select Configure Site Components, and then select Software Update Point.
3. In the Software Update Point Component Properties window, switch to the Classifications tab. Select Definition Updates.
4. To specify the Products updated with WSUS, switch to the Products tab.
   For Windows 10 and later: Under Microsoft > Windows, select Windows Defender.
   For Windows 8.1 and earlier: Under Microsoft > Forefront, select System Center Endpoint Protection.
5. Select OK to close the Software Update Point Component Properties window.

Synchronize definition updates for standalone WSUS


Use the following procedure to configure Endpoint Protection updates when your WSUS server isn't integrated
into your Configuration Manager environment.
1. In the WSUS administration console, expand Computers, select Options, and then select Products and Classifications.
2. To specify the Products updated with WSUS, switch to the Products tab.
   For Windows 10 and later: Under Microsoft > Windows, select Windows Defender.
   For Windows 8.1 and earlier: Under Microsoft > Forefront, select System Center Endpoint Protection.
3. Switch to the Classifications tab. Select Definition Updates and Updates.

Approve definition updates


Endpoint Protection definition updates must be approved and downloaded to the WSUS server before they're
offered to clients that request the list of available updates. Clients connect to the WSUS server to check for
applicable updates and then request the latest approved definition updates.
Approve definitions and updates in WSUS
1. In the WSUS administration console, select Updates. Then select All Updates or the classification of updates that you want to approve.
2. In the list of updates, right-click the update or updates you want to approve for installation, and then select Approve.
3. In the Approve Updates window, select the computer group for which you want to approve the updates, and then select Approved for Install.
Configure an automatic approval rule
You can also set an automatic approval rule for definition updates and Endpoint Protection updates. This action configures WSUS to automatically approve Endpoint Protection definition updates downloaded by WSUS.
1. In the WSUS administration console, select Options, and then select Automatic Approvals.
2. On the Update Rules tab, select New Rule.
3. In the Add Rule window, under Step 1: Select properties, select the option: When an update is in a specific classification.
   a. Under Step 2: Edit the properties, select any classification.
   b. Clear all options except Definition Updates, and then select OK.
4. In the Add Rule window, under Step 1: Select properties, select the option: When an update is in a specific product.
   a. Under Step 2: Edit the properties, select any product.
   b. Clear all options except System Center Endpoint Protection for Windows 8.1 and earlier or Windows Defender for Windows 10 and later. Then select OK.
5. Under Step 3: Specify a name, enter a name for the rule, and then select OK.
6. In the Automatic Approvals dialog box, select the newly created rule, and then select Run rule.

NOTE
To maximize performance on your WSUS server and client computers, decline old definition updates. To accomplish this task,
you can configure automatic approval for revisions and automatic declining of expired updates. For more information, see
Microsoft Support article 938947.
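The note above recommends declining old definition updates so that the WSUS server and clients do not keep evaluating revisions that a newer definition already replaces. As an added example that is not part of the original article or of the Configuration Manager product, the following PowerShell script does that housekeeping through the WSUS administration API on the WSUS server itself. It assumes a local WSUS instance on the default port (Get-WsusServer with no arguments) and the English product and classification titles shown in the procedure above; adjust those strings for a localized server. Run it once with -WhatIf to see what would be declined before letting it change anything.

```powershell
# Added example (not from the Configuration Manager documentation): decline
# superseded Endpoint Protection definition updates on a WSUS server through
# the WSUS administration API. Run in an elevated session on the WSUS server.
# Assumptions: local WSUS on the default port; English classification and
# product titles ("Definition Updates", "Windows Defender",
# "System Center Endpoint Protection").
#Requires -Modules UpdateServices

function Get-DefinitionUpdateClassification {
    param([Parameter(Mandatory)] $WsusServer)
    $c = $WsusServer.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Definition Updates' }
    if (-not $c) { throw 'The "Definition Updates" classification is not synchronized on this server.' }
    return $c
}

function Get-SupersededDefinitionUpdate {
    param(
        [Parameter(Mandatory)] $WsusServer,
        [string[]] $ProductTitle = @('Windows Defender', 'System Center Endpoint Protection')
    )
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.Classifications.Add((Get-DefinitionUpdateClassification -WsusServer $WsusServer)) | Out-Null
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::Any
    # Only updates WSUS already marks as superseded qualify, so the newest
    # definition for each product is never touched.
    $WsusServer.GetUpdates($scope) |
        Where-Object { $_.IsSuperseded -and -not $_.IsDeclined } |
        Where-Object {
            $u = $_
            ($ProductTitle | Where-Object { $u.ProductTitles -contains $_ }).Count -gt 0
        }
}

function Invoke-DeclineSupersededDefinitionUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] $WsusServer)
    $declined = 0
    foreach ($update in Get-SupersededDefinitionUpdate -WsusServer $WsusServer) {
        if ($PSCmdlet.ShouldProcess($update.Title, 'Decline superseded definition update')) {
            $update.Decline()
            $declined++
        }
    }
    return $declined
}

$wsus = Get-WsusServer
# Dry run: lists what would be declined without changing the server.
Invoke-DeclineSupersededDefinitionUpdate -WsusServer $wsus -WhatIf
# Real run: decline and report how many updates were declined.
$count = Invoke-DeclineSupersededDefinitionUpdate -WsusServer $wsus
"Declined $count superseded definition update(s)"
```

The script deliberately filters on IsSuperseded rather than on age, because a definition update that is old but not superseded is still the current one for its product, and declining it would leave clients with nothing to install until the next synchronization.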



Enable Endpoint Protection malware definitions to download from Microsoft Updates
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


When you select to download definition updates from Microsoft Update, clients will check the Microsoft Update
site at the interval defined in the Security Intelligence updates section of the antimalware policy dialog box.
This method can be useful when the client does not have connectivity to the Configuration Manager site or when
you want users to be able to initiate definition updates.

IMPORTANT
Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition
updates.
The Definition updates section was renamed to Security Intelligence updates starting in Configuration Manager
version 1902.

Using the Microsoft Malware Protection Center to Download Definitions
You can configure clients to download definition updates from the Microsoft Malware Protection Center. This
option is used by Endpoint Protection clients to download definition updates if they have not been able to
download updates from another source. This update method can be useful if there is a problem with your
Configuration Manager infrastructure that prevents the delivery of updates.

IMPORTANT
Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.

Use the Microsoft Malware Protection Center to download definitions
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


You can configure clients to download definition updates from the Microsoft Malware Protection Center. This
option is used by Endpoint Protection clients to download definition updates if they have not been able to
download updates from another source. This update method can be useful if there is a problem with your
Configuration Manager infrastructure that prevents the delivery of updates.

IMPORTANT
Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.

Enable Endpoint Protection malware definitions to download from a network share
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


You can manually download the latest definition updates from Microsoft and then configure clients to download
these definitions from a shared folder on the network. Users can also initiate definition updates when you use this
update source.

NOTE
Clients must have read access to the shared folder to be able to download definition updates.

For more information about how to download the definition and engine updates to store on the file share, see
Install the latest Microsoft antimalware and antispyware software.

To configure definition downloads from a file share


1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For more information about how to create antimalware policies, see How to create and deploy antimalware policies for Endpoint Protection.
4. In the Security Intelligence updates section of the antimalware properties dialog box, click Set Source. The Definition updates section was renamed to Security Intelligence updates starting in Configuration Manager version 1902.
5. In the Configure Definition Update Sources dialog box, select Updates from UNC file shares.
6. Click OK to close the Configure Definition Update Sources dialog box.
7. Click Set Paths. Then, in the Configure Definition Update UNC Paths dialog box, add one or more UNC paths to the location of the definition updates files on a network share.
8. Click OK to close the Configure Definition Update UNC Paths dialog box.
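Two things commonly go wrong with a UNC definition source: clients retrieve definitions as the local system account, so the share has to be readable by computer accounts rather than by the administrator who set it up, and the manual download step gets skipped so the share quietly serves stale definitions. As an added example that is not part of the original article, the following PowerShell pre-flight check inspects a share before you enter its path in step 7. The share path \\fileserver\definitions, the reader group name Domain Computers, the expected file name mpam-fe.exe and the seven-day freshness threshold are all assumptions to adapt to your environment.

```powershell
# Added example (not from the Configuration Manager documentation): pre-flight
# check of a UNC definition update share. Run from an administrator's session
# on a machine that can reach the share.
# Assumptions: share path, reader group, expected file name and max age are
# placeholders; the page does not prescribe a folder layout.

function Test-DefinitionShare {
    param(
        [Parameter(Mandatory)][string] $UncPath,
        [string]   $ReaderIdentity = 'Domain Computers',   # computer accounts read as SYSTEM
        [string[]] $ExpectedFile   = @('mpam-fe.exe'),     # definition package file(s) you copy here
        [int]      $MaxAgeDays     = 7
    )
    $result = [ordered]@{ Path = $UncPath; Reachable = $false; ReadableBy = $false; Files = @(); Stale = @() }
    if (-not (Test-Path -LiteralPath $UncPath)) { return [pscustomobject]$result }
    $result.Reachable = $true

    # Look for an Allow ACE that grants at least ReadData to the reader identity.
    # A grant to a broader group (e.g. Authenticated Users) also works but is not
    # detected here; extend $ReaderIdentity handling if you rely on that.
    $acl = Get-Acl -LiteralPath $UncPath
    $result.ReadableBy = [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$ReaderIdentity" -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    })

    # Flag definition packages that have not been refreshed recently.
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $found = Get-ChildItem -LiteralPath $UncPath -Recurse -File |
        Where-Object { $ExpectedFile -contains $_.Name }
    foreach ($f in $found) {
        $result.Files += $f.FullName
        if ($f.LastWriteTime -lt $cutoff) { $result.Stale += $f.FullName }
    }
    return [pscustomobject]$result
}

$check = Test-DefinitionShare -UncPath '\\fileserver\definitions'   # placeholder path
$check | Format-List
if (-not $check.Reachable)  { throw "Share $($check.Path) is not reachable from this host" }
if (-not $check.ReadableBy) { Write-Warning 'No read ACE found for computer accounts; clients will fail to download' }
if ($check.Files.Count -eq 0) { Write-Warning 'No definition package found on the share' }
if ($check.Stale.Count -gt 0) { Write-Warning "Stale definition packages: $($check.Stale -join ', ')" }
```

Run the check from a machine other than the file server, since a path that resolves locally may still be unreachable or unreadable from clients. The ACL test runs in the caller's context and only reads the ACL; it does not try to impersonate a computer account.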
How to create and deploy antimalware policies for Endpoint Protection in Configuration Manager
5/8/2020 • 13 minutes to read

Applies to: Configuration Manager (current branch)


You can deploy antimalware policies to collections of Configuration Manager client computers to specify how
Endpoint Protection protects them from malware and other threats. These policies include information about
the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected.
When you enable Endpoint Protection, a default antimalware policy is applied to client computers. You can also
use one of the supplied policy templates or create a custom policy to meet the specific needs of your
environment.
Configuration Manager supplies a selection of predefined templates. These are optimized for various scenarios
and can be imported into Configuration Manager. These templates are available in the folder <ConfigMgr
Install Folder>\AdminConsole\XMLStorage\EPTemplates.

IMPORTANT
If you create a new antimalware policy and deploy it to a collection, this antimalware policy overrides the default
antimalware policy.

Use the procedures in this topic to create or import antimalware policies and assign them to Configuration
Manager client computers in your hierarchy.

NOTE
Before you perform these procedures, ensure that Configuration Manager is configured for Endpoint Protection as
described in Configuring Endpoint Protection.

Modify the default antimalware policy


1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
3. Select the antimalware policy Default Client Antimalware Policy and then, on the Home tab, in the Properties group, click Properties.
4. In the Default Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK.

NOTE
For a list of settings that you can configure, see List of Antimalware Policy Settings in this topic.

Create a new antimalware policy


1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
3. On the Home tab, in the Create group, click Create Antimalware Policy.
4. In the General section of the Create Antimalware Policy dialog box, enter a name and a description for the policy.
5. In the Create Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK. For a list of settings that you can configure, see List of Antimalware Policy Settings.
6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.

Import an antimalware policy


1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
3. In the Home tab, in the Create group, click Import.
4. In the Open dialog box, browse to the policy file to import, and then click Open.
5. In the Create Antimalware Policy dialog box, review the settings to use, and then click OK.
6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.

Deploy an antimalware policy to client computers


1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
3. In the Antimalware Policies list, select the antimalware policy to deploy. Then, on the Home tab, in the Deployment group, click Deploy.

NOTE
The Deploy option cannot be used with the default client malware policy.

4. In the Select Collection dialog box, select the device collection to which you want to deploy the antimalware policy, and then click OK.

List of Antimalware Policy Settings


Many of the antimalware settings are self-explanatory. The following sections give more detail on the settings that benefit from explanation before you configure them.
Scheduled Scans Settings
Scan Settings
Default Actions Settings
Real-time Protection Settings
Exclusion Settings
Advanced Settings
Threat Overrides Settings
Cloud Protection Service
Definition Updates Settings
Scheduled Scans Settings
Scan type - You can specify one of two scan types to run on client computers:
   Quick scan - This type of scan checks the in-memory processes and folders where malware is typically found. It requires fewer resources than a full scan.
   Full Scan - This type of scan adds a full check of all local files and folders to the items scanned in the quick scan. This scan takes longer than a quick scan and uses more CPU processing and memory resources on client computers.
In most cases, use Quick scan to minimize the use of system resources on client computers. If malware removal requires a full scan, Endpoint Protection generates an alert that is displayed in the Configuration Manager console. The default value is Quick scan.
Scan Settings
Scan email and email attachments - Set to Yes to turn on e-mail scanning.
Scan removable storage devices such as USB drives - Set to Yes to scan removable drives during full scans.
Scan network files - Set to Yes to scan network files.
Scan mapped network drives when running a full scan - Set to Yes to scan any mapped network drives on client computers. Enabling this setting might significantly increase the scan time on client computers. The Scan network files setting must be set to Yes for this setting to be available to configure. By default, this setting is set to No, meaning that a full scan will not access mapped network drives.
Scan archived files - Set to Yes to scan archived files such as .zip or .rar files.
Allow users to configure CPU usage during scans - Set to Yes to allow users to specify the maximum percentage of CPU utilization during a scan. Scans will not always use the maximum load defined by users, but they cannot exceed it.
User control of scheduled scans - Specify the level of user control. Allow users to set Scan time only or Full control of antivirus scans on their devices.
Default Actions Settings
Select the action to take when malware is detected on client computers. The following actions can be applied, depending on the alert threat level of the detected malware.
   Recommended - Use the action recommended in the malware definition file.
   Quarantine - Quarantine the malware but do not remove it.
   Remove - Remove the malware from the computer.
   Allow - Do not remove or quarantine the malware.
Real-time Protection Settings
Setting name - Description

Enable real-time protection - Set to Yes to configure real-time protection settings for client computers. We recommend that you enable this setting.

Monitor file and program activity on your computer - Set to Yes if you want Endpoint Protection to monitor when files and programs start to run on client computers and to alert you about any actions that they perform or actions taken on them.

Scan system files - This setting lets you configure whether incoming, outgoing, or incoming and outgoing system files are monitored for malware. For performance reasons, you might have to change the default value of Scan incoming and outgoing files if a server has high incoming or outgoing file activity.

Enable behavior monitoring - Enable this setting to use computer activity and file data to detect unknown threats. When this setting is enabled, it might increase the time required to scan computers for malware.

Enable protection against network-based exploits - Enable this setting to protect computers against known network exploits by inspecting network traffic and blocking any suspicious activity.

Enable script scanning - For Configuration Manager with no service pack only. Enable this setting if you want to scan any scripts that run on computers for suspicious activity.

Block Potentially Unwanted Applications at download and prior to installation - Potentially Unwanted Applications (PUA) is a threat classification based on reputation and research-driven identification. Most commonly, these are unwanted application bundlers or their bundled applications. Beginning in version 1602 of Configuration Manager, this protection policy setting is available and set to Yes by default. When enabled, this setting blocks PUA at download and install time. However, you can exclude specific files or folders to meet the specific needs of your business or organization.

Exclusion Settings
Excluded files and folders:
Click Set to open the Configure File and Folder Exclusions dialog box and specify the names of the files and folders to exclude from Endpoint Protection scans.
If you want to exclude files and folders that are located on a mapped network drive, specify the name of each folder in the network drive individually. For example, if a network drive is mapped as F:\MyFolder and it contains subfolders named Folder1, Folder2 and Folder3, specify the following exclusions:
   F:\MyFolder\Folder1
   F:\MyFolder\Folder2
   F:\MyFolder\Folder3
Beginning in version 1602, the existing Exclude files and folders setting in the Exclusion settings section of an antimalware policy is improved to allow device exclusions. For example, you can now specify the following as an exclusion: \device\mvfs (for Multiversion File System). The policy does not validate the device path; the Endpoint Protection policy is provided to the antimalware engine on the client, which must be able to interpret the device string.
Excluded file types:
Click Set to open the Configure File Type Exclusions dialog box and specify the file extensions to exclude from Endpoint Protection scans. You can use wildcards when defining items in the exclusion list. For more information, see Use wildcards in the file name and folder path or extension exclusion lists.
Excluded processes:
Click Set to open the Configure Process Exclusions dialog box and specify the processes to exclude from Endpoint Protection scans. You can use wildcards when defining items in the exclusion list; however, there are some limitations. For more information, see Use wildcards in the process exclusion list.
Advanced Settings
Enable reparse point scanning - Set to Yes if you want Endpoint Protection to scan NTFS reparse points. For more information about reparse points, see Reparse Points in the Windows Dev Center.
Randomize the scheduled scan start times (within 30 minutes) - Set to Yes to help avoid flooding the network, which can occur if all computers send their antimalware scan results to the Configuration Manager database at the same time. For Windows Defender Antivirus, this randomizes the scan start time to any interval from 0 to 4 hours, or for FEP and SCEP, to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. This setting is also useful when you run multiple virtual machines on a single host. Select this option to reduce the amount of simultaneous disk access for antimalware scanning.
Beginning in version 1602 of Configuration Manager, the antimalware engine may request file samples to be sent to Microsoft for further analysis. By default, it will always prompt before it sends such samples. Administrators can now manage the following settings to configure this behavior:
   Enable auto sample file submission to help Microsoft determine whether certain detected items are Malicious - Set to Yes to enable auto sample file submission. By default, this setting is No, which means auto sample file submission is disabled and users are prompted before sending samples.
   Allow users to modify auto sample file submission settings - This determines whether a user with local admin rights on a device can change the auto sample file submission setting in the client interface. By default, this setting is No, which means it can only be changed from the Configuration Manager console, and local admins on a device cannot change this configuration.
For example, on Windows 10 a setting that the administrator has enabled appears in the client interface as enabled and greyed out, which prevents changes by the user.

Threat Overrides Settings

Threat name and override action - Click Set to customize the remediation action to take for each threat ID when it is detected during a scan.

NOTE
The list of threat names might not be available immediately after the configuration of Endpoint Protection. Wait until the Endpoint Protection point has synchronized the threat information, and then try again.

Cloud Protection Service

Cloud Protection Service enables the collection of information about detected malware on managed systems and the actions taken. This information is sent to Microsoft.
Cloud Protection Service membership
   Do not join Cloud Protection Service - No information is sent
   Basic - Collect and send lists of detected malware
   Advanced - Basic information as well as more comprehensive information that could contain personal information. For example, file paths and partial memory dumps.
Allow users to modify Cloud Protection Service settings - Toggles user control of Cloud Protection Service settings.
Level for blocking suspicious files - Specify the level at which the Endpoint Protection Cloud Protection Service will block suspicious files.
   Normal - The default Windows Defender blocking level
   High - Aggressively blocks unknown files while optimizing for performance (greater chance of blocking non-harmful files)
   High with extra protection - Aggressively blocks unknown files and applies additional protection measures (might impact client device performance)
   Block unknown programs - Blocks all unknown programs
Allow extended cloud check to block and scan for up to (seconds) - Specifies the number of seconds Cloud Protection Service can block a file while the service checks that the file is not known to be malicious.

NOTE
The number of seconds that you select for this setting is in addition to a default 10-second timeout. For example, if you
enter 0 seconds, the Cloud Protection Service blocks the file for 10 seconds.

Details of Cloud Protection Service reporting

Frequency: When Windows Defender updates virus and spyware protection or definition files
Data collected or sent: Version of virus and spyware definitions; virus and spyware protection version
Use of data: Microsoft uses this information to ensure the latest virus and spyware updates are present on computers. If not present, Windows Defender updates automatically so computer protection stays up-to-date.

Frequency: If Windows Defender finds potentially harmful or unwanted software on computers
Data collected or sent: Name of potentially harmful or unwanted software; how the software was found; any actions that Windows Defender took to deal with the software; files affected by the software; information about the computer from the manufacturer (Sysconfig, SysModel, SysMarker)
Use of data: Windows Defender uses this information to determine the type and severity of potentially unwanted software, and the best action to take. Microsoft also uses this information to help improve the accuracy of virus and spyware protection.

Frequency: Once a month
Data collected or sent: Virus and spyware definition update status; status of real-time virus and spyware monitoring (on or off)
Use of data: Windows Defender uses this information to verify that computers have the latest virus and spyware protection version and definitions. Microsoft also wants to make sure that real-time virus and spyware monitoring is turned on. This is a critical part of helping protect computers from potentially harmful or unwanted software.

Frequency: During installation, or whenever users manually perform a virus and spyware scan of your computer
Data collected or sent: List of running processes in your computer's memory
Use of data: To identify any processes that might have been compromised by potentially harmful software.

Microsoft collects only the names of affected files, not the contents of the files themselves. This information helps determine what systems are especially vulnerable to specific threats.
Definition Updates Settings
Set sources and order for Endpoint Protection client updates - Click Set Source to specify the sources
for definition and scanning engine updates. You can also specify the order in which these sources are used. If
Configuration Manager is specified as one of the sources, then the other sources are used only if software
updates fail to download the client updates.
If you use any of the following methods to update the definitions on client computers, then the client
computers must be able to access the Internet.
Updates distributed from Microsoft Update
Updates distributed from Microsoft Malware Protection Center

IMPORTANT
Clients download definition updates by using the built-in system account. You must configure a proxy server for this
account to enable these clients to connect to the Internet.
If you have configured a software updates automatic deployment rule to deliver definition updates to client computers,
these updates will be delivered regardless of the definition updates settings.
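Deploying a policy and seeing it listed in the console does not prove that a given client is running with those settings; the client has to retrieve policy and the antimalware engine has to apply it. As an added example that is not part of the original article, the following PowerShell script reads the effective Windows Defender Antivirus configuration back on a Windows 10 client and compares it with the values the sections above describe (real-time protection, behavior monitoring, network exploit protection, PUA blocking, cloud block level, MAPS membership, sample submission, mapped-drive and archive scanning, exclusions and definition sources). It assumes the Defender PowerShell module is present, which is the case on Windows 10 but not on Windows 8.1 and earlier running the SCEP client. The correspondence between policy settings and Get-MpPreference properties is my reading of the two interfaces rather than a table from the page, and the expected values in $expected, including the F:\MyFolder exclusions taken from the exclusion example above, are a constructed sample to replace with your own policy.

```powershell
# Added example (not from the Configuration Manager documentation): read the
# effective Windows Defender Antivirus settings on a Windows 10 client and
# compare them with what the deployed antimalware policy should have set.
# Assumptions: Defender PowerShell module present (Windows 10); the mapping
# from policy settings to Get-MpPreference properties is the author's reading;
# $expected is a constructed sample.
#Requires -Modules Defender

function Get-EffectiveAntimalwareSettings {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection       = $s.RealTimeProtectionEnabled
        BehaviorMonitoring       = -not $p.DisableBehaviorMonitoring
        NetworkExploitProtection = -not $p.DisableIntrusionPreventionSystem
        ScriptScanning           = -not $p.DisableScriptScanning
        PUAProtection            = [int]$p.PUAProtection          # 0 off, 1 block, 2 audit
        CloudBlockLevel          = [int]$p.CloudBlockLevel        # 0 default, 2 high, 4 high+, 6 zero tolerance
        CloudExtendedTimeout     = [int]$p.CloudExtendedTimeout   # seconds added to the default timeout
        MAPSReporting            = [int]$p.MAPSReporting          # 0 none, 1 basic, 2 advanced
        SubmitSamplesConsent     = [int]$p.SubmitSamplesConsent   # 0 always prompt, 1 send safe samples
        ScanMappedNetworkDrives  = -not $p.DisableScanningMappedNetworkDrivesForFullScan
        ScanArchives             = -not $p.DisableArchiveScanning
        ExclusionPath            = @($p.ExclusionPath)
        UNCSources               = @($p.SignatureDefinitionUpdateFileSharesSources)
        FallbackOrder            = $p.SignatureFallbackOrder
        SignatureAgeDays         = $s.AntivirusSignatureAge
    }
}

function Compare-AntimalwareSettings {
    param([Parameter(Mandatory)][hashtable] $Expected)
    $actual = Get-EffectiveAntimalwareSettings
    foreach ($name in $Expected.Keys) {
        $a = $actual.$name
        $e = $Expected[$name]
        # Arrays (exclusions, sources) compare as sets; everything else compares directly.
        $ok = if ($e -is [array]) {
            (@($a | Sort-Object) -join '|') -eq (@($e | Sort-Object) -join '|')
        } else { $a -eq $e }
        [pscustomobject]@{ Setting = $name; Expected = (@($e) -join ';'); Actual = (@($a) -join ';'); Ok = $ok }
    }
}

# Constructed sample of the values a policy built from the sections above would set.
$expected = @{
    RealTimeProtection       = $true
    BehaviorMonitoring       = $true
    NetworkExploitProtection = $true
    PUAProtection            = 1
    CloudBlockLevel          = 2       # "High"
    MAPSReporting            = 2       # "Advanced" membership
    SubmitSamplesConsent     = 0       # auto sample submission left at its default (prompt)
    ScanMappedNetworkDrives  = $false
    ExclusionPath            = @('F:\MyFolder\Folder1', 'F:\MyFolder\Folder2', 'F:\MyFolder\Folder3')
}

$report = Compare-AntimalwareSettings -Expected $expected
$report | Format-Table -AutoSize
$mismatch = @($report | Where-Object { -not $_.Ok })
if ($mismatch.Count -gt 0) {
    Write-Warning "$($mismatch.Count) setting(s) differ from the deployed policy; check the policy's collection membership and trigger a client policy retrieval."
}
```

Run it on a client in the target collection after the next policy retrieval interval. A mismatch usually means the policy is assigned to a different collection than expected, a second policy with higher priority wins, or the client has not yet downloaded policy; the SignatureAgeDays field is a quick indication of whether definition updates are reaching the client at all.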

Configure custom client settings for Endpoint Protection
4/20/2020 • 5 minutes to read

Applies to: Configuration Manager (current branch)


This procedure configures custom client settings for Endpoint Protection, which you can deploy to collections of
devices in your hierarchy.

IMPORTANT
Only configure the default Endpoint Protection client settings if you're sure that you want them applied to all computers in
your hierarchy.

To enable Endpoint Protection and configure custom client settings


1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Client Settings.
3. On the Home tab, in the Create group, click Create Custom Client Device Settings.
4. In the Create Custom Client Device Settings dialog box, provide a name and a description for the group of settings, and then select Endpoint Protection.
5. Configure the Endpoint Protection client settings that you require. For a full list of Endpoint Protection client settings that you can configure, see the Endpoint Protection section in About client settings.

IMPORTANT
Install the Endpoint Protection site system role before you configure client settings for Endpoint Protection.

6. Click OK to close the Create Custom Client Device Settings dialog box. The new client settings are displayed in the Client Settings node of the Administration workspace.
7. Next, deploy the custom client settings to a collection. Select the custom client settings you want to deploy. In the Home tab, in the Client Settings group, click Deploy.
8. In the Select Collection dialog box, choose the collection to which you want to deploy the client settings and then click OK. The new deployment is shown in the Deployments tab of the details pane.
Clients are configured with these settings when they next download client policy. For more information, see Initiate policy retrieval for a Configuration Manager client.

How to provision the Endpoint Protection client in a disk image


Install the Endpoint Protection client on a computer that you intend to use as a disk image source for
Configuration Manager OS deployment. This computer is typically called the reference computer. After you create
the OS image, then use Configuration Manager OS deployment to deploy the image.
IMPORTANT
Windows 10 and Windows Server 2016 have Windows Defender installed by default. You don't need this procedure on
those versions of Windows.

Use the following procedures to help you install and configure the Endpoint Protection client on a reference
computer.
Prerequisites
The following list contains the required prerequisites for installing the Endpoint Protection client software on a
reference computer.
You must have access to the Endpoint Protection client installation package, scepinstall.exe . Find this
package in the Client folder of the Configuration Manager installation folder on the site server.
To deploy the Endpoint Protection client with your organization's required configuration, create and export
an antimalware policy. Then specify this policy when you manually install the Endpoint Protection client. For
more information, see How to create and deploy antimalware policies.

NOTE
You can't export the Default Client Antimalware Policy .

If you want to install the Endpoint Protection client with the latest definitions, download them from
Windows Defender Security Intelligence.

NOTE
Starting in Configuration Manager 1802, you don't need to install the Endpoint Protection agent (SCEPInstall) on Windows
10 devices. If it's already installed on Windows 10 devices, Configuration Manager doesn't remove it. Administrators can
remove the Endpoint Protection agent on Windows 10 devices that are running at least the 1802 client version.
SCEPInstall.exe may still be present in C:\Windows\ccmsetup on some machines, but new client installations shouldn't
download it.

How to install the Endpoint Protection client on the reference computer


Install the Endpoint Protection client locally on the reference computer from a command prompt. First get the
installation file scepinstall.exe . For more information, see Install the Endpoint Protection client from a command
prompt.
If necessary, also include a preconfigured antimalware policy, such as an antimalware policy that you previously exported.

To install the Endpoint Protection client from a command prompt


1. Copy scepinstall.exe from the Client folder of the Configuration Manager installation folder to the computer on which you want to install the Endpoint Protection client software.
2. Open a command prompt as an administrator. Change directory to the folder with the installer. Then run scepinstall.exe, adding any additional command-line properties that you require:

   Property - Description
   /s - Run the installer silently
   /q - Extract the setup files silently
   /i - Run the installer normally
   /policy - Specify an antimalware policy file to configure the client during installation
   /sqmoptin - Opt-in to the Microsoft Customer Experience Improvement Program (CEIP)

3. Follow the on-screen instructions to complete the client installation.


4. If you downloaded the latest update definition package, copy the package to the client computer, and then
double-click the definition package to install it.

NOTE
After the Endpoint Protection client install completes, the client automatically performs a definition update check. If
this update check succeeds, you don't have to manually install the latest definition update package.

Example: install the client with an antimalware policy


scepinstall.exe /policy <full path>\<policy file>
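The command above works well interactively; for a reference computer build you usually want the install to be silent and to fail loudly when the policy file is missing or malformed, rather than producing a client that silently runs with default settings. As an added example that is not part of the original article, the following PowerShell wrapper uses the /s, /q and /policy switches from the table above, validates the exported policy file (exported antimalware policies are XML) before running the installer, checks the exit code, and then confirms that the Microsoft Antimalware registry key the article refers to in the imaging section exists. The installer and policy paths C:\Install\scepinstall.exe and C:\Install\EPPolicy.xml are placeholders, and treating any non-zero exit code as failure is a conservative assumption of mine, not a documented contract of scepinstall.exe.

```powershell
# Added example (not from the Configuration Manager documentation): silent
# scepinstall.exe run with an exported antimalware policy, with input
# validation and a post-install check. Run from an elevated session.
# Assumptions: placeholder paths; non-zero exit code treated as failure.

function Install-EndpointProtectionClient {
    param(
        [Parameter(Mandatory)][string] $InstallerPath,
        [Parameter(Mandatory)][string] $PolicyPath,
        [switch] $OptInCeip
    )
    if (-not (Test-Path -LiteralPath $InstallerPath)) { throw "Installer not found: $InstallerPath" }
    if (-not (Test-Path -LiteralPath $PolicyPath))    { throw "Policy file not found: $PolicyPath" }

    # Catch a truncated or hand-edited policy export before it reaches the installer.
    try { [xml](Get-Content -LiteralPath $PolicyPath -Raw) | Out-Null }
    catch { throw "Policy file is not well-formed XML: $PolicyPath ($($_.Exception.Message))" }

    # /s silent install, /q silent extraction, /policy <file>: switches from the table above.
    $argList = @('/s', '/q', '/policy', "`"$PolicyPath`"")
    if ($OptInCeip) { $argList += '/sqmoptin' }
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $argList -Wait -PassThru
    return $proc.ExitCode
}

function Test-EndpointProtectionInstalled {
    # The client creates this key, including the InstallTime value listed in the
    # imaging section, when it installs and starts.
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($null -ne $props.InstallTime)
}

$exit = Install-EndpointProtectionClient -InstallerPath 'C:\Install\scepinstall.exe' `
                                         -PolicyPath    'C:\Install\EPPolicy.xml'
if ($exit -ne 0) { throw "scepinstall.exe exited with code $exit" }
if (-not (Test-EndpointProtectionInstalled)) {
    throw 'Endpoint Protection client registry key not present after install; check the installer log'
}
'Endpoint Protection client installed with the supplied policy.'
```

After this completes, still run through the manual verification steps in the next section (real-time protection On, definitions Up-to-date, a full scan) before capturing the image; the registry check only proves the installer ran, not that the engine is healthy.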

Verify the Endpoint Protection client installation


After you install the Endpoint Protection client on your reference computer, verify that the client is working
correctly.
1. On the reference computer, open System Center Endpoint Protection from the Windows notification
area.
2. On the Home tab of the System Center Endpoint Protection dialog box, verify that Real-time
protection is set to On .
3. Verify that Up-to-date is displayed for Virus and spyware definitions .
4. To make sure that your reference computer is ready for imaging, under Scan options , select Full , and then
click Scan now .

Prepare the Endpoint Protection client for imaging


Perform the following steps to prepare the Endpoint Protection client for imaging:
1. On the reference computer, sign in as an administrator.
2. Download and install PsExec from Windows SysInternals.
3. Run a command prompt as an administrator, change directory to the folder where you installed PsTools,
and then type the following command:
psexec.exe -s -i regedit.exe
IMPORTANT
Use caution when you run the Registry Editor in this manner. PsExec.exe runs it in the LocalSystem context.

4. In the Registry Editor, delete the following registry keys:

IMPORTANT
Delete these registry keys as the last step before imaging the reference computer. The Endpoint Protection client
recreates these keys when it starts. If you restart the reference computer, delete the registry keys again.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\InstallTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanRun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanType

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastQuickScanID

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastFullScanID

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID

You're now ready to prepare the reference computer for imaging.
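The registry cleanup above, as an added PowerShell example that is not part of the original article. It expects the same LocalSystem context the article obtains through PsExec, checks at run time whether each listed path is a value or a subkey (the article calls them all "keys"), and verifies afterwards that nothing is left; the script file name is a placeholder.

```powershell
# Added example (not from the original article): clear the Endpoint Protection
# state entries listed above as the last step before imaging. Run it in the
# LocalSystem context the article uses for Registry Editor, for example:
#   psexec.exe -s -i powershell.exe -ExecutionPolicy Bypass -File .\Clear-EpImagingState.ps1
# (Clear-EpImagingState.ps1 is a placeholder file name.)
$antimalware = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'

# The six paths the article lists, split into parent key and entry name.
$targets = @(
    @{ Key = $antimalware;                                Name = 'InstallTime' }
    @{ Key = "$antimalware\Scan";                         Name = 'LastScanRun' }
    @{ Key = "$antimalware\Scan";                         Name = 'LastScanType' }
    @{ Key = "$antimalware\Scan";                         Name = 'LastQuickScanID' }
    @{ Key = "$antimalware\Scan";                         Name = 'LastFullScanID' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'; Name = 'GUID' }
)

function Remove-RegistryValueOrKey {
    param([string]$Key, [string]$Name)

    if (-not (Test-Path -LiteralPath $Key)) {
        return "Parent key not present, nothing to do: $Key"
    }
    $item = Get-Item -LiteralPath $Key
    # Most of these entries are values under the parent key; handle a subkey too.
    if ($item.GetValueNames() -contains $Name) {
        Remove-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop
        return "Removed value  $Key\$Name"
    }
    if ($item.GetSubKeyNames() -contains $Name) {
        Remove-Item -LiteralPath "$Key\$Name" -Recurse -ErrorAction Stop
        return "Removed subkey $Key\$Name"
    }
    return "Already absent  $Key\$Name"
}

foreach ($t in $targets) {
    Write-Output (Remove-RegistryValueOrKey -Key $t.Key -Name $t.Name)
}

# Verify that nothing listed still exists. The client recreates these entries
# when it starts, so if any are back, the client ran again (for example after a
# restart) and this step must be repeated, as the article notes.
$remaining = foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t.Key) {
        $item = Get-Item -LiteralPath $t.Key
        if (($item.GetValueNames() -contains $t.Name) -or ($item.GetSubKeyNames() -contains $t.Name)) {
            "$($t.Key)\$($t.Name)"
        }
    }
}
if ($remaining) {
    Write-Warning "Still present: $($remaining -join ', ')"
} else {
    Write-Output 'All listed entries are absent; the reference computer is ready for imaging.'
}
```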


When you deploy an OS image that contains the Endpoint Protection client, it automatically reports information to
the device's assigned Configuration Manager site. The client downloads and applies any targeted antimalware
policy.

See also
For more information about OS deployment in Configuration Manager, see Manage OS images.
Create and deploy Windows Firewall policies for
Endpoint Protection in Configuration Manager
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Firewall policies for Endpoint Protection in Configuration Manager let you perform basic Windows Firewall
configuration and maintenance tasks on client computers in your hierarchy. You can use Windows Firewall policies
to perform the following tasks:
Control whether Windows Firewall is turned on or off.
Control whether incoming connections are allowed to client computers.
Control whether users are notified when Windows Firewall blocks a new program.
1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, expand Endpoint Protection , and then click Windows
Firewall Policies .
3. On the Home tab, in the Create group, click Create Windows Firewall Policy .
4. On the General page of the Create Windows Firewall Policy Wizard , specify a name and an optional
description for this firewall policy, and then click Next .
5. On the Profile Settings page of the wizard, configure the following settings for each network profile:

NOTE
For more information about network profiles, see the Windows documentation.

Enable Windows Firewall

NOTE
If Enable Windows Firewall is not enabled, the other settings on this page of the wizard are unavailable.

Block all incoming connections, including those in the list of allowed programs
Notify the user when Windows Firewall blocks a new program
6. On the Summary page of the wizard, review the actions to be taken, and then complete the wizard.
7. Verify that the new Windows Firewall policy is displayed in the Windows Firewall Policies list.

To deploy a Windows Firewall policy


1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, expand Endpoint Protection , and then click Windows
Firewall Policies .
3. In the Windows Firewall Policies list, select the Windows Firewall policy that you want to deploy.
4. On the Home tab, in the Deployment group, click Deploy .
5. In the Deploy Windows Firewall Policy dialog box, specify the collection to which you want to assign
this Windows Firewall policy, and specify an assignment schedule. Clients evaluate the policy for compliance
on this schedule and reconfigure their Windows Firewall settings to match the Windows Firewall policy.
6. Click OK to close the Deploy Windows Firewall Policy dialog box and to deploy the Windows Firewall
policy.

IMPORTANT
When you deploy a Windows Firewall policy to a collection, this policy is applied to computers in a random order
over a 2 hour period to avoid flooding the network.
Microsoft Defender Advanced Threat Protection
7/7/2020 • 8 minutes to read

Applies to: Configuration Manager (current branch)


Endpoint Protection can help manage and monitor Microsoft Defender Advanced Threat Protection (ATP) (formerly
known as Windows Defender ATP). Microsoft Defender ATP helps enterprises detect, investigate, and respond to
advanced attacks on their networks. Configuration Manager policies can help you onboard and monitor Windows
10 clients.
Microsoft Defender ATP is a service in the Microsoft Defender Security Center. By adding and deploying a client
onboarding configuration file, Configuration Manager can monitor deployment status and Microsoft Defender ATP
agent health. Microsoft Defender ATP is supported on PCs running the Configuration Manager client or managed
by Microsoft Intune.

Prerequisites
Subscription to the Microsoft Defender Advanced Threat Protection online service
Client computers running the Configuration Manager client
Clients using an OS listed in the Supported client operating systems section below.
Supported client operating systems
Based on the version of Configuration Manager you're running, the following client operating systems can be
onboarded:
Configuration Manager version 1910 and prior
Client computers running Windows 10, version 1607 and later
Configuration Manager version 2002 and later
Starting in Configuration Manager version 2002, you can onboard the following operating systems:
Windows 8.1
Windows 10, version 1607 or later
Windows Server 2012 R2
Windows Server 2016
Windows Server 2016, version 1803 or later
Windows Server 2019

About onboarding to ATP with Configuration Manager


Different operating systems have different needs for onboarding to ATP. Windows 8.1 and other down-level
operating system devices need the Workspace key and Workspace ID to onboard. Up-level devices, such as
Windows Server version 1803, need the onboarding configuration file. Configuration Manager also installs the
Microsoft Monitoring Agent (MMA) when needed by onboarded devices but it doesn't update the agent
automatically.
Up-level operating systems include:
Windows 10, version 1607 and later
Windows Server 2016, version 1803 or later
Windows Server 2019
Down-level operating systems include:
Windows 8.1
Windows Server 2012 R2
Windows Server 2016, version 1709 and earlier
When you onboard devices to ATP with Configuration Manager, you deploy the ATP policy to a target collection or
multiple collections. Sometimes the target collection contains devices running any number of the supported
operating systems. The instructions for onboarding these devices vary based on if you're targeting a collection
containing devices with operating systems that are up-level, down-level, or both.
If your target collection contains both up-level and down-level devices, then use the instructions to onboard
devices running any supported operating system (recommended).
If your collection contains only up-level devices, then you can use the up-level onboarding instructions.
If your collection contains only down-level devices, then you can use the down-level onboarding instructions.

WARNING
If your target collection contains up-level devices, and you use the instructions for down-level devices, then the up-level
devices won't be onboarded.
If your target collection contains down-level devices, and you use the instructions for up-level devices, then the down-
level devices won't be onboarded.

Onboard devices with any supported operating system to ATP (recommended)

You can onboard devices running any of the supported operating systems to ATP by providing the configuration
file, Workspace key , and Workspace ID to Configuration Manager.
Get the configuration file, Workspace ID, and Workspace key
1. Go to the Microsoft Defender ATP online service and sign in.
2. Select Settings , then select Onboarding under the Device management heading.
3. For the operating system, select Windows 10 .
4. Choose Microsoft Endpoint Configuration Manager current branch and later for the deployment
method.
5. Click Download package .
6. Download the compressed archive (.zip) file and extract the contents.
7. Select Settings , then select Onboarding under the Device management heading.
8. For the operating system, select either Windows 7 SP1 and 8.1 or Windows Server 2008 R2 SP1,
2012 R2 and 2016 from the list.
The Workspace key and Workspace ID will be the same regardless of which of these options you
choose.
9. Copy the values for the Workspace key and Workspace ID from the Configure connection section.

IMPORTANT
The Microsoft Defender ATP configuration file contains sensitive information which should be kept secure.

Onboard the devices


1. In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection >
Microsoft Defender ATP Policies .
2. Select Create Microsoft Defender ATP Policy to open the Microsoft Defender ATP Policy Wizard.
3. Type the Name and Description for the Microsoft Defender ATP policy and select Onboarding .
4. Browse to the configuration file you extracted from the downloaded .zip file.
5. Supply the Workspace key and Workspace ID then click Next .
6. Specify the file samples that are collected and shared from managed devices for analysis.
None
All file types
7. Review the summary and complete the wizard.
8. Right-click on the policy you created, then select Deploy to target the Microsoft Defender ATP policy to
clients.

Onboard devices running up-level operating systems to ATP


Up-level clients require an onboarding configuration file for onboarding to ATP. Up-level operating systems
include:
Windows 10, version 1607 and later
Windows Server 2016, version 1803 and later
Windows Server 2019
If your target collection contains both up-level and down-level devices, or if you're not sure, then use the
instructions to onboard devices running any supported operating system (recommended).
Get an onboarding configuration file for up-level devices
1. Go to the Microsoft Defender ATP online service and sign in.
2. Select Settings , then select Onboarding under the Device management heading.
3. For the operating system, select Windows 10 .
4. Choose Microsoft Endpoint Configuration Manager current branch and later for the deployment
method.
5. Click Download package .
6. Download the compressed archive (.zip) file and extract the contents.

IMPORTANT
The Microsoft Defender ATP configuration file contains sensitive information which should be kept secure.

Onboard the up-level devices


1. In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection >
Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy . The Microsoft
Defender ATP Policy Wizard opens.
2. Type the Name and Description for the Microsoft Defender ATP policy and select Onboarding .
3. Browse to the configuration file you extracted from the downloaded .zip file.

NOTE
For Configuration Manager version 2002, you'll need the Workspace key and Workspace ID even if you're
onboarding only up-level devices. Get these values by selecting Settings > Onboarding > Windows 7 and 8.1
from the Microsoft Defender ATP online service.

4. Specify the file samples that are collected and shared from managed devices for analysis.
None
All file types
5. Review the summary and complete the wizard.
6. Right-click on the policy you created, then select Deploy to target the Microsoft Defender ATP policy to clients.

Onboard devices running down-level operating systems to ATP


Down-level clients require Workspace key and Workspace ID for ATP onboarding. Down-level operating
systems include:
Windows 8.1
Windows Server 2012 R2
Windows Server 2016, version 1709 and earlier
If your target collection contains both up-level and down-level devices, or if you're not sure, then use the
instructions to onboard devices running any supported operating system (recommended).
Get the Workspace ID and Workspace key for down-level devices
1. Go to the Microsoft Defender ATP online service and sign in.
2. Select Settings , then select Onboarding under the Device management heading.
3. For the operating system, select either Windows 7 SP1 and 8.1 or Windows Server 2008 R2 SP1, 2012
R2 and 2016 from the list.
The Workspace key and Workspace ID will be the same regardless of which of these options you
choose.
4. Copy the values for the Workspace key and Workspace ID from the Configure connection section.
Onboard the down-level devices
1. In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection >
Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy . The Microsoft
Defender ATP Policy Wizard opens.
2. Type the Name and Description for the Microsoft Defender ATP policy and select Onboarding .
3. Provide the Workspace key and Workspace ID .

NOTE
For Configuration Manager version 2002, you'll need the configuration file even if you're onboarding only down-
level devices. Get these values by selecting Settings > Onboarding > Windows 10 from the Microsoft
Defender ATP online service.
The Microsoft Defender ATP configuration file contains sensitive information which should be kept secure.

4. Specify the file samples that are collected and shared from managed devices for analysis.
None
All file types
5. Review the summary and complete the wizard.
6. Right-click on the policy you created, then select Deploy to target the Microsoft Defender ATP policy to clients.

Monitor
1. In the Configuration Manager console, navigate to Monitoring > Security and then select Microsoft
Defender ATP .
2. Review the Microsoft Defender Advanced Threat Protection dashboard.
Microsoft Defender ATP Agent Onboarding Status : The number and percentage of eligible
managed client computers with active Microsoft Defender ATP policy onboarded
Microsoft Defender ATP Agent Health : Percentage of computer clients reporting status for their
Microsoft Defender ATP agent
Healthy - Working properly
Inactive - No data sent to service during time period
Agent state - The system service for the agent in Windows isn't running
Not onboarded - Policy was applied but the agent hasn't reported policy onboard
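A client-side check that maps a device to the dashboard states above, as an added PowerShell example that is not part of the original article. It assumes (none of this is stated on the page) that up-level devices run the built-in Sense service and record OnboardingState = 1 under HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status once onboarded, and that down-level devices run the Microsoft Monitoring Agent as the HealthService service.

```powershell
# Added example (not from the original article): report the local onboarding
# state of one device in the terms the Configuration Manager dashboard uses.
# Assumptions: 'Sense' is the ATP service on up-level devices (Windows 10 1607+,
# Server 1803+/2019), OnboardingState = 1 in the Status key means onboarded, and
# 'HealthService' is the Microsoft Monitoring Agent on down-level devices.
function Get-DefenderAtpClientState {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = $null
    if (Test-Path -LiteralPath $statusKey) {
        $onboardingState = (Get-ItemProperty -LiteralPath $statusKey).OnboardingState
    }

    $sense = Get-Service -Name 'Sense'         -ErrorAction SilentlyContinue
    $mma   = Get-Service -Name 'HealthService' -ErrorAction SilentlyContinue

    if ($sense) {
        # Up-level path: the Sense service plus the onboarding registry state.
        $agentName   = 'Sense'
        $agentStatus = $sense.Status.ToString()
        $verdict = if ($onboardingState -ne 1) {
                       'Not onboarded: policy may have applied, but the agent has not reported onboarding'
                   } elseif ($sense.Status -ne 'Running') {
                       'Agent state: the Sense service is not running'
                   } else {
                       'Healthy locally; an "Inactive" state is only visible in the console'
                   }
    }
    elseif ($mma) {
        # Down-level path: only the MMA service can be checked here; the
        # workspace connection itself is confirmed in the ATP portal.
        $agentName   = 'HealthService (Microsoft Monitoring Agent)'
        $agentStatus = $mma.Status.ToString()
        $verdict = if ($mma.Status -ne 'Running') {
                       'Agent state: the Microsoft Monitoring Agent is not running'
                   } else {
                       'MMA running; confirm the Workspace ID connection in the portal'
                   }
    }
    else {
        $agentName   = '<none>'
        $agentStatus = 'NotInstalled'
        $verdict     = 'Not onboarded: neither Sense nor the Microsoft Monitoring Agent is installed'
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OnboardingState = $onboardingState
        AgentService    = $agentName
        AgentStatus     = $agentStatus
        Verdict         = $verdict
    }
}

Get-DefenderAtpClientState | Format-List
```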

Create an offboarding configuration file


1. Sign in to the Microsoft Defender ATP online service.
2. Select Settings , then select Offboarding under the Device management heading.
3. Select Windows 10 for the operating system and Microsoft Endpoint Configuration Manager
current branch and later for the deployment method.
Using the Windows 10 option ensures that all devices in the collection are offboarded and the MMA is
uninstalled when needed.
4. Download the compressed archive (.zip) file and extract the contents. Offboarding files are valid for 30 days.
5. In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection >
Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy . The Microsoft
Defender ATP Policy Wizard opens.
6. Type the Name and Description for the Microsoft Defender ATP policy and select Offboarding .
7. Browse to the configuration file you extracted from the downloaded .zip file.
8. Review the summary and complete the wizard.
9. Select Deploy to target the Microsoft Defender ATP policy to clients.

IMPORTANT
The Microsoft Defender ATP configuration file contains sensitive information which should be kept secure.

Next steps
Microsoft Defender Advanced Threat Protection
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Create and deploy an Exploit Guard policy
4/20/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


You can configure and deploy Configuration Manager policies that manage all four components of Windows
Defender Exploit Guard. These components include:
Attack Surface Reduction
Controlled folder access
Exploit protection
Network protection
Compliance data for Exploit Guard policy deployment is available from within the Configuration Manager console.

NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.

Prerequisites
Managed devices must run Windows 10 1709 Fall Creators Update or later and satisfy the following requirements
depending on the components and rules configured:

EXPLOIT GUARD COMPONENT     ADDITIONAL PREREQUISITES
Attack Surface Reduction    Devices must have Microsoft Defender ATP always-on protection enabled.
Controlled folder access    Devices must have Microsoft Defender ATP always-on protection enabled.
Exploit protection          None
Network protection          Devices must have Microsoft Defender ATP always-on protection enabled.


Create an Exploit Guard policy


1. In the Configuration Manager console, go to Assets and compliance > Endpoint Protection , and then
click Windows Defender Exploit Guard .
2. On the Home tab, in the Create group, click Create Exploit Policy .
3. On the General page of the Create Configuration Item Wizard , specify a name, and optional description
for the configuration item.
4. Next, select the Exploit Guard components you want to manage with this policy. For each component you
select, you can then configure additional details.
Attack Surface Reduction: Configure the Office threat, scripting threats, and email threats you want to
block or audit. You can also exclude specific files or folders from this rule.
Controlled folder access: Configure blocking or auditing, and then add Apps that can bypass this
policy. You can also specify additional folders that are not protected by default.
Exploit protection: Specify an XML file that contains settings for mitigating exploits of system processes
and apps. You can export these settings from the Windows Defender Security Center app on a Windows
10 device.
Network protection: Set network protection to block or audit access to suspicious domains.
5. Complete the wizard to create the policy, which you can later deploy to devices.

WARNING
The XML file for exploit protection should be kept secure when transferring it between machines. The file should be
deleted after import or kept in a secure location.

Deploy an Exploit Guard policy


After you create Exploit Guard policies, use the Deploy Exploit Guard Policy wizard to deploy them. To do so, open
the Configuration Manager console to Assets and compliance > Endpoint Protection , and then click Deploy
Exploit Guard Policy .

Windows Defender Exploit Guard policy settings


Attack Surface Reduction policies and options
Attack Surface Reduction can reduce the attack surface of your applications with intelligent rules that stop the
vectors used by Office, script, and mail-based malware. Learn more about Attack Surface Reduction and the Event
IDs used for it.
Files and Folders to exclude from Attack Surface Reduction rules - Click on Set and specify any files
or folders to exclude.
Email Threats:
Block executable content from email client and webmail.
Not configured
Block
Audit
Office Threats:
Block Office application from creating child processes.
Not configured
Block
Audit
Block Office applications from creating executable content.
Not configured
Block
Audit
Block Office applications from injecting code into other processes.
Not configured
Block
Audit
Block Win32 API calls from Office macros.
Not configured
Block
Audit
Scripting Threats:
Block JavaScript or VBScript from launching downloaded executable content.
Not configured
Block
Audit
Block execution of potentially obfuscated scripts.
Not Configured
Block
Audit
Ransomware threats: (starting in Configuration Manager version 1802)
Use advanced protection against ransomware.
Not configured
Block
Audit
Operating system threats: (starting in Configuration Manager version 1802)
Block credential stealing from the Windows local security authority subsystem.
Not configured
Block
Audit
Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
Not configured
Block
Audit
External device threats: (starting in Configuration Manager version 1802)
Block untrusted and unsigned processes that run from USB.
Not configured
Block
Audit
Controlled folder access policies and options
Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-
encrypting ransomware malware. For more information, see Controlled folder access and the Event IDs it uses.
Configure Controlled folder access:
Block
Block disk sectors only (starting in Configuration Manager version 1802)
Allows Controlled folder access to be enabled for boot sectors only and does not enable the
protection of specific folders or the default protected folders.
Audit
Audit disk sectors only (starting in Configuration Manager version 1802)
Allows Controlled folder access to be enabled for boot sectors only and does not enable the
protection of specific folders or the default protected folders.
Disabled
Allow apps through Controlled folder access - Click on Set and specify apps.
Additional protected folders - Click on Set and specify additional protected folders.
Exploit protection policies
Applies exploit mitigation techniques to operating system processes and apps your organization uses. These
settings can be exported from the Windows Defender Security Center app on Windows 10 devices. For more
information, see Exploit protection.
Exploit protection XML - Click on Browse and specify the XML file to import.

WARNING
The XML file for exploit protection should be kept secure when transferring it between machines. The file should be
deleted after import or kept in a secure location.

Network protection policy


Helps minimize the attack surface on devices from internet-based attacks. The service restricts access to suspicious
domains that might host phishing scams, exploits, and malicious content. For more information, see Network
protection.
Configure Network protection:
Block
Audit
Disabled
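Reading the effective Exploit Guard state back from a client, in the Not configured / Block / Audit terms the wizard above uses, as an added PowerShell example that is not part of the original article. It assumes (not stated on the page) that Get-MpPreference exposes ASR rule ids and actions as parallel arrays with action codes 0 = Disabled, 1 = Block, 2 = Audit, that Controlled folder access additionally uses 3 and 4 for the disk-sectors-only modes, and that Get-ProcessMitigation can write the exploit protection XML; Export-ExploitProtectionXml is a helper defined here, not a built-in cmdlet.

```powershell
# Added example (not from the original article): audit the Exploit Guard state
# of a Windows 10 1709+ client with the Defender PowerShell module and report
# it with the names the Configuration Manager policy wizard uses.
# Assumptions: action codes 0 = Not configured/Disabled, 1 = Block, 2 = Audit;
# Controlled folder access also uses 3 = Block disk sectors only and
# 4 = Audit disk sectors only.
$asrActions = @{ 0 = 'Not configured'; 1 = 'Block'; 2 = 'Audit' }
$cfaModes   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit';
                 3 = 'Block disk sectors only'; 4 = 'Audit disk sectors only' }

function ConvertTo-ModeName([hashtable]$Map, $Code) {
    if ($null -eq $Code) { return 'Not configured' }
    if ($Map.ContainsKey([int]$Code)) { return $Map[[int]$Code] }
    return "Unknown ($Code)"
}

function Get-ExploitGuardState {
    $pref = Get-MpPreference

    # Pair each ASR rule id with its action; the two arrays line up by index.
    # Piping through Where-Object turns a null property into an empty array.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = ConvertTo-ModeName $asrActions $actions[$i]
        }
    }

    [pscustomobject]@{
        AttackSurfaceReduction = @($rules)
        AsrExclusions          = @($pref.AttackSurfaceReductionOnlyExclusions)
        ControlledFolderAccess = ConvertTo-ModeName $cfaModes $pref.EnableControlledFolderAccess
        CfaAllowedApps         = @($pref.ControlledFolderAccessAllowedApplications)
        CfaAdditionalFolders   = @($pref.ControlledFolderAccessProtectedFolders)
        NetworkProtection      = ConvertTo-ModeName $asrActions $pref.EnableNetworkProtection
    }
}

# The exploit protection XML the wizard imports can also be produced on a
# reference device with Get-ProcessMitigation. The article's note about keeping
# that file secure and deleting it after import applies to this output as well.
function Export-ExploitProtectionXml {
    param([string]$Path = (Join-Path $env:TEMP 'ExploitProtection.xml'))
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    return $Path
}

$state = Get-ExploitGuardState
$state | Select-Object -Property * -ExcludeProperty AttackSurfaceReduction | Format-List
$state.AttackSurfaceReduction | Format-Table -AutoSize
```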
Create and deploy Microsoft Defender Application
Guard policy
7/7/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


You can create and deploy Microsoft Defender Application Guard (Application Guard) policies by using the
Configuration Manager endpoint protection. These policies help protect your users by opening untrusted web sites
in a secure isolated container that isn't accessible by other parts of the operating system.

Prerequisites
To create and deploy a Microsoft Defender Application Guard policy, you must use the Windows 10 Fall Creators
Update (1709). The Windows 10 devices to which you deploy the policy must be configured with a network
isolation policy. For more information, see the Microsoft Defender Application Guard overview.

Create a policy and browse the available settings


1. In the Configuration Manager console, choose Assets and Compliance .
2. In the Assets and Compliance workspace, choose Overview > Endpoint Protection > Windows
Defender Application Guard .
3. In the Home tab, in the Create group, click Create Windows Defender Application Guard Policy .
4. Using the article as a reference, you can browse and configure the available settings. Configuration Manager
allows you to set certain policy settings:
Host interaction settings
Application behavior
File management
5. On the Network Definition page, specify the corporate identity, and define your corporate network
boundary.

NOTE
Windows 10 PCs store only one network isolation list on the client. You can create two different kinds of network
isolation lists and deploy them to the client:
one from Windows Information Protection
one from Microsoft Defender Application Guard
If you deploy both policies, these network isolation lists must match. If you deploy lists that don't match to the same
client, the deployment will fail. For more information, see the Windows Information Protection documentation.

6. When you're finished, complete the wizard, and deploy the policy to one or more Windows 10 1709 devices.
Host interaction settings
Configures interactions between host devices and the Application Guard container. Before Configuration Manager
version 1802, both application behavior and host interaction were under the Settings tab.
Clipboard - Under settings prior to Configuration Manager 1802
Permitted content type
Text
Images
Printing:
Enable printing to XPS
Enable printing to PDF
Enable printing to local printers
Enable printing to network printers
Graphics: (starting with Configuration Manager version 1802)
Virtual graphics processor access
Files: (starting with Configuration Manager version 1802)
Save downloaded files to host
Application behavior settings
Configures application behavior inside the Application Guard session. Before Configuration Manager version 1802,
both application behavior and host interaction were under the Settings tab.
Content:
Enterprise sites can load non-enterprise content, such as third-party plug-ins.
Other :
Retain user-generated browser data
Audit security events in the isolated application guard session
File management
Starting in Configuration Manager version 1906, there's a policy setting that enables users to trust files that
normally open in Application Guard. Upon successful completion, the files will open on the host device instead of in
Application Guard. For more information about the Application Guard policies, see Configure Microsoft Defender
Application Guard policy settings.
Allow users to trust files that open in Windows Defender Application Guard - Enable the user to mark
files as trusted. When a file is trusted, it opens on the host rather than in Application Guard. Applies to Windows
10 version 1809 or higher clients.
Prohibited: Don't allow users to mark files as trusted (default).
File checked by antivirus: Allow users to mark files as trusted after an antivirus check.
All files: Allow users to mark any file as trusted.
When you enable file management, you may see errors logged in the client's DCMReporting.log. The errors below
typically don't affect functionality:
On compatible devices:
FileTrustCriteria_condition not found
On non-compatible devices:
FileTrustCriteria_condition not found
FileTrustCriteria_condition could not be located in the map
FileTrustCriteria_condition not found in digest
To edit Application Guard settings, expand Endpoint Protection in the Assets and Compliance workspace, then
click on the Windows Defender Application Guard node. Right-click on the policy you want to edit, then select
Properties .

Known issues
Devices running Windows 10, version 2004 will show failures in compliance reporting for Microsoft Defender
Application Guard File Trust Criteria. This issue occurs because some subclasses were removed from the WMI class
MDM_WindowsDefenderApplicationGuard_Settings01 in Windows 10, version 2004. All other Microsoft Defender
Application Guard settings will still apply, only File Trust Criteria will fail. Currently, there are no workarounds to
bypass the error.

Next steps
For more information about Microsoft Defender Application Guard, see
Microsoft Defender Application Guard Overview.
Microsoft Defender Application Guard FAQ.
Windows Defender Application Control management
with Configuration Manager
4/28/2020 • 8 minutes to read

Applies to: Configuration Manager (current branch)

Introduction
Windows Defender Application Control is designed to protect PCs against malware and other untrusted software. It
prevents malicious code from running by ensuring that only approved code that you know can run.
Windows Defender Application Control is a software-based security layer that enforces an explicit list of software
that is allowed to run on a PC. On its own, Application Control does not have any hardware or firmware
prerequisites. Application Control policies deployed with Configuration Manager enable a policy on PCs in targeted
collections that meet the minimum Windows version and SKU requirements outlined in this article. Optionally,
hypervisor-based protection of Application Control policies deployed through Configuration Manager can be
enabled through Group Policy on capable hardware.
To learn more about Windows Defender Application Control, read the Windows Defender Application Control
deployment guide.

NOTE
Beginning with Windows 10, version 1709, configurable code integrity policies are known as Windows Defender
Application Control.
Beginning in Configuration Manager version 1710, Device Guard policies have been renamed to Windows Defender
Application Control policies.

Using Windows Defender Application Control with Configuration Manager

You can use Configuration Manager to deploy a Windows Defender Application Control policy. This policy lets you
configure the mode in which Windows Defender Application Control runs on PCs in a collection.
You can configure one of the following modes:
1. Enforcement enabled - Only trusted executables are allowed to run.
2. Audit only - Allow all executables to run, but log untrusted executables that run in the local client event log.

TIP
This feature was first introduced in version 1702 as a pre-release feature. Beginning with version 1906, it's no longer a pre-
release feature.

What can run when you deploy a Windows Defender Application Control policy?

Windows Defender Application Control lets you strongly control what can run on PCs you manage. This feature can
be useful for PCs in high-security departments, where it's vital that unwanted software cannot run.
When you deploy a policy, typically, the following executables can run:
Windows operating system components
Hardware Dev Center drivers (that have Windows Hardware Quality Labs signatures)
Windows Store apps
The Configuration Manager client
All software deployed through Configuration Manager that PCs install after the Windows Defender Application
Control policy is processed.
Updates to Windows components from:
Windows Update
Windows Update for Business
Windows Server Update Services
Configuration Manager
Optionally, software with a good reputation as determined by the Microsoft Intelligent Security Graph
(ISG). The ISG includes Windows Defender SmartScreen and other Microsoft services. The device must be
running Windows Defender SmartScreen and Windows 10 version 1709 or later for this software to be
trusted.

IMPORTANT
These items do not include any software that is not built into Windows and that updates itself automatically from the
internet, or third-party software updates, whether they are installed through any of the update mechanisms mentioned
previously or from the internet. Only software changes that are deployed through the Configuration Manager client can run.

Before you start
Before you configure or deploy Windows Defender Application Control policies, read the following information:
- Windows Defender Application Control management is a pre-release feature for Configuration Manager, and is subject to change.
- To use Windows Defender Application Control with Configuration Manager, PCs you manage must be running Windows 10 Enterprise version 1703 or later.
- Once a policy is successfully processed on a client PC, Configuration Manager is configured as a Managed Installer on that client. Software deployed through it, after the policy processes, is automatically trusted. Software installed by Configuration Manager before the Windows Defender Application Control policy processes is not automatically trusted.
- The default compliance evaluation schedule for Application Control policies, configurable during deployment, is every one day. If issues in policy processing are observed, it may be beneficial to configure the compliance evaluation schedule to be shorter, for example every hour. This schedule dictates how often clients reattempt to process a Windows Defender Application Control policy if a failure occurs.
- Regardless of the enforcement mode you select, when you deploy a Windows Defender Application Control policy, client PCs cannot run HTML applications with the extension .hta.

How to create a Windows Defender Application Control policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows Defender Application Control.
3. On the Home tab, in the Create group, click Create Application Control policy.
4. On the General page of the Create Application Control policy Wizard, specify the following settings:
   Name - Enter a unique name for this Windows Defender Application Control policy.
   Description - Optionally, enter a description for the policy that helps you identify it in the Configuration Manager console.
   Enforce a restart of devices so that this policy can be enforced for all processes - After the policy is processed on a client PC, a restart is scheduled on the client according to the Client Settings for Computer Restart.
     Devices running Windows 10 version 1703 or earlier will always be automatically restarted.
     Starting with Windows 10 version 1709, applications currently running on the device will not have the new Application Control policy applied to them until after a restart. However, applications launched after the policy applies will honor the new Application Control policy.
   Enforcement Mode - Choose one of the following enforcement methods for Windows Defender Application Control on the client PC.
     Enforcement Enabled - Only trusted executables are allowed to run.
     Audit Only - All executables are allowed to run, but untrusted executables that run are logged in the local client event log.
5. On the Inclusions tab of the Create Application Control policy Wizard, choose if you want to Authorize software that is trusted by the Intelligent Security Graph.
6. Click Add if you want to add trust for specific files or folders on PCs. In the Add Trusted File or Folder dialog box, you can specify a local file or a folder path to trust. You can also specify a file or folder path on a remote device on which you have permission to connect. When you add trust for specific files or folders in a Windows Defender Application Control policy, you can:
   Overcome issues with managed installer behaviors
   Trust line-of-business apps that cannot be deployed with Configuration Manager
   Trust apps that are included in an operating system deployment image.
7. Click Next to complete the wizard.

IMPORTANT
The inclusion of trusted files or folders is only supported on client PCs running version 1706 or later of the Configuration Manager client. If any inclusion rules are included in a Windows Defender Application Control policy and the policy is then deployed to a client PC running an earlier version of the Configuration Manager client, the policy will fail to be applied. Upgrading these older clients will resolve this issue. Policies that do not include any inclusion rules may still be applied on older versions of the Configuration Manager client.

How to deploy a Windows Defender Application Control policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows Defender Application Control.
3. From the list of policies, select the one you want to deploy, and then, on the Home tab, in the Deployment group, click Deploy Application Control Policy.
4. In the Deploy Application Control policy dialog box, select the collection to which you want to deploy the policy. Then, configure a schedule for when clients evaluate the policy. Finally, select whether the client can evaluate the policy outside of any configured maintenance windows.
5. When you are finished, click OK to deploy the policy.

How to monitor a Windows Defender Application Control policy
Use the information in the Monitor compliance settings article to help you monitor that the deployed policy has
been applied to all PCs correctly.
To monitor the processing of a Windows Defender Application Control policy, use the following log file on client PCs:
%WINDIR%\CCM\Logs\DeviceGuardHandler.log
To verify the specific software being blocked or audited, see the following local client event logs:
1. For blocking and auditing of executable files, use Applications and Services Logs > Microsoft > Windows > Code Integrity > Operational.
2. For blocking and auditing of Windows Installer and script files, use Applications and Services Logs > Microsoft > Windows > AppLocker > MSI and Script.
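The script below is an added example and is not part of the Configuration Manager documentation or the product. It reads the same three sources the article names from an elevated PowerShell session on a client PC: the current enforcement state (from the Win32_DeviceGuard WMI class), the Code Integrity and AppLocker event logs, and DeviceGuardHandler.log. The event IDs it filters on (3076 audit and 3077 enforced block in the Code Integrity log; 8028 audit and 8029 enforced block in the AppLocker MSI and Script log), the enforcement-status values, and the CMTrace line layout of the client log are assumptions taken from Windows and the client's log format, not from this page.

```powershell
# Added example (not from the Configuration Manager docs): what a WDAC policy is
# doing on this client, from the sources the article points to. Run elevated.
# Assumptions (from Windows, not this page): event IDs 3076/3077 and 8028/8029,
# Win32_DeviceGuard status values 0/1/2, and the CMTrace log line format.

function Get-WdacEnforcementState {
    # Win32_DeviceGuard reports 0 = off, 1 = audit, 2 = enforced for each CI policy.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $map = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        UserModeCI   = $map[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        KernelModeCI = $map[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-WdacEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filters = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $Since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028, 8029; StartTime = $Since }
    )
    foreach ($f in $filters) {
        # Get-WinEvent raises an error when a filter matches nothing; that is not a failure here.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $f.LogName
                Mode    = if ($_.Id -in 3076, 8028) { 'Audit' } else { 'Blocked' }
                Id      = $_.Id
                Message = ($_.Message -split "`r?`n")[0]   # first line names the file involved
            }
        }
    }
}

function Get-DeviceGuardHandlerErrors {
    param([string]$Path = "$env:WINDIR\CCM\Logs\DeviceGuardHandler.log")
    # CMTrace line: <![LOG[text]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    # type 1 = info, 2 = warning, 3 = error; only warnings and errors are returned.
    $rx = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"[^>]*?type="(?<type>\d)"'
    Get-Content -LiteralPath $Path | ForEach-Object {
        if ($_ -match $rx -and [int]$Matches.type -ge 2) {
            [pscustomobject]@{ Date = $Matches.date; Time = $Matches.time; Type = $Matches.type; Message = $Matches.msg }
        }
    }
}

Get-WdacEnforcementState
Get-WdacEvents | Sort-Object Time -Descending | Format-Table -AutoSize
Get-DeviceGuardHandlerErrors | Format-Table -AutoSize
```

If Get-WdacEnforcementState reports Off for user-mode CI while the console shows the policy as compliant, the device is in the not-yet-restarted state the security section below warns about: the policy has been delivered but nothing is enforced until the restart.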

Security and privacy information for Windows Defender Application Control
- In this pre-release version, do not deploy Windows Defender Application Control policies with the enforcement mode Audit Only in a production environment. This mode is intended to help you test the capability in a lab setting only.
- Devices that have a policy deployed to them in Audit Only or Enforcement Enabled mode, but that have not been restarted to enforce the policy, are vulnerable to untrusted software being installed. In this situation, the software might continue to be allowed to run even if the device restarts or receives a policy in Enforcement Enabled mode.
- To ensure that the Windows Defender Application Control policy is effective, prepare the device in a lab environment. Then, deploy the Enforcement Enabled policy, and finally, restart the device before you give the device to an end user.
- Do not deploy a policy with Enforcement Enabled, and then later deploy a policy with Audit Only to the same device. This configuration might result in untrusted software being allowed to run.
- When you use Configuration Manager to enable Windows Defender Application Control on client PCs, the policy does not prevent users with local administrator rights from circumventing the Application Control policies or otherwise executing untrusted software.
- The only way to prevent users with local administrator rights from disabling Application Control is to deploy a signed binary policy. This deployment is possible through Group Policy but not currently supported in Configuration Manager.
- Setting up Configuration Manager as a Managed Installer on client PCs uses AppLocker policy. AppLocker is only used to identify Managed Installers; all enforcement happens with Windows Defender Application Control.

Next steps
Manage antimalware policies and firewall settings
Manage antimalware policies and firewall settings
4/20/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Use the information in this topic to help you manage Endpoint Protection antimalware policies and Windows
Firewall policies, to perform on-demand scans, to force computers to download the latest available definitions, and
to remediate detected malware.

Manage antimalware policies
In the Assets and Compliance workspace, expand Endpoint Protection, choose Antimalware Policies, select
the antimalware policy that you want to manage, and then select a management task.
The following tasks are available.

Task: Increase Priority
Details: If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to increase the priority by which the selected antimalware policy is applied. Use the Order column to see the order in which the policies are applied. The antimalware policy that has the highest priority is always applied first.

Task: Decrease Priority
Details: If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to decrease the priority by which the selected antimalware policy is applied. Use the Order column to view the order in which the policies are applied.

Task: Merge
Details: Merges the two selected antimalware policies. In the Merge Policies dialog box, enter a name for the new, merged policy. The Base policy is the antimalware policy that is merged with this new antimalware policy.
Note: If two settings conflict, the most secure setting is applied to computers.

Task: Deploy
Details: Opens the Select Collection dialog box. Select the collection to which you want to deploy the antimalware policy, and then choose OK.

Manage Windows Firewall policies
In the Assets and Compliance workspace, choose Endpoint Protection > Windows Firewall Policies, select
the Windows Firewall policy that you want to manage, and then select a management task.
The following tasks are available.

Task: Increase Priority
Details: If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option to increase the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in which the policies are applied.

Task: Decrease Priority
Details: If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option to decrease the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in which the policies are applied.

Task: Deploy
Details: Opens the Deploy Windows Firewall Policy dialog box, from where you can deploy the firewall policy to a collection.

How to perform an on-demand scan of computers
You can perform a scan of a single computer, multiple computers, or a collection of computers in the Configuration
Manager console. This scan occurs in addition to any scheduled scans.

NOTE
If any of the computers that you select do not have the Endpoint Protection client installed, the on-demand scan option is
unavailable.

To perform an on-demand scan of computers
1. In the Configuration Manager console, choose Assets and Compliance.
2. In the Devices or Device Collections node, select the computer or collection of computers that you want to scan.
3. On the Home tab, in the Collection group, click Endpoint Protection, and then click Full Scan or Quick Scan.
The scan will take place when the computer or collection of computers next downloads client policy. To
monitor the results from the scan, use the procedures in How to monitor Endpoint Protection.

How to force computers to download the latest definition files
You can force a single computer, multiple computers, or a collection of computers to download the latest definition
files from the Configuration Manager console.

NOTE
If any of the computers that you select do not have the Endpoint Protection client installed, the Download Definition
option is unavailable.

To force computers to download the latest definition files
1. In the Devices or Device Collections node, select the computer or collection of computers for which you want to download definitions.
2. On the Home tab, in the Collection group, choose Endpoint Protection, and then click Download Definition. The download will take place when the computer or collection of computers next downloads client policy.

NOTE
Use the Endpoint Protection Status node under Security in the Monitoring workspace to discover clients that
have out-of-date definitions.
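The two console actions above take effect only on the next client policy cycle, and the status node tells you after the fact which clients are stale. The script below is an added example, not from the Configuration Manager documentation or the product: it uses the Windows Defender PowerShell cmdlets over PowerShell remoting to report signature age across a set of computers right now, trigger the same definition download and quick scan on the stale ones, and leave the Configuration Manager policy untouched. The computer names and the three-day threshold are constructed for the example; the Defender module and remoting must be available on the targets.

```powershell
# Added example (not from the Configuration Manager docs): the local Defender
# equivalent of "Download Definition" and "Quick Scan", driven from one admin
# session over PowerShell remoting. Names and threshold below are constructed.

$computers  = @('WGB-WS001', 'WGB-WS002', 'WGB-SRV01')   # constructed names
$maxAgeDays = 3

function Get-DefinitionStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # Get-MpComputerStatus reports signature age in days plus the last scan times.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $s = Get-MpComputerStatus
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            SignatureAge  = $s.AntivirusSignatureAge
            SignatureDate = $s.AntivirusSignatureLastUpdated
            Signature     = $s.AntivirusSignatureVersion
            RealTime      = $s.RealTimeProtectionEnabled
            LastQuickScan = $s.QuickScanEndTime
        }
    }
}

function Invoke-StaleDefinitionUpdate {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$MaxAgeDays = 3,
        [switch]$QuickScanAfter
    )
    $status = Get-DefinitionStatus -ComputerName $ComputerName
    $stale  = $status | Where-Object { $_.SignatureAge -gt $MaxAgeDays }
    $doScan = [bool]$QuickScanAfter
    foreach ($c in $stale) {
        Write-Output "$($c.Computer): signatures are $($c.SignatureAge) days old, updating"
        Invoke-Command -ComputerName $c.Computer -ScriptBlock {
            # Uses the update-source order the client's antimalware policy already defines.
            Update-MpSignature
            if ($using:doScan) { Start-MpScan -ScanType QuickScan }
        }
    }
    $status | Sort-Object SignatureAge -Descending
}

Invoke-StaleDefinitionUpdate -ComputerName $computers -MaxAgeDays $maxAgeDays -QuickScanAfter |
    Format-Table -AutoSize
```

A computer that never reaches the Configuration Manager software update point shows up here with a growing SignatureAge even when the console reports the deployment as compliant, which is the case the status node is meant to catch.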

Remediate detected malware
When malware is detected on client computers, it's displayed in the Malware Detected node under
Endpoint Protection Status under Security in the Monitoring workspace of the Configuration Manager
console. Select an item from the Malware Detected list, and then use one of the following management tasks to
remediate or allow the detected malware:
- Allow this threat - Creates an antimalware policy to allow the selected malware. The policy is deployed to the All Systems collection and can be monitored in the Client Operations node of the Monitoring workspace.
- Restore files quarantined by this threat - Opens the Restore quarantined files dialog box where you can select one of the following options:
  - Run the allow-threat or exclusion operation first to assure that files are not put back into quarantine - Restores the files that were quarantined because of the detected malware and also excludes the files from malware scans. If you do not exclude the files from malware scans, they will be quarantined again when the next scan runs.
  - Restore files without a dependency on the allow or exclusion job - Restores the quarantined files but does not add them to the exclusion list.
- View infected clients - Displays a list of all clients that were infected by the selected malware.
- Exclude selected files or paths from scan - When you select this option from the malware details pane, the Exclude files and paths dialog box opens where you can specify the files and folders that you want to exclude from malware scans.
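The console tasks above act on the whole hierarchy (the allow policy goes to All Systems). The script below is an added example, not from the Configuration Manager documentation or the product: it shows the per-client counterparts with the Windows Defender cmdlets, so you can confirm on one machine what a detection touched before you allow it or exclude a path everywhere. The threat ID and exclusion path in the commented-out calls are constructed placeholders, and the SeverityID values in the comment are taken from Defender's own threat data, not from this page.

```powershell
# Added example (not from the Configuration Manager docs): local Defender
# counterparts to the "Malware Detected" tasks. Threat ID and path at the
# bottom are constructed placeholders, not real detections.

function Get-ThreatSummary {
    # One row per threat ID: which signature fired, how often, on what, and whether
    # Defender's action succeeded. Get-MpThreat describes the signature,
    # Get-MpThreatDetection records each detection.
    $byId = @{}
    Get-MpThreat | ForEach-Object { $byId[[string]$_.ThreatID] = $_ }
    Get-MpThreatDetection | Group-Object -Property ThreatID | ForEach-Object {
        $t      = $byId[$_.Name]
        $latest = $_.Group | Sort-Object InitialDetectionTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            ThreatID   = $_.Name
            Name       = $t.ThreatName
            Severity   = $t.SeverityID          # 1 low, 2 moderate, 4 high, 5 severe
            Detections = $_.Count
            LastSeen   = $latest.InitialDetectionTime
            Remediated = -not ($_.Group | Where-Object { -not $_.ActionSuccess })
            Resources  = ($_.Group.Resources | Select-Object -Unique) -join '; '
        }
    }
}

function Set-ThreatAllowed {
    # "Allow this threat" for this client only: future hits on the ID are allowed.
    param([Parameter(Mandatory)][long]$ThreatID)
    Add-MpPreference -ThreatIDDefaultAction_Ids $ThreatID -ThreatIDDefaultAction_Actions Allow
}

function Add-ScanExclusion {
    # "Exclude selected files or paths from scan": a standing blind spot, keep it narrow.
    param([Parameter(Mandatory)][string[]]$Path)
    Add-MpPreference -ExclusionPath $Path
    (Get-MpPreference).ExclusionPath
}

Get-ThreatSummary | Sort-Object LastSeen -Descending | Format-Table -AutoSize
# Only once investigation confirms a false positive (constructed values):
# Set-ThreatAllowed -ThreatID 2147519003
# Add-ScanExclusion -Path 'C:\LOB\Legacy\installer.exe'
```

The Remediated column is the fastest way to find the detections the next article's "Detected threat can't be remediated" section is about: a False there with a Resources entry inside an archive or on a UNC path is exactly that case.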
Example scenario: Use Endpoint Protection to protect computers from malware
4/20/2020 • 7 minutes to read

Applies to: Configuration Manager (current branch)


This article provides an example scenario for how you can implement Endpoint Protection in Configuration
Manager to protect computers in your organization from malware attacks.

Scenario overview
Configuration Manager is installed and used at Woodgrove Bank. The bank currently uses System Center Endpoint
Protection to protect computers against malware attacks. Additionally, the bank uses Windows Group Policy to
ensure that the Windows Firewall is enabled on all computers in the company and that users are notified when
Windows Firewall blocks a new program.
The Configuration Manager administrators have been asked to upgrade the Woodgrove Bank antimalware
software to System Center Endpoint Protection so that the bank can benefit from the latest antimalware features
and be able to centrally manage the antimalware solution from the Configuration Manager console.

Business requirements
This implementation has the following requirements:
- Use Configuration Manager to manage the Windows Firewall settings that are currently managed by Group Policy.
- Use Configuration Manager software updates to download malware definitions to computers. If software updates aren't available, for example if the computer isn't connected to the corporate network, computers must download definition updates from Microsoft Update.
- Users' computers must perform a quick malware scan every day. Servers, however, must run a full scan every Saturday, outside business hours, at 1 A.M.
- Send an email alert whenever any one of the following events occurs:
  - Malware is detected on any computer
  - The same malware threat is detected on more than 5 percent of computers
  - The same malware threat is detected more than 5 times in any 24-hour period
  - More than 3 different types of malware are detected in any 24-hour period
The admins then do the following steps to implement Endpoint Protection:

Steps to implement Endpoint Protection

Process: The admins review the available information about the basic concepts for Endpoint Protection in Configuration Manager.
Reference: For overview information about Endpoint Protection, see Endpoint Protection.

Process: The admins review and implement the required prerequisites to use Endpoint Protection.
Reference: For information about the prerequisites for Endpoint Protection, see Planning for Endpoint Protection.

Process: The admins install the Endpoint Protection site system role on one site system server only, at the top of the Woodgrove Bank hierarchy.
Reference: For more information about how to install the Endpoint Protection site system role, see "Prerequisites" in Configure Endpoint Protection.

Process: The admins configure Configuration Manager to use an SMTP server to send the email alerts.
Note: You must configure an SMTP server only if you want to be notified by email when an Endpoint Protection alert is generated.
Reference: For more information, see Configure alerts in Endpoint Protection.

Process: The admins create a device collection that contains all computers and servers on which to install the Endpoint Protection client. They name this collection All Computers Protected by Endpoint Protection.
Tip: You can't configure alerts for user collections.
Reference: For more information about how to create collections, see How to create collections.

Process: The admins configure the following alerts for the collection:
1) Malware is detected: The admins configure an alert severity of Critical.
2) The same type of malware is detected on a number of computers: The admins configure an alert severity of Critical and specify that the alert will be generated when more than 5 percent of computers have malware detected.
3) The same type of malware is repeatedly detected within the specified interval on a computer: The admins configure an alert severity of Critical and specify that the alert will be generated when malware is detected more than 5 times in a 24-hour period.
4) Multiple types of malware are detected on the same computer within the specified interval: The admins configure an alert severity of Critical and specify that the alert will be generated when more than 3 types of malware are detected in a 24-hour period.
The value for Alert Severity indicates the alert level that will be displayed in the Configuration Manager console and in alerts that they receive in an email message.
They additionally select the option View this collection in the Endpoint Protection dashboard so that they can monitor the alerts in the Configuration Manager console.
Reference: See "Configure Alerts for Endpoint Protection" in Configuring Endpoint Protection.

Process: The admins configure Configuration Manager software updates to download and deploy definition updates three times a day by using an automatic deployment rule.
Reference: For more information, see the "Using Configuration Manager Software Updates to Deliver Definition Updates" section in Use Configuration Manager software updates to deliver definition updates.

Process: The admins examine the settings in the default antimalware policy, which contains recommended security settings from Microsoft. For computers to perform a quick scan every day, they change the following settings:
1) Run a daily quick scan on client computers: Yes.
2) Daily quick scan schedule time: 9:00 AM.
The admins note that Updates distributed from Microsoft Update is selected by default as a definition update source. This fulfills the business requirement that computers download definitions from Microsoft Update when they can't receive Configuration Manager software updates.
Reference: See How to create and deploy antimalware policies for Endpoint Protection.

Process: The admins create a collection that contains only the Woodgrove Bank servers, named Woodgrove Bank Servers.
Reference: See How to create collections.

Process: The admins create a custom antimalware policy named Woodgrove Bank Server Policy. They add only the settings for Scheduled scans and make the following changes:
Scan type: Full
Scan day: Saturday
Scan time: 1:00 AM
Run a daily quick scan on client computers: No.
Reference: See How to create and deploy antimalware policies for Endpoint Protection.

Process: The admins deploy the Woodgrove Bank Server Policy custom antimalware policy to the Woodgrove Bank Servers collection.
Reference: See "To deploy an antimalware policy to client computers" in the How to create and deploy antimalware policies for Endpoint Protection article.

Process: The admins create a new set of custom client device settings for Endpoint Protection and name these Woodgrove Bank Endpoint Protection Settings.
Note: If you don't want to install and enable Endpoint Protection on all clients in your hierarchy, make sure that the options Manage Endpoint Protection client on client computers and Install Endpoint Protection client on client computers are both configured as No in the default client settings.
Reference: For more information, see Configure Custom Client Settings for Endpoint Protection.

Process: They configure the following settings for Endpoint Protection:
Manage Endpoint Protection client on client computers: Yes. This setting and value ensures that any existing Endpoint Protection client that is installed becomes managed by Configuration Manager.
Install Endpoint Protection client on client computers: Yes.
Note: Starting in Configuration Manager 1802, Windows 10 devices don't need to have the Endpoint Protection agent installed. If it's already installed on Windows 10 devices, Configuration Manager won't remove it. Administrators can remove the Endpoint Protection agent on Windows 10 devices that are running at least the 1802 client version.
Reference: For more information, see Configure Custom Client Settings for Endpoint Protection.

Process: The admins deploy the Woodgrove Bank Endpoint Protection Settings client settings to the All Computers Protected by Endpoint Protection collection.
Reference: See "Configure Custom Client Settings for Endpoint Protection" in Configuring Endpoint Protection in Configuration Manager.

Process: The admins use the Create Windows Firewall Policy Wizard to create a policy by configuring the following settings for the domain profile:
1) Enable Windows Firewall: Yes
2) Notify the user when Windows Firewall blocks a new program: Yes
Reference: See How to create and deploy Windows Firewall policies for Endpoint Protection.

Process: The admins deploy the new firewall policy to the collection All Computers Protected by Endpoint Protection that they created earlier.
Reference: See "To deploy a Windows Firewall policy" in How to create and deploy Windows Firewall policies for Endpoint Protection.

Process: The admins use the available management tasks for Endpoint Protection to manage antimalware and Windows Firewall policies, perform on-demand scans of computers when necessary, force computers to download the latest definitions, and specify any further actions to take when malware is detected.
Reference: See How to manage antimalware policies and firewall settings for Endpoint Protection.

Process: The admins use the following methods to monitor the status of Endpoint Protection and the actions that are taken by Endpoint Protection:
1) By using the Endpoint Protection Status node under Security in the Monitoring workspace.
2) By using the Endpoint Protection node in the Assets and Compliance workspace.
3) By using the built-in Configuration Manager reports.
Reference: See How to monitor Endpoint Protection.

The admins report a successful implementation of Endpoint Protection to their manager, and confirm that the
computers at Woodgrove Bank are now protected from malware, according to the business requirements that
they were given.
Next steps
For more information, see How to Configure Endpoint Protection
Endpoint Protection Client Help
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This version of Windows Defender or Endpoint Protection includes the following features to help protect your
computer from threats:
- Windows Firewall integration. Endpoint Protection setup enables you to turn on or off Windows Firewall.
- Network Inspection System. This feature enhances real-time protection by inspecting network traffic to help proactively block exploitation of known network-based vulnerabilities.
- Protection engine. Real-time protection finds and stops malware from installing or running on your PC. The updated engine offers enhanced detection and cleanup capabilities with better performance.
Windows Defender comes as part of the Windows 10 operating system. On earlier versions of Windows, your
administrator can provide either Windows Defender or Endpoint Protection using management software.
You can also find a list of frequently asked questions for Windows Defender and Endpoint Protection. For help
troubleshooting, see Troubleshooting Windows Defender or Endpoint Protection client. For a list of new features,
see What's new in the Windows Defender client.

Windows Firewall integration
Windows Firewall can help prevent attackers or malicious software from gaining access to your computer through
the Internet or a network. Now when you install Endpoint Protection, the installation wizard verifies that Windows
Firewall is turned on. If you have intentionally turned off Windows Firewall, you can avoid turning it on by clearing
a check box. You can change your Windows Firewall settings at any time via the System and Security settings in
Control Panel.

Network Inspection System


Attackers are increasingly carrying out network-based attacks against exposed vulnerabilities before software
vendors can develop and distribute security updates. Studies of vulnerabilities show that it can take a month or
longer from the time of an initial attack report before a suitable security update is developed, tested, and released.
This gap in protection leaves many computers vulnerable to attacks and exploitation for a substantial period of
time. Network Inspection System works with real-time protection to better protect you against network-based
attacks by greatly reducing the timespan between vulnerability disclosures and update deployment from weeks to
a few hours.

Award-winning protection engine


Under the hood of Windows Defender or Endpoint Protection is its award-winning protection engine that is
updated regularly. The engine is backed by a team of antimalware researchers from the Microsoft Malware
Protection Center, providing responses to the latest malware threats 24 hours a day.

Windows Defender settings
Windows Defender settings help protect your PC from malicious software. Your administrator
might manage some Windows Defender settings for you. You can manage others using the Windows Defender
settings. We recommend you enable Windows Defender settings to help protect your PC and data.
To view Windows Defender settings, search for Windows Defender on your PC. Open Windows Defender and
select Settings. Windows Defender settings include:
- Real-time protection - Find and stop malware from installing or running on your PC.
- Cloud-based Protection - Windows Defender sends info to Microsoft about potential security threats.
- Automatic sample submission - Allow Windows Defender to send samples of suspicious files to Microsoft to help improve malware detection.
- Exclusions - You can exclude specific files, folders, file extensions, or processes from Windows Defender scanning.
- Enhanced notification - Enables notifications that inform you about the health of your PC. Even when this setting is off, you still receive critical notifications.
- Windows Defender Offline - You can run Windows Defender Offline to help find and remove malicious software. This scan will restart your PC and will take about 15 minutes.
See also
Endpoint Protection client frequently asked questions
Troubleshooting Windows Defender or Endpoint Protection client
Troubleshoot Windows Defender or Endpoint Protection client
4/20/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


If you come across problems with Windows Defender or Endpoint Protection, use this article to troubleshoot the
following problems:
- Update Windows Defender or Endpoint Protection
- Starting the Windows Defender or Endpoint Protection service
- Internet connection issues
- Detected threat can't be remediated

Update Windows Defender or Endpoint Protection
Symptoms
Windows Defender or Endpoint Protection works automatically with Microsoft Update to make sure that your
virus and spyware definitions are kept up-to-date.
This section addresses common issues with automatic updates, including the following situations:
- You see error messages indicating that updates have failed.
- When you check for updates, you receive an error message that the virus and spyware definition updates can't be checked, downloaded, or installed.
- Even though your device is connected to the internet, the updates fail.
- Updates aren't automatically installing as scheduled.
Causes
The most common causes for update issues are problems with internet connectivity. If you know your device is
connected to the internet because you can browse to other web sites, the issue might be caused by conflicts with
your internet settings in Windows.
Options to resolve
Step 1: Reset your internet settings
1. Exit all open programs, including the web browser.

NOTE
When you reset these internet settings, it may delete your browser temporary files, cookies, browsing history, and
online passwords. It doesn't delete your favorites.

2. Go to the Start menu, and open inetcpl.cpl.
3. Switch to the Advanced tab.
4. In the section to Reset Internet Explorer settings, select Reset, and then select Reset again to confirm.
5. Select OK when the settings are reset.
6. Try to update Windows Defender again.
If the issue persists, continue to the next step.
Step 2: Make sure that the date and time are set correctly on your computer
If the error message contains the code 0x80072f8f, the problem is most likely caused by an incorrect date or time
setting on your computer. Go to the Start menu, select Settings, select Time & language, and select Date & time.
Step 3: Rename the Software Distribution folder on your computer
1. Stop the Windows Update service.
   a. Go to Start, and open services.msc.
   b. Select the Windows Update service. Go to the Action menu, and select Stop.
2. Rename the SoftwareDistribution directory.
   a. Open a command prompt as an administrator.
   b. Enter the following commands:
      cd %windir%
      ren SoftwareDistribution SDTemp
      exit
3. Restart the Windows Update service.
   a. Switch back to the Services window.
   b. Select the Windows Update service. Go to the Action menu, and select Start.
   c. Close the Services window.
Step 4: Reset the Microsoft antivirus update engine on your computer
1. Open a command prompt as an administrator.
2. Enter the following commands:
      cd \
      cd program files\windows defender
      MpCmdRun -RemoveDefinitions -all
      exit
3. Restart the computer.
4. Try to update Windows Defender again.
If the issue persists, continue to the next step.
Step 5: Manually install the definition updates
Manually download the latest updates.
Step 6: Contact Microsoft support
If these steps didn't resolve the issue, contact Microsoft support. For more information, see Support options and
community resources.
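Steps 2 through 4 above are the same few operations on every machine, so they are worth scripting. The block below is an added example, not from the Configuration Manager documentation or the product: it runs those steps from an elevated PowerShell session and then retries the update with the Defender cmdlets. It assumes, from Windows rather than from this page, that the Windows Update service is named wuauserv, that MpCmdRun.exe lives under $env:ProgramFiles\Windows Defender, and that w32tm can reach a time source; it also gives the renamed folder a timestamp so a second run does not collide with an earlier SDTemp.

```powershell
# Added example (not from the Configuration Manager docs): Steps 2 to 4 of the
# update-troubleshooting procedure, then a retry, in one elevated session.
# Assumed from Windows, not this page: service name wuauserv, MpCmdRun.exe
# location, and that w32tm has a reachable time source.

function Reset-DefenderUpdateComponents {
    [CmdletBinding()]
    param()

    # Step 2: 0x80072f8f is a certificate-validity error caused by a wrong clock.
    & w32tm /resync | Out-Null
    Write-Verbose ("Local time after resync: {0}" -f (Get-Date))

    # Step 3: stop Windows Update, set the download cache aside, start it again.
    Stop-Service -Name wuauserv -Force -ErrorAction Stop
    $sd = Join-Path $env:WINDIR 'SoftwareDistribution'
    if (Test-Path -LiteralPath $sd) {
        $newName = 'SDTemp_' + (Get-Date -Format 'yyyyMMddHHmmss')
        Rename-Item -LiteralPath $sd -NewName $newName -ErrorAction Stop
        Write-Verbose "Renamed SoftwareDistribution to $newName"
    }
    Start-Service -Name wuauserv

    # Step 4: drop the installed definitions so the next update is a full download.
    $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mpCmdRun -RemoveDefinitions -All | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "MpCmdRun -RemoveDefinitions returned $LASTEXITCODE" }

    # Retry the update and show what is installed now.
    Update-MpSignature -ErrorAction Stop
    Get-MpComputerStatus |
        Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AntivirusSignatureAge
}

Reset-DefenderUpdateComponents -Verbose
```

The page's Step 4 ends with a restart of the computer; if Update-MpSignature still fails after this script, restart before concluding that the problem lies elsewhere.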
Starting Windows Defender or Endpoint Protection service
Symptom
You receive a message notifying you that Windows Defender or Endpoint Protection isn't monitoring your
computer because the program's ser vice stopped. You should restar t it now.
Solution
Step 1: Restart your computer
Close all applications and restart your computer.
Step 2: Check the Windows service
1. Go to Star t , and open ser vices.msc .
2. Select the Windows Defender Antivirus Ser vice .
3. Make sure that the Star tup Type is set to Automatic .
4. Go to the Action menu and select Star t .
a. If this action isn't available, select Stop . Wait for the service to stop, and then select the Star t action to
restart the service.
Note any errors that may appear during this process. Contact Microsoft Support and provide the error
information.
Step 3: Remove any third-party security programs

NOTE
Some security applications don't uninstall completely. You may need to download and run a cleanup utility for your previous
security application to completely remove it.

1. Go to Star t and open appwiz.cpl .


2. In the list of installed programs, uninstall any third-party security programs.
3. Restart your computer.
Caution

When you remove security programs, your computer may be unprotected. If you have problems installing
Windows Defender after you remove existing security programs, contact Microsoft Support. Select the Security
product family, and then the Windows Defender product.

Internet connection issues


For your computer to receive the latest updates from Windows Update, connect it to the internet.
1. Go to Start and open ncpa.cpl.
2. Open the connection name to view the connection Status .
3. If your computer is connected, the IPv4 connectivity and/or IPv6 connectivity status is Internet .
4. If your computer doesn't appear to be connected, select the connection name, and select Diagnose this
connection .
Close any open programs and restart your computer.

Detected threat can't be remediated


When Windows Defender or Endpoint Protection detects a potential threat, it tries to mitigate the threat by
quarantining or removing the threat. These threats can hide inside a compressed archive ( .zip ) or in a network
share.
Remove or scan the file
If the detected threat was in a compressed archive file, browse to the file. Delete the file, or manually scan it.
Right-click the file and select Scan with Windows Defender . If Windows Defender detects additional
threats in the file, it notifies you. Then you can choose an appropriate action.
If the detected threat was in a network share, open the share, and manually scan it. Right-click the file and
select Scan with Windows Defender . If Windows Defender detects additional threats in the network
share, it notifies you. Then you can choose an appropriate action.
If you're not sure of the file's origin, run a full scan on your computer. A full scan may take some time to
complete.

See also
Endpoint Protection client frequently asked questions
Endpoint Protection client help
Endpoint Protection client frequently asked questions
5/8/2020 • 16 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


This FAQ is for computer users whose IT administrator has deployed Windows Defender or Endpoint Protection to
their managed computer. The content here might not apply to other antimalware software. Microsoft System
Center Endpoint Protection manages Windows Defender on Windows 10. It can also deploy and manage the
Endpoint Protection client to computers before Windows 10. While Windows Defender is described in this article,
its information also applies to Endpoint Protection.
Why do I need antivirus and antispyware software?
How can I tell if my computer is infected with malicious software?
How can I find the version of Windows Defender?
What should I do if Windows Defender or Endpoint Protection detects malicious software on my computer?
What is a virus?
What is spyware?
What's the difference between viruses, spyware, and other potentially harmful software?
Where do viruses, spyware, and other potentially unwanted software come from?
Can I get malicious software without knowing it?
Why is it important to review license agreements before installing software?
What's the difference between Endpoint Protection and Windows Defender?
Why doesn't Windows Defender detect cookies?
How can I prevent malware?
What are virus and spyware definitions?
How do I keep virus and spyware definitions up to date?
How do I remove or restore items quarantined by Windows Defender or Endpoint Protection?
What is real-time protection?
How do I know that Windows Defender or Endpoint Protection is running on my computer?
How to set up Windows Defender or Endpoint Protection alerts?

Why do I need antivirus and antispyware software?


It is critical to make sure that your computer is running software that protects against malicious software.
Malicious software, which includes viruses, spyware, or other potentially unwanted software can try to install itself
on your computer any time you connect to the Internet. It can also infect your computer when you install a
program using a CD, DVD, or other removable media. Malicious software can also be programmed to run at
unexpected times, not just when it is installed.
Windows Defender or Endpoint Protection offers three ways to help keep malicious software from infecting your
computer:
Using real-time protection - Real-time protection enables Windows Defender to monitor your computer
all the time and alert you when malicious software, including viruses, spyware, or other potentially
unwanted software attempts to install itself or run on your computer. Windows Defender then suspends the
software and enables you to follow its recommendation on the software or take an alternative action.
Scanning options - You can use Windows Defender to scan for potential threats, such as viruses, spyware,
and other malicious software that might put your computer at risk. You can also use it to schedule scans on
a regular basis and to remove malicious software that is detected during a scan.
Microsoft Active Protection Service community - The online Microsoft Active Protection Service
community helps you see how other people respond to software that has not yet been classified for risks.
You can use this information to help you choose whether to allow this software on your computer. In turn, if
you participate, your choices are added to the community ratings to help other people decide what to do.

How can I tell if my computer is infected with malicious software?


You might have some form of malicious software, including viruses, spyware, or other potentially unwanted
software, on your computer if:
You notice new toolbars, links, or favorites that you did not intentionally add to your Web browser.
Your home page, mouse pointer, or search program changes unexpectedly.
You type the address for a specific site, such as a search engine, but you are taken to a different Web site
without notice.
Files are automatically deleted from your computer.
Your computer is used to attack other computers.
You see pop-up ads, even if you're not on the Internet.
Your computer suddenly starts running more slowly than it usually does. Not all computer performance
problems are caused by malicious software, but malicious software, especially spyware, can cause a
noticeable change.
There might be malicious software on your computer even if you don't see any symptoms. This type of software
can collect information about you and your computer without your knowledge or consent. To help protect your
privacy and your computer, you should run Windows Defender or Endpoint Protection at all times.

How can I find the version of Windows Defender?


To view the version of Windows Defender running on your computer, open Windows Defender (click Start and
then search for Windows Defender), click Settings, and scroll to the bottom of the Windows Defender settings
to find Version info.

What should I do if Windows Defender or Endpoint Protection detects malicious software on my computer?
If Windows Defender detects malicious software or potentially unwanted software on your computer (either when
monitoring your computer using real-time protection or after running a scan), it notifies you about the detected
item by displaying a notification message in the bottom right-hand corner of your screen.
The notification message includes a Clean computer button and a Show details link that lets you view
additional information about the detected item. Click the Show details link to open the Potential threat details
window to get additional information about the detected item. You can now choose which action to apply to the
item, or click Clean computer . If you need help determining which action to apply to the detected item, use the
alert level that Windows Defender assigned to the item as your guide (for more information see, Understanding
alert levels).
Alert levels help you choose how to respond to viruses, spyware, and other potentially unwanted software. While
Windows Defender will recommend that you remove all viruses and spyware, not all software that is flagged is
malicious or unwanted. The following information can help you decide what to do if Windows Defender detects
potentially unwanted software on your computer.
Depending on the alert level, you can choose one of the following actions to apply to the detected item:
Remove - This action permanently deletes the software from your computer.
Quarantine - This action quarantines the software so that it can't run. When Windows Defender
quarantines software, it moves it to another location on your computer, and then prevents the software
from running until you choose to restore it or remove it from your computer.
Allow - This action adds the software to the Windows Defender allowed list and allows it to run on your
computer. Windows Defender will stop alerting you to risks that the software might pose to your privacy or
to your computer.
If you choose Allow for an item, such as software, Windows Defender will stop alerting you to risks that the
software might pose to your privacy or to your computer. Therefore, add software to the allowed list only if
you trust the software and the software publisher.
How to remove potentially harmful software
To remove all unwanted or potentially harmful items that Windows Defender detects quickly and easily, use the
Clean computer option.
1. When you see the notification message that displays in the Notification area after it detects potential
threats, click Clean computer .
2. Windows Defender removes the potential threat (or threats), and then notifies you when it's finished
cleaning your computer.
3. To learn more about the detected threats, click the History tab, and then select All detected items.
4. If you don't see all the detected items, click View details . If you're prompted for an administrator password
or confirmation, type the password or confirm the action.

NOTE
During computer cleanup, whenever possible, Windows Defender removes only the infected part of a file, not the entire file.

What is a virus?
Computer viruses are software programs deliberately designed to interfere with computer operation, to record,
corrupt, or delete data, or to infect other computers throughout the Internet. Viruses often slow things down and
cause other problems in the process.

What is spyware?
Spyware is software that can install itself or run on your computer without getting your consent or providing you
with adequate notice or control. Spyware might not display symptoms after it infects your computer, but many
malicious or unwanted programs can affect how your computer runs. For example, spyware can monitor your
online behavior or collect information about you (including information that can identify you or other sensitive
information), change settings on your computer, or cause your computer to run slowly.

What's the difference between viruses, spyware, and other potentially harmful software?
Both viruses and spyware are installed on your computer without your knowledge and both have the potential to
be intrusive and destructive. They also have the ability to capture information on your computer and damage or
delete that information. They both can negatively affect your computer's performance.
The main difference between viruses and spyware is how they behave on your computer. Viruses, like living
organisms, want to infect a computer, replicate, and then spread to as many other computers as possible. Spyware,
however, is more like a mole - it wants to "move into" your computer and stay there as long as possible, sending
valuable information about your computer to an outside source while it is there.

Where do viruses, spyware, and other potentially unwanted software come from?
Unwanted software, such as viruses, can be installed by Web sites or by programs that you download or that you
install using a CD, DVD, external hard disk, or a device. Spyware is most commonly installed through free software,
such as file sharing, screen savers, or search toolbars.

Can I get malicious software without knowing it?


Yes, some malicious software can be installed from a website through an embedded script or program in a
webpage. Some malicious software requires your help to install it. This software uses Web pop-ups or free
software that requires you to accept a downloadable file. However, if you keep Microsoft Windows® up to date
and don't reduce your security settings, you can minimize the chances of an infection.

Why is it important to review license agreements before installing software?
When you visit websites, do not automatically agree to download anything the site offers. If you download free
software, such as file sharing programs or screen savers, read the license agreement carefully. Look for clauses
that say that you must accept advertising and pop-ups from the company, or that the software will send certain
information back to the software publisher.

What's the difference between Endpoint Protection and Windows Defender?
Endpoint Protection is antimalware software, which means that it's designed to detect and help protect your
computer against a wide range of malicious software, including viruses, spyware, and other potentially unwanted
software. Windows Defender, which is automatically installed with your Windows operating system, is software
that detects and stops spyware.

Why doesn't Windows Defender detect cookies?


Cookies are small text files that websites put on your computer to store information about you and your
preferences. Websites use cookies to offer you a personalized experience and to gather information about website
use. Windows Defender doesn't detect cookies because it doesn't consider them a threat to your privacy or to the
security of your computer. Most internet browser programs allow you to block cookies.

How can I prevent malware?


Two of the biggest concerns for computer users today are viruses and spyware. In both cases, while these can be a
problem, you can defend yourself against them easily enough with just a little bit of planning:
Keep your computer's software current and remember to install all patches. Remember to update your
operating system on a regular basis.
Make sure your antivirus and antispyware software, Windows Defender, is using the latest updates against
potential threats (see How do I keep virus and spyware definitions up to date?). Also make sure you're
always using the latest version of Windows Defender.
Only download updates from reputable sources. For Windows operating systems, always go to the
Microsoft Update catalog. For other software, always use the legitimate websites of the company or person
who produces it.
If you receive an e-mail with an attachment and you're unsure of the source, then you should delete it
immediately. Don't download any applications or files from unknown sources, and be careful when trading
files with other users.
Install and use a firewall. It is recommended that you enable Windows Firewall.

What are virus and spyware definitions?


When you use Windows Defender or Endpoint Protection, it is important to have up-to-date virus and spyware
definitions. Definitions are files that act like an ever-growing encyclopedia of potential software threats. Windows
Defender or Endpoint Protection uses definitions to determine if software that it detects is a virus, spyware, or
other potentially unwanted software, and then to alert you to potential risks. To help keep your definitions up to
date, Windows Defender or Endpoint Protection works with Microsoft Update to install new definitions
automatically as they are released. You can also set Windows Defender or Endpoint Protection to check online for
updated definitions before scanning.

How do I keep virus and spyware definitions up to date?


Virus and spyware definitions are files that act like an encyclopedia of known malicious software, including viruses,
spyware, and other potentially unwanted software. Because malicious software is continually being developed,
Windows Defender or Endpoint Protection relies on up-to-date definitions to determine if software that is trying to
install, run, or change settings on your computer is a virus, spyware, or other potentially unwanted software.
To automatically check for new definitions before scheduled scans (recommended)
1. Open Windows Defender or Endpoint Protection client by clicking the icon in the notification area or
launching it from the Start menu.
2. Click Settings , and then click Scheduled scan .
3. Make sure the Check for the latest virus and spyware definitions before running a scheduled
scan check box is selected, and then click Save changes . If you're prompted for an administrator password
or confirmation, type the password or confirm the action.
To check for new definitions manually
Windows Defender or Endpoint Protection updates the virus and spyware definitions on your computer
automatically. If the definitions haven't been updated for over seven days (for example, if you didn't turn on your
computer for a week), Windows Defender or Endpoint Protection will notify you that the definitions are out of
date.
1. Open Windows Defender or Endpoint Protection client by clicking the icon in the notification area or
launching it from the Start menu.
2. To check for new definitions manually, click the Update tab and then click Update definitions .

How do I remove or restore items quarantined by Windows Defender or Endpoint Protection?
When Windows Defender or Endpoint Protection quarantines software, it moves the software to another location
on your computer, and then it prevents the software from running until you choose to restore it or to remove it
from your computer.
For all the steps mentioned in this procedure, if you're prompted for an administrator password or confirmation,
type the password or provide confirmation.
To remove or restore items quarantined by Windows Defender or Endpoint Protection
1. Click the History tab, select Quarantined items, and then select the Quarantined items option.
2. Click View details to see all of the items.
3. Review each item, and then for each, click Remove or Restore. If you want to remove all of the quarantined
items from your computer, click Remove All.

What is real-time protection?


Real-time protection enables Windows Defender to monitor your computer all the time and alert you when
potential threats, such as viruses and spyware, are trying to install themselves or run on your computer. Because
this feature is an important element of the way that Windows Defender helps protect your computer, you should
make sure real-time protection is always turned on. If real-time protection gets turned off, Windows Defender
notifies you, and changes your computer's status to at risk .
Whenever real-time protection detects a threat or potential threat, Windows Defender displays a notification. You
can now choose from the following options:
Click Clean computer to remove the detected item. Windows Defender will automatically remove the item
from your computer.
Click the Show details link to display the Potential threat details window, and then choose which action to
apply to the detected item.
You can choose the software and settings that you want Windows Defender to monitor, but we recommend
that you turn on real-time protection and enable all real-time protection options. The following table
explains the available options.

Real-time protection option: Purpose

Scan all downloads: This option monitors files and programs that are downloaded, including files that are
automatically downloaded via Windows Internet Explorer and Microsoft Outlook® Express, such as ActiveX®
controls and software installation programs. These files can be downloaded, installed, or run by the browser
itself. Malicious software, including viruses, spyware, and other potentially unwanted software, can be
included with these files and installed without your knowledge.
Using the real-time protection option, Windows Defender monitors your computer all the time and checks for
any malicious files or programs that you may have downloaded. This monitoring feature means that Windows
Defender doesn't need to slow down your browsing or e-mail experience by requiring a check of any files or
programs you may want to download.

Monitor file and program activity on your computer: This option monitors when files and programs start
running on your computer, and then it alerts you about any actions they perform and actions taken on them.
This is important, because malicious software can use vulnerabilities in programs that you have installed to
run malicious or unwanted software without your knowledge. For example, spyware can run itself in the
background when you start a program that you frequently use. Windows Defender monitors your programs and
alerts you if it detects suspicious activity.

Enable behavior monitoring: This option monitors collections of behavior for suspicious patterns that might
not be detected by traditional antivirus detection methods.

Enable Network Inspection System: This option helps protect your computer against zero day exploits of known
vulnerabilities, decreasing the window of time between the moment a vulnerability is discovered and an update
is applied.

To turn off real-time protection


1. Click Settings , and then click Real-time protection.
2. Clear the real-time protection options you want to turn off, and then click Save changes . If you're
prompted for an administrator password or confirmation, type the password or confirm the action.

How do I know that Windows Defender or Endpoint Protection is running on my computer?
After you install Windows Defender on your computer, you can close the main window and let Windows Defender
run quietly in the background. Windows Defender will continue running on your computer, monitor it, and help
protect it against threats.
Of course, you'll know that Windows Defender is running whenever it displays notification messages in the
notification area. These notifications alert you to potential threats that Windows Defender has detected.
You'll also receive other alert notifications, for example, if for some reason real-time protection has been turned
off, if you haven't updated your virus and spyware definitions for a number of days, or when upgrades to the
program become available. Windows Defender also briefly displays a notification to let you know that it's scanning
your computer.

TIP
If you don't see the Windows Defender icon in the notification area, click the arrow in the notification area to show hidden
icons, including the Windows Defender icon.

The icon color depends on your computer's current status:


Green indicates that your computer's status is "protected."
Yellow indicates that your computer's status is "potentially unprotected."
Red indicates that your computer's status is "at risk."

How to set up Windows Defender or Endpoint Protection alerts?


When Windows Defender is running on your computer, it automatically alerts you if it detects viruses, spyware, or
other potentially unwanted software. You can also set Windows Defender to alert you if you run software that has
not yet been analyzed, and you can choose to be alerted when software makes changes to your computer.
To set up alerts
1. Click Settings , and then click Real-time protection.
2. Make sure the Turn on real-time protection (recommended) check box is selected.
3. Select the check boxes next to the real-time protections options you want to run, and then click Save
changes . If you're prompted for an administrator password or confirmation, type the password or confirm
the action.
See also
Troubleshooting Windows Defender or Endpoint Protection client
Endpoint Protection Client Help
Encrypt recovery data
4/20/2020 • 6 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


When you create a BitLocker management policy, Configuration Manager deploys the recovery service to a
management point. On the Client Management page of the BitLocker management policy, when you Configure
BitLocker Management Services, the client backs up key recovery information to the site database. This
information includes BitLocker recovery keys, recovery packages, and TPM password hashes. When users are
locked out of their protected device, you can use this information to help them recover access to the device.
Given the sensitive nature of this information, you need to protect it in the following circumstances:
Configuration Manager requires an HTTPS connection between the client and the recovery service to
encrypt the data in transit across the network. There are two options:
HTTPS-enable the IIS website on the management point that hosts the recovery service, not the
entire management point role. This option only applies to Configuration Manager version 2002.
Configure the management point for HTTPS. On the properties of the management point, the Client
connections setting must be HTTPS . This option applies to Configuration Manager versions 1910
or 2002.

NOTE
The recovery service currently doesn't support Enhanced HTTP.

Consider also encrypting this data when stored in the site database. You can use SQL Server cell-level
encryption with your own certificate.
If you don't want to create a BitLocker management encryption certificate, opt-in to plain-text storage of the
recovery data. When you create a BitLocker management policy, enable the option to Allow recovery
information to be stored in plain text.

NOTE
Another layer of security is to encrypt the entire site database. If you enable encryption on the database, there
aren't any functional issues in Configuration Manager.
Encrypt with caution, especially in large-scale environments. Depending upon the tables you encrypt and the version
of SQL, you may notice up to a 25% performance degradation. Update your backup and recovery plans, so that you
can successfully recover the encrypted data.

Certificate requirements
HTTPS server authentication certificate
In Configuration Manager current branch version 1910, to integrate the BitLocker recovery service you had to
HTTPS-enable a management point. The HTTPS connection is necessary to encrypt the recovery keys across the
network from the Configuration Manager client to the management point. Configuring the management point and
all clients for HTTPS can be challenging for many customers.
Starting in version 2002, the HTTPS requirement is for the IIS website that hosts the recovery service, not the
entire management point role. This change relaxes the certificate requirements, and still encrypts the recovery
keys in transit.
Now the Client connections property of the management point can be HTTP or HTTPS . If the management
point is configured for HTTP , to support the BitLocker recovery service:
1. Acquire a server authentication certificate. Bind the certificate to the IIS website on the management point
that hosts the BitLocker recovery service.
2. Configure clients to trust the server authentication certificate. There are two methods to accomplish this
trust:
Use a certificate from a public and globally trusted certificate provider. For example, but not limited
to, DigiCert, Thawte, or VeriSign. Windows clients include trusted root certificate authorities (CAs)
from these providers. By using a server authentication certificate that's issued by one of these
providers, your clients should automatically trust it.
Use a certificate issued by a CA from your organization's public key infrastructure (PKI). Most PKI
implementations add the trusted root CAs to Windows clients. For example, using Active Directory
Certificate Services with group policy. If you issue the server authentication certificate from a CA that
your clients don't automatically trust, add the CA trusted root certificate to clients.

TIP
The only clients that need to communicate with the recovery service are those clients that you plan to target with a
BitLocker management policy that includes a Client Management rule.

On the client, use the BitLockerManagementHandler.log to troubleshoot this connection. For connectivity to
the recovery service, the log shows the URL that the client is using. Locate an entry that starts with
Checking for Recovery Service at .

NOTE
If your site has more than one management point, enable HTTPS on all management points at the site with which a
BitLocker-managed client could potentially communicate. If the HTTPS management point is unavailable, the client could fail
over to an HTTP management point, and then fail to escrow its recovery key.
This recommendation applies to both options: enable the management point for HTTPS, or enable the IIS website that hosts
the recovery service on the management point.
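To see which recovery service URL a client actually used, and whether that connection was HTTPS, here is an added example (not Configuration Manager's own tooling) that parses BitLockerManagementHandler.log for the Checking for Recovery Service at entries and flags any plain-HTTP management point. It assumes the CMTrace line format that Configuration Manager client logs use; the sample lines, host names and service paths below are constructed placeholders.

```python
import re
import sys
from urllib.parse import urlparse

# Constructed sample in CMTrace format (assumed, not taken from the article).
# Hosts, paths and the escrow message are placeholders for illustration only.
SAMPLE_LOG = (
    '<![LOG[Checking for Recovery Service at '
    'https://mp01.placeholder.example/RecoveryService/placeholder]LOG]!>'
    '<time="10:15:02.123+000" date="05-08-2020" '
    'component="BitLockerManagementHandler" context="" type="1" thread="4120" file="">\n'
    '<![LOG[Recovery key escrow succeeded]LOG]!>'
    '<time="10:15:03.001+000" date="05-08-2020" '
    'component="BitLockerManagementHandler" context="" type="1" thread="4120" file="">\n'
    '<![LOG[Checking for Recovery Service at '
    'http://mp02.placeholder.example/RecoveryService/placeholder]LOG]!>'
    '<time="11:02:44.510+000" date="05-08-2020" '
    'component="BitLockerManagementHandler" context="" type="2" thread="4120" file="">\n'
)

# One CMTrace record: <![LOG[message]LOG]!><time="..." date="..." ...>
LINE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)"',
    re.DOTALL,
)
# The entry the article says to look for when troubleshooting the connection.
RS_RE = re.compile(r"Checking for Recovery Service at (?P<url>\S+)")


def parse_cmtrace(text):
    """Return (date, time, message) tuples for every CMTrace record in text."""
    return [(m.group("date"), m.group("time"), m.group("msg"))
            for m in LINE_RE.finditer(text)]


def recovery_service_entries(text):
    """Return one dict per recovery service check: when it happened, the URL,
    the management point host, and whether the scheme was https."""
    entries = []
    for date, time, msg in parse_cmtrace(text):
        m = RS_RE.search(msg)
        if not m:
            continue
        url = m.group("url").rstrip(".,")
        parsed = urlparse(url)
        entries.append({
            "date": date,
            "time": time,
            "url": url,
            "host": parsed.hostname,
            "https": parsed.scheme.lower() == "https",
        })
    return entries


def http_management_points(text):
    """Hosts the client contacted over plain HTTP. Per the article, a client that
    fails over to an HTTP management point cannot escrow its recovery key, so
    these are the management points whose recovery site still needs HTTPS."""
    return sorted({e["host"] for e in recovery_service_entries(text) if not e["https"]})


def main(path=None):
    if path:
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for e in recovery_service_entries(text):
        status = "ok (https)" if e["https"] else "PROBLEM: plain http"
        print(f'{e["date"]} {e["time"]} {e["url"]} -> {status}')
    bad = http_management_points(text)
    if bad:
        print("Contacted over HTTP (recovery key escrow would fail):", ", ".join(bad))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with the path to a client's BitLockerManagementHandler.log to list every management point the client tried; without an argument it runs against the constructed sample.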

SQL encryption certificate


Use this certificate to enable SQL Server cell-level encryption of BitLocker recovery data. You can use your own
process to create and deploy the BitLocker management encryption certificate, as long as it meets the following
requirements:
The name of the BitLocker management encryption certificate must be BitLockerManagement_CERT .
Encrypt this certificate with a database master key.
The following SQL users need Control permissions on the certificate:
RecoveryAndHardwareCore
RecoveryAndHardwareRead
RecoveryAndHardwareWrite
Deploy the same certificate at every site database in your hierarchy.
Create the certificate with the latest version of SQL Server in your environment. For example:
Certificates created with SQL Server 2016 or later are compatible with SQL Server 2014 or earlier.
Certificates created with SQL Server 2014 or earlier aren't compatible with SQL Server 2016 or later.

Example scripts
These SQL scripts are examples to create and deploy a BitLocker management encryption certificate in the
Configuration Manager site database.
Create certificate
This sample script does the following actions:
Creates a certificate
Sets the permissions
Creates a database master key
Before you use this script in a production environment, change the following values:
Site database name ( CM_ABC )
Password to create the master key ( MyMasterKeyPassword )
Certificate expiry date ( 20391022 )

USE CM_ABC
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

IF NOT EXISTS (SELECT name FROM sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    WITH SUBJECT = 'BitLocker Management',
    EXPIRY_DATE = '20391022'

    GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

Back up certificate
This sample script backs up a certificate. When you save the certificate to a file, you can then restore it to other site
databases in the hierarchy.
Before you use this script in a production environment, change the following values:
Site database name ( CM_ABC )
File path and name ( C:\BitLockerManagement_CERT_KEY )
Export key password ( MyExportKeyPassword )

USE CM_ABC
BACKUP CERTIFICATE BitLockerManagement_CERT TO FILE = 'C:\BitLockerManagement_CERT'
WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
ENCRYPTION BY PASSWORD = 'MyExportKeyPassword')

IMPORTANT
Store the exported certificate file and associated password in a secure location.

Restore certificate
This sample script restores a certificate from a file. Use this process to deploy a certificate that you created on
another site database.
Before you use this script in a production environment, change the following values:
Site database name ( CM_ABC )
Master key password ( MyMasterKeyPassword )
File path and name ( C:\BitLockerManagement_CERT_KEY )
Export key password ( MyExportKeyPassword )

USE CM_ABC
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

IF NOT EXISTS (SELECT name FROM sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    FROM FILE = 'C:\BitLockerManagement_CERT'
    WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
    DECRYPTION BY PASSWORD = 'MyExportKeyPassword')

    GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

Verify certificate
Use this SQL script to verify that SQL successfully created the certificate with the required permissions.

USE CM_ABC
declare @count int
select @count = count(distinct u.name) from sys.database_principals u
join sys.database_permissions p on p.grantee_principal_id = u.principal_id or p.grantor_principal_id = u.principal_id
join sys.certificates c on c.certificate_id = p.major_id
where u.name in('RecoveryAndHardwareCore', 'RecoveryAndHardwareRead', 'RecoveryAndHardwareWrite') and
c.name = 'BitLockerManagement_CERT' and p.permission_name like 'CONTROL'
if(@count >= 3) select 1
else select 0

If the certificate is valid, the script returns a value of 1.
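The verify script above only reports 1 or 0. The following PowerShell script is an added example, not part of the Configuration Manager documentation, that runs an expanded check from an administrative workstation: it reports per principal whether CONTROL on BitLockerManagement_CERT is present, confirms the database master key exists, confirms the private key is protected by that master key, and flags a certificate that expires within a configurable window. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and uses the placeholder server sql.contoso.com and database CM_ABC; change both for your environment.

```powershell
# Added example: expanded BitLocker management certificate check for a Configuration Manager site database.
# Assumes the SqlServer module (Invoke-Sqlcmd) is installed and the caller can read the catalog views.
# Server and database names are placeholders; change them.
param(
    [string]$ServerInstance = 'sql.contoso.com',   # assumption: site database server (host\instance if named)
    [string]$Database       = 'CM_ABC',            # assumption: site database name
    [int]$ExpiryWarningDays = 365                  # warn when the certificate expires within this window
)

Import-Module SqlServer -ErrorAction Stop
$common = @{ ServerInstance = $ServerInstance; Database = $Database; ErrorAction = 'Stop' }
$problems = New-Object System.Collections.Generic.List[string]

# One row per required principal with a flag for CONTROL on the certificate. The join mirrors the
# documentation's verify script (grantee or grantor), narrowed to the certificate securable class.
$permissionQuery = @"
SELECT u.name AS principal_name,
       MAX(CASE WHEN c.name = 'BitLockerManagement_CERT'
                 AND p.permission_name = 'CONTROL'
                 AND p.class_desc = 'CERTIFICATE' THEN 1 ELSE 0 END) AS has_control
FROM sys.database_principals u
LEFT JOIN sys.database_permissions p
       ON p.grantee_principal_id = u.principal_id OR p.grantor_principal_id = u.principal_id
LEFT JOIN sys.certificates c ON c.certificate_id = p.major_id
WHERE u.name IN ('RecoveryAndHardwareCore', 'RecoveryAndHardwareRead', 'RecoveryAndHardwareWrite')
GROUP BY u.name
"@
$masterKeyQuery = "SELECT COUNT(*) AS n FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##'"
$certQuery      = "SELECT name, expiry_date, pvt_key_encryption_type_desc FROM sys.certificates WHERE name = 'BitLockerManagement_CERT'"

# 1. Database master key: without it the certificate's private key cannot be protected.
if ((Invoke-Sqlcmd @common -Query $masterKeyQuery).n -lt 1) {
    $problems.Add('Database master key ##MS_DatabaseMasterKey## is missing.')
}

# 2. Certificate presence, expiry and private-key protection.
$cert = Invoke-Sqlcmd @common -Query $certQuery
if (-not $cert) {
    $problems.Add('Certificate BitLockerManagement_CERT does not exist in this site database.')
} else {
    $daysLeft = [int](([datetime]$cert.expiry_date - (Get-Date)).TotalDays)
    if ($daysLeft -le 0) {
        $problems.Add("Certificate expired on $($cert.expiry_date).")
    } elseif ($daysLeft -le $ExpiryWarningDays) {
        $problems.Add("Certificate expires in $daysLeft days ($($cert.expiry_date)); plan the rollover.")
    }
    if ($cert.pvt_key_encryption_type_desc -ne 'ENCRYPTED_BY_MASTER_KEY') {
        $problems.Add("Private key state is '$($cert.pvt_key_encryption_type_desc)', not protected by the database master key.")
    }
}

# 3. Each of the three principals must exist and hold CONTROL on the certificate.
$rows = @(Invoke-Sqlcmd @common -Query $permissionQuery)
foreach ($name in 'RecoveryAndHardwareCore', 'RecoveryAndHardwareRead', 'RecoveryAndHardwareWrite') {
    $row = $rows | Where-Object principal_name -eq $name
    if (-not $row) {
        $problems.Add("Database principal $name does not exist.")
    } elseif ([int]$row.has_control -ne 1) {
        $problems.Add("Principal $name lacks CONTROL on BitLockerManagement_CERT.")
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: BitLockerManagement_CERT in $Database is present, master-key protected, and granted to all three principals."
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
    exit 1
}
```

Run it against each primary site database after restoring the certificate from the backup file, so that a missing grant or a mismatched expiry date on one site shows up before clients start uploading recovery keys there.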

See also
For more information on these SQL commands, see the following articles:
SQL Server and database encryption keys
Create certificate
Backup certificate
Create master key
Backup master key
Grant certificate permissions
Deploy BitLocker management
7/7/2020 • 8 minutes to read

Applies to: Configuration Manager (current branch)


BitLocker management in Configuration Manager includes the following components:
BitLocker management agent: Configuration Manager enables this agent on a device when you create a
policy and deploy it to a collection.
Recovery service: The server component that receives BitLocker recovery data from clients. For more
information, see Recovery service.
Before you create and deploy BitLocker management policies:
Review the prerequisites
If necessary, encrypt recovery keys in the site database

Create a policy
When you create and deploy this policy, the Configuration Manager client enables the BitLocker management
agent on the device.

NOTE
To create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.

1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Endpoint
Protection , and select the BitLocker Management node.
2. In the ribbon, select Create BitLocker Management Control Policy .
3. On the General page, specify a name and optional description. Select the components to enable on clients
with this policy:
Operating System Drive : Manage whether the OS drive is encrypted
Fixed Drive : Manage encryption for additional data drives in a device
Removable Drive : Manage encryption for drives that you can remove from a device, like a USB key
Client Management : Manage the key recovery service backup of BitLocker Drive Encryption
recovery information
4. On the Setup page, configure the following global settings for BitLocker Drive Encryption:

NOTE
Configuration Manager applies these settings when you enable BitLocker. If the drive is already encrypted or is in
progress, any change to these policy settings doesn't change the drive encryption on the device.
If you disable or don't configure these settings, BitLocker uses the default encryption method (AES 128-bit).

For Windows 8.1 devices, enable the option for Drive encryption method and cipher strength.
Then select the encryption method.
For Windows 10 devices, enable the option for Drive encryption method and cipher strength
(Windows 10). Then individually select the encryption method for OS drives, fixed data drives, and
removable data drives.
For more information on these and other settings on this page, see Settings reference - Setup.
5. On the Operating System Drive page, specify the following settings:
Operating System Drive Encryption Settings: If you enable this setting, the user has to protect the
OS drive, and BitLocker encrypts the drive. If you disable it, the user can't protect the drive.
On devices with a compatible TPM, two types of authentication methods can be used at startup to provide
added protection for encrypted data. When the computer starts, it can use only the TPM for authentication,
or it can also require the entry of a personal identification number (PIN). Configure the following settings:
Select protector for operating system drive: Configure it to use a TPM and PIN, or just the TPM.
Configure minimum PIN length for startup: If you require a PIN, this value is the shortest length
the user can specify. The user enters this PIN when the computer boots to unlock the drive. By default,
the minimum PIN length is 4.
For more information on these and other settings on this page, see Settings reference - OS drive.
6. On the Fixed Drive page, specify the following settings:
Fixed data drive encryption: If you enable this setting, BitLocker requires users to put all fixed data
drives under protection. It then encrypts the data drives. When you enable this policy, either enable
auto-unlock or the settings for Fixed data drive password policy.
Configure auto-unlock for fixed data drive : Allow or require BitLocker to automatically unlock
any encrypted data drive. To use auto-unlock, also require BitLocker to encrypt the OS drive.
For more information on these and other settings on this page, see Settings reference - Fixed drive.
7. On the Removable Drive page, specify the following settings:
Removable data drive encryption: When you enable this setting, and allow users to apply
BitLocker protection, the Configuration Manager client saves recovery information about removable
drives to the recovery service on the management point. This behavior allows users to recover the
drive if they forget or lose the protector (password).
Allow users to apply BitLocker protection on removable data drives : Users can turn on
BitLocker protection for a removable drive.
Removable data drive password policy : Use these settings to set the constraints for passwords
to unlock BitLocker-protected removable drives.
For more information on these and other settings on this page, see Settings reference - Removable drive.
8. On the Client Management page, specify the following settings:

IMPORTANT
If you don't have a management point with an HTTPS-enabled website, don't configure this setting. For more
information, see Recovery service.

Configure BitLocker Management Services: When you enable this setting, Configuration
Manager automatically and silently backs up key recovery information in the site database. If you
disable or don't configure this setting, Configuration Manager doesn't save key recovery information.
Select BitLocker recovery information to store: Configure it to use a recovery password
and key package, or just a recovery password.
Allow recovery information to be stored in plain text: Without a BitLocker management
encryption certificate, Configuration Manager stores the key recovery information in plain text.
For more information, see Encrypt recovery data.
For more information on these and other settings on this page, see Settings reference - Client management.
9. Complete the wizard.
To change the settings of an existing policy, choose it in the list, and select Properties.
When you create more than one policy, you can configure their relative priority. If you deploy multiple policies to a
client, it uses the priority value to determine its settings.

Deploy a policy
1. Choose an existing policy in the BitLocker Management node. In the ribbon, select Deploy .
2. Select a device collection as the target of the deployment.
3. If you want the device to potentially encrypt or decrypt its drives at any time, select the option to Allow
remediation outside the maintenance window . If the collection has any maintenance windows, it still
remediates this BitLocker policy.
4. Configure a Simple or Custom schedule. The client evaluates its compliance based on the settings specified
in the schedule.
5. Select OK to deploy the policy.
You can create multiple deployments of the same policy. To view additional information about each deployment,
select the policy in the BitLocker Management node, and then in the details pane, switch to the Deployments
tab.

Monitor
View basic compliance statistics about the policy deployment in the details pane of the BitLocker Management
node:
Compliance count
Failure count
Non-compliance count
Switch to the Deployments tab to see compliance percentage and recommended action. Select the deployment,
then in the ribbon, select View Status . This action switches the view to the Monitoring workspace, Deployments
node. Similar to the deployment of other configuration policy deployments, you can see more detailed compliance
status in this view.
To understand why clients are reporting not compliant with the BitLocker management policy, see Non-compliance
codes.
For more troubleshooting information, see Troubleshoot BitLocker.
Use the following logs to monitor and troubleshoot:
Client logs
MBAM event log: in the Windows Event Viewer, browse to Applications and Services > Microsoft > Windows
> MBAM. For more information, see About BitLocker event logs and Client event logs.
BitlockerManagementHandler.log in the client logs path, %WINDIR%\CCM\Logs by default
Management point logs (recovery service )
Recovery service event log: in the Windows Event Viewer, browse to Applications and Services > Microsoft
> Windows > MBAM-Web. For more information, see About BitLocker event logs and Server event logs.
Recovery service trace logs:
<Default IIS Web Root>\Microsoft BitLocker Management Solution\Logs\Recovery And Hardware Service\trace*.etl

Recovery service
The BitLocker recovery service is a server component that receives BitLocker recovery data from Configuration
Manager clients. The site deploys the recovery service when you create a BitLocker management policy.
Configuration Manager automatically installs the recovery service on each management point with an HTTPS-
enabled website.
Configuration Manager stores the recovery information in the site database. Without a BitLocker management
encryption certificate, Configuration Manager stores the key recovery information in plain text.
For more information, see Encrypt recovery data.

Migration considerations
If you currently use Microsoft BitLocker Administration and Monitoring (MBAM), you can seamlessly migrate
management to Configuration Manager. When you deploy BitLocker management policies in Configuration
Manager, clients automatically upload recovery keys and packages to the Configuration Manager recovery service.

IMPORTANT
When you migrate from stand-alone MBAM to Configuration Manager BitLocker management, if you require existing
functionality of stand-alone MBAM, don't reuse stand-alone MBAM servers or components with Configuration Manager
BitLocker management. If you reuse these servers, stand-alone MBAM will stop working when Configuration Manager
BitLocker management installs its components on those servers. Don't run the MBAMWebSiteInstaller.ps1 script to set up
the BitLocker portals on stand-alone MBAM servers. When you set up Configuration Manager BitLocker management, use
separate servers.

Group policy
The BitLocker management settings are fully compatible with MBAM group policy settings. If devices receive
both group policy settings and Configuration Manager policies, configure them to match.
Configuration Manager doesn't implement all MBAM group policy settings. If you configure additional
settings in group policy, the BitLocker management agent on Configuration Manager clients honors these
settings.
TPM password hash
Previous MBAM clients don't upload the TPM password hash to Configuration Manager. The client only
uploads the TPM password hash once.
If you need to migrate this information to the Configuration Manager recovery service, clear the TPM on the
device. After it restarts, it will upload the new TPM password hash to the recovery service.
Re-encryption
Configuration Manager doesn't re-encrypt drives that are already protected with BitLocker Drive Encryption. If you
deploy a BitLocker management policy that doesn't match the drive's current protection, it reports as non-
compliant. The drive is still protected.
For example, you used MBAM to encrypt the drive with the AES-XTS 128 encryption algorithm, but the
Configuration Manager policy requires AES-XTS 256. The drive is non-compliant with the policy, even though the
drive is encrypted.
To work around this behavior, first disable BitLocker on the device. Then deploy a new policy with the new settings.

Co-management and Intune


The Configuration Manager client handler for BitLocker is co-management aware. If the device is co-managed, and
you switch the Endpoint Protection workload to Intune, then the Configuration Manager client ignores its BitLocker
policy. The device gets Windows encryption policy from Intune.
When you switch encryption management authorities and the desired encryption algorithm also changes, you will
need to plan for re-encryption.
For more information about managing BitLocker with Intune, see the following articles:
Use device encryption with Intune
Troubleshoot BitLocker policies in Microsoft Intune

Next steps
Set up BitLocker reports and portals
Set up BitLocker portals
7/7/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


To use the following BitLocker management components in Configuration Manager, you first need to install them:
User self-service portal
Administration and monitoring website (helpdesk portal)
You can install the portals on an existing site server or site system server with IIS installed, or use a standalone
web server to host them.

NOTE
Only install the self-service portal and the administration and monitoring website with a primary site database. In a
hierarchy, install these websites for each primary site.

Before you start, confirm the prerequisites for these components.

Script usage
This process uses a PowerShell script, MBAMWebSiteInstaller.ps1, to install these components on the web server. It
accepts the following parameters:
-SqlServerName <ServerName> (required): The fully qualified domain name of the primary site database
server.
-SqlInstanceName <InstanceName>: The SQL Server instance name for the primary site database. If SQL uses
the default instance, don't include this parameter.
-SqlDatabaseName <DatabaseName> (required): The name of the primary site database, for example CM_ABC.
-ReportWebServiceUrl <ReportWebServiceUrl>: The web service URL of the primary site's reporting service
point. It's the Web Service URL value in Reporting Services Configuration Manager.

NOTE
This parameter is to install the Recovery Audit Report that's linked from the administration and monitoring
website. By default Configuration Manager includes the other BitLocker management reports.

-HelpdeskUsersGroupName <DomainUserGroup>: For example, contoso\BitLocker help desk users. A domain
user group whose members have access to the Manage TPM and Drive Recovery areas of the
administration and monitoring website. When using these options, this role needs to fill in all fields,
including the user's domain and account name.
-HelpdeskAdminsGroupName <DomainUserGroup>: For example, contoso\BitLocker help desk admins. A domain
user group whose members have access to all recovery areas of the administration and monitoring
website. When helping users recover their drives, this role only has to enter the recovery key.
-MbamReportUsersGroupName <DomainUserGroup>: For example, contoso\BitLocker report users. A domain user
group whose members have read-only access to the Reports area of the administration and monitoring
website.

NOTE
The installer script doesn't create the domain user groups that you specify in the -HelpdeskUsersGroupName,
-HelpdeskAdminsGroupName, and -MbamReportUsersGroupName parameters. Before you run the script,
make sure to create these groups.
When you specify the -HelpdeskUsersGroupName, -HelpdeskAdminsGroupName, and
-MbamReportUsersGroupName parameters, make sure to specify both the domain name and the group name.
Use the format "domain\user_group". Don't exclude the domain name. If the domain name or group name
contains spaces or special characters, enclose the parameter in quotation marks (").

-SiteInstall Both: Specify which of the components to install. Valid options include:
Both: Install both components
HelpDesk: Install only the administration and monitoring website
SSP: Install only the self-service portal
-IISWebSite: The website where the script installs the MBAM web applications. By default, it uses the IIS
default website. Create the custom website before using this parameter.
-InstallDirectory: The path where the script installs the web application files. By default, this path is
C:\inetpub. Create the custom directory before using this parameter.

-Uninstall: Uninstalls the BitLocker Management Help Desk/Self-Service web portal sites on a web server
where they have been previously installed.

Run the script


On the target web server, do the following actions:

NOTE
Depending upon your site design, you may need to run the script multiple times. For example, run the script on the
management point to install the administration and monitoring website. Then run it again on a standalone web server to
install the self-service portal.

1. Copy the following files from SMSSETUP\BIN\X64 in the Configuration Manager installation folder on the site
server to a local folder on the target server:
MBAMWebSite.cab
MBAMWebSiteInstaller.ps1
2. Run PowerShell as an administrator, and then run the script similar to the following command line:

.\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> -SqlInstanceName <InstanceName> -SqlDatabaseName <DatabaseName> -ReportWebServiceUrl <ReportWebServiceUrl> -HelpdeskUsersGroupName <DomainUserGroup> -HelpdeskAdminsGroupName <DomainUserGroup> -MbamReportUsersGroupName <DomainUserGroup> -SiteInstall Both

For example,
.\MBAMWebSiteInstaller.ps1 -SqlServerName sql.contoso.com -SqlInstanceName instance1 -SqlDatabaseName CM_ABC -ReportWebServiceUrl https://rsp.contoso.com/ReportServer -HelpdeskUsersGroupName "contoso\BitLocker help desk users" -HelpdeskAdminsGroupName "contoso\BitLocker help desk admins" -MbamReportUsersGroupName "contoso\BitLocker report users" -SiteInstall Both

IMPORTANT
This example command line uses all of the possible parameters to show their usage. Adjust your use according to
your requirements in your environment.

After installation, access the portals via the following URLs:


Self-service portal: https://webserver.contoso.com/SelfService
Administration and monitoring website: https://webserver.contoso.com/HelpDesk

NOTE
Microsoft recommends but doesn't require the use of HTTPS. For more information, see How to set up SSL on IIS.

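The page lists several conditions the installer does not check for you (the two files copied from SMSSETUP\BIN\X64, the three domain groups created beforehand and given as domain\group, a reachable site database, an existing custom IIS website, and the recommendation to front the portals with HTTPS). The following PowerShell is an added example, not part of the Configuration Manager documentation or the installer, that verifies those conditions on the target web server and only then runs MBAMWebSiteInstaller.ps1 with the documented parameters. It assumes the ActiveDirectory (RSAT), WebAdministration and SqlServer modules; the staging folder C:\MBAMInstall, the contoso server and group names are placeholders.

```powershell
# Added example: pre-flight checks before running MBAMWebSiteInstaller.ps1 on the target web server.
# Assumes the ActiveDirectory, WebAdministration and SqlServer modules. All names below are placeholders.
param(
    [string]$StagingFolder            = 'C:\MBAMInstall',          # assumption: where the .cab and .ps1 were copied
    [string]$SqlServerName            = 'sql.contoso.com',
    [string]$SqlInstanceName          = 'instance1',               # leave empty for the default instance
    [string]$SqlDatabaseName          = 'CM_ABC',
    [string]$ReportWebServiceUrl      = 'https://rsp.contoso.com/ReportServer',
    [string]$HelpdeskUsersGroupName   = 'contoso\BitLocker help desk users',
    [string]$HelpdeskAdminsGroupName  = 'contoso\BitLocker help desk admins',
    [string]$MbamReportUsersGroupName = 'contoso\BitLocker report users',
    [ValidateSet('Both', 'HelpDesk', 'SSP')][string]$SiteInstall = 'Both',
    [string]$IISWebSite               = 'Default Web Site'
)

Import-Module ActiveDirectory  -ErrorAction Stop
Import-Module WebAdministration -ErrorAction Stop
Import-Module SqlServer         -ErrorAction Stop

$failures = New-Object System.Collections.Generic.List[string]

# 1. Installer files copied from SMSSETUP\BIN\X64 on the site server.
foreach ($file in 'MBAMWebSite.cab', 'MBAMWebSiteInstaller.ps1') {
    if (-not (Test-Path (Join-Path $StagingFolder $file))) { $failures.Add("Missing $file in $StagingFolder") }
}

# 2. The installer does not create the groups: each must exist and be written as domain\group.
#    Assumption: the part after the backslash is the group's sAMAccountName.
foreach ($group in $HelpdeskUsersGroupName, $HelpdeskAdminsGroupName, $MbamReportUsersGroupName) {
    if ($group -notmatch '^[^\\]+\\.+$') { $failures.Add("'$group' is not in domain\group format"); continue }
    $samName = $group.Split('\', 2)[1]
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$samName'" -ErrorAction SilentlyContinue)) {
        $failures.Add("Domain group '$group' was not found in Active Directory")
    }
}

# 3. The site database opens under exactly the server\instance and name the installer will receive.
$instance = if ($SqlInstanceName) { "$SqlServerName\$SqlInstanceName" } else { $SqlServerName }
try {
    $null = Invoke-Sqlcmd -ServerInstance $instance -Database $SqlDatabaseName -Query 'SELECT 1' -ErrorAction Stop
} catch {
    $failures.Add("Cannot open $SqlDatabaseName on ${instance}: $($_.Exception.Message)")
}

# 4. The target IIS site exists; warn if it has no HTTPS binding, because the portals handle recovery keys.
if (-not (Get-Website -Name $IISWebSite)) {
    $failures.Add("IIS website '$IISWebSite' does not exist; create it before using -IISWebSite")
} elseif (-not (Get-WebBinding -Name $IISWebSite -Protocol https)) {
    Write-Warning "Website '$IISWebSite' has no HTTPS binding; recovery keys would be served over HTTP."
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Output "FAIL: $_" }
    throw 'Pre-flight checks failed; MBAMWebSiteInstaller.ps1 was not run.'
}

# 5. All checks passed: run the documented installer with the same values.
$installerArgs = @{
    SqlServerName            = $SqlServerName
    SqlDatabaseName          = $SqlDatabaseName
    ReportWebServiceUrl      = $ReportWebServiceUrl
    HelpdeskUsersGroupName   = $HelpdeskUsersGroupName
    HelpdeskAdminsGroupName  = $HelpdeskAdminsGroupName
    MbamReportUsersGroupName = $MbamReportUsersGroupName
    SiteInstall              = $SiteInstall
}
if ($SqlInstanceName) { $installerArgs.SqlInstanceName = $SqlInstanceName }   # omitted for the default instance
if ($IISWebSite -ne 'Default Web Site') { $installerArgs.IISWebSite = $IISWebSite }  # assumption: takes the site name
& (Join-Path $StagingFolder 'MBAMWebSiteInstaller.ps1') @installerArgs
```

Because the installer has to be run once per primary site, and possibly once per web server when the two portals are split, keeping the parameter set in a script like this also gives you a record of exactly which groups and database each portal instance was bound to.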
Verify
Monitor and troubleshoot using the following logs:
Windows Event logs under Microsoft-Windows-MBAM-Web. For more information, see About BitLocker
event logs and Server event logs.
Trace logs for each component are in the following default locations:
Self-service portal: C:\inetpub\Microsoft BitLocker Management Solution\Logs\Self Service Website
Administration and monitoring website: C:\inetpub\Microsoft BitLocker Management Solution\Logs\Help Desk Website

For more troubleshooting information, see Troubleshoot BitLocker.

Next steps
Customize the self-service portal
For more information on using the components that you installed, see the following articles:
BitLocker administration and monitoring website
BitLocker self-service portal
Customize the self-service portal
4/20/2020 • 5 minutes to read

Applies to: Configuration Manager (current branch)


After you install the BitLocker self-service portal, you can customize it for your organization. Add a custom notice,
your organization name, and other organization-specific information.

Branding
Brand the self-service portal with your organization's name, help desk URL, and notice text.
1. On the web server that hosts the self-service portal, sign in as an administrator.
2. Start the Internet Information Services (IIS) Manager (run inetmgr.exe).
3. Expand Sites, expand Default Web Site, and select the SelfService node. In the details pane, ASP.NET
group, open Application Settings.

4. Select the item that you want to change, and in the Actions pane, select Edit. Change the Value to the new
name that you want to use.

Caution
Don't change the Name values. For example, don't change CompanyName, change Contoso IT. If you change
the Name values, the self-service portal will stop working.
The changes take effect immediately.
Supported branding values
For the values that you can set, see the following table:

Name | Description | Default value
--- | --- | ---
CompanyName | The organization name that the self-service portal displays as a header at the top of every page. | Contoso IT
DisplayNotice | Display an initial notice that the user has to acknowledge. | true
HelpdeskText | The string in the right pane below "For all other related issues" | Contact Helpdesk or IT Department
HelpdeskUrl | The link for the HelpdeskText string. | (empty)
NoticeTextPath | The text of the initial notice that the user has to acknowledge. By default, the full file path on the web server is C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\Notice.txt. Edit and save the file in a plain text editor. This path value is relative to the SelfService application. | Notice.txt

For a screenshot of the default self-service portal, see BitLocker self-service portal.

TIP
If necessary, you can localize some of these strings to display in different languages. For more information, see Localization.

Session time-out
To make the user's session expire after a specified period of inactivity, you can change the session time-out setting
for the self-service portal.
1. On the web server that hosts the self-service portal, sign in as an administrator.
2. Start the Internet Information Services (IIS) Manager (run inetmgr.exe).
3. Expand Sites, expand Default Web Site, and select the SelfService node. In the details pane, ASP.NET
group, open Session State.
4. In the Cookie Settings group, change the Time-out (in minutes) value. It's the number of minutes after
which the user's session expires. The default value is 5. To disable the setting, so that there's no time-out,
set the value to 0.
5. In the Actions pane, select Apply .

Localize helpdesk text and URL


You can configure localized versions of the self-service portal HelpdeskText statement and HelpdeskUrl link. This
string informs users how to get additional help when they use the portal. If you configure localized text, the portal
displays the localized version for web browsers in that language. If it doesn't find a localized version, it displays the
default value in the HelpdeskText and HelpdeskUrl settings.
1. On the web server that hosts the self-service portal, sign in as an administrator.
2. Start the Internet Information Services (IIS) Manager (run inetmgr.exe).
3. Expand Sites, expand Default Web Site, and select the SelfService node. In the details pane, ASP.NET
group, open Application Settings.
4. In the Actions pane, select Add .
5. In the Add Application Setting window, configure the following values:
Name : enter HelpdeskText_<language> , where <language> is the language code for the text.
For example, to create a localized HelpdeskText statement in Spanish (Spain), the name is
HelpdeskText_es-es .

Value : the localized string to display in the right pane of the self-service portal below "For all other
related issues"
6. Select OK to save the new setting.
7. Repeat this process to add a new application setting for HelpdeskUrl_<language> that matches the associated
HelpdeskText_<language> setting.

Repeat this process to add a pair of settings for all languages that you support in your organization.

Localize the notice file


You can configure localized versions of the initial notice that the user has to acknowledge in the self-service portal.
By default, the full file path on the web server is
C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\Notice.txt .

To display localized notice text, create a localized notice.txt file. Then save it under a specific language folder. For
example: Self Service Website\es-es\Notice.txt for Spanish (Spain).
The self-service portal displays the notice text based on the following rules:
If the default notice file is missing, the portal displays a message that the default file is missing.
If you create a localized notice file in the appropriate language folder, it displays the localized notice text.
If the web server doesn't find a localized version of the notice file, it displays the default notice.
If the user sets their browser to a language that doesn't have a localized notice, the portal displays the
default notice.
Create a localized notice file
1. On the web server that hosts the self-service portal, sign in as an administrator.
2. Create a <language> folder for each supported language in the Self Service Website application path. For
example, es-es for Spanish (Spain). By default, the full path is
C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\es-es .
For a list of the valid language codes you can use, see National Language Support (NLS) API Reference.

TIP
The name of the language folder can also be the language neutral name. For example, es for Spanish, instead of es-
es for Spanish (Spain) and es-ar for Spanish (Argentina). If the user sets their browser to es-es , and that language
folder doesn't exist, the web server recursively checks the parent locale folder (es ). (The parent locales are defined in
.NET.) For example, Self Service Website\es\Notice.txt . This recursive fallback mimics the .NET resource loading
rules.

3. Create a copy of your default notice file with the localized text. Save it in the folder for the language code.
For example, for Spanish (Spain), by default the full path is
C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\es-es\Notice.txt .

Repeat this process to create a localized notice file for each language that you support in your organization.
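The Branding, Session time-out, Localize helpdesk text and URL, and Localize the notice file procedures above are all edits to the SelfService application's configuration and folder, so they can be scripted for repeatable deployment across web servers. The following PowerShell is an added example, not part of the Configuration Manager documentation, that performs the same edits through the WebAdministration module. It assumes the portal is installed under Default Web Site\SelfService and at the default path C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website; the Fabrikam values and the es-es strings are placeholders. It deliberately refuses to add or rename a documented Name value, which the Caution above says breaks the portal.

```powershell
# Added example: script the self-service portal customizations. Assumes the WebAdministration module,
# the portal under Default Web Site\SelfService, and the default install path from the documentation.
Import-Module WebAdministration -ErrorAction Stop

$PortalPath = 'IIS:\Sites\Default Web Site\SelfService'                                 # assumption: default site
$NoticeRoot = 'C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website'  # documented default path

# Change only the Value of an existing application setting (CompanyName, DisplayNotice, HelpdeskText,
# HelpdeskUrl, NoticeTextPath). Never creates or renames a key: the portal stops working if a Name changes.
function Set-SspBrandingValue {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    $filter = "appSettings/add[@key='$Name']"
    $current = Get-WebConfigurationProperty -PSPath $PortalPath -Filter $filter -Name value
    if ($null -eq $current) { throw "Setting '$Name' does not exist in the SelfService application; refusing to create it." }
    Set-WebConfigurationProperty -PSPath $PortalPath -Filter $filter -Name value -Value $Value
}

# Session time-out in minutes (0 disables it). Writes the system.web/sessionState timeout the IIS UI edits.
function Set-SspSessionTimeout {
    param([Parameter(Mandatory)][int]$Minutes)
    # assumption: the attribute accepts a TimeSpan, as the IIS UI writes it
    Set-WebConfigurationProperty -PSPath $PortalPath -Filter 'system.web/sessionState' -Name timeout `
        -Value ([TimeSpan]::FromMinutes($Minutes))
}

# Add or update the HelpdeskText_<lang> / HelpdeskUrl_<lang> pair; the docs require both for a language.
function Set-SspHelpdeskLocalization {
    param([Parameter(Mandatory)][string]$Language, [Parameter(Mandatory)][string]$Text, [string]$Url = '')
    $pairs = @(
        @{ Key = "HelpdeskText_$Language"; Value = $Text },
        @{ Key = "HelpdeskUrl_$Language";  Value = $Url }
    )
    foreach ($pair in $pairs) {
        $filter = "appSettings/add[@key='$($pair.Key)']"
        if (Get-WebConfigurationProperty -PSPath $PortalPath -Filter $filter -Name value) {
            Set-WebConfigurationProperty -PSPath $PortalPath -Filter $filter -Name value -Value $pair.Value
        } else {
            Add-WebConfigurationProperty -PSPath $PortalPath -Filter 'appSettings' -Name '.' `
                -Value @{ key = $pair.Key; value = $pair.Value }
        }
    }
}

# Write a localized Notice.txt under <language>\ so the portal serves it for browsers set to that language.
function New-SspLocalizedNotice {
    param([Parameter(Mandatory)][string]$Language, [Parameter(Mandatory)][string]$NoticeText)
    $folder = Join-Path $NoticeRoot $Language
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    # assumption: UTF-8 plain text, matching a default file edited in a plain text editor
    Set-Content -Path (Join-Path $folder 'Notice.txt') -Value $NoticeText -Encoding UTF8
}

# Example usage with placeholder organization values.
Set-SspBrandingValue -Name CompanyName -Value 'Fabrikam IT'
Set-SspBrandingValue -Name HelpdeskUrl -Value 'https://helpdesk.fabrikam.example/'
Set-SspSessionTimeout -Minutes 10
Set-SspHelpdeskLocalization -Language 'es-es' `
    -Text 'Para cualquier otro problema, contacte con el servicio de asistencia' `
    -Url 'https://helpdesk.fabrikam.example/es/'
New-SspLocalizedNotice -Language 'es-es' -NoticeText 'Este portal es solo para usuarios autorizados de Fabrikam.'
```

Application-setting changes take effect immediately, as the Branding section notes, so the script can be re-run safely; the only destructive path is a typo in a documented key, which the existence check turns into an error instead of a silently added setting.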

Next steps
Now that you've installed and customized the self-service portal, try it out! For more information, see BitLocker
self-service portal.
View BitLocker reports
4/20/2020 • 8 minutes to read

Applies to: Configuration Manager (current branch)


After you install the reports on the reporting services point, you can view the reports. The reports show BitLocker
compliance for the enterprise and for individual devices. They provide tabular information and charts, and have
filters that let you view data from different perspectives.
In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select the
Reports node. The following reports are in the BitLocker Management category:
BitLocker Computer Compliance
BitLocker Enterprise Compliance Dashboard
BitLocker Enterprise Compliance Details
BitLocker Enterprise Compliance Summary
Recovery Audit Report
You can access all of these reports directly from the reporting services point website.

NOTE
For these reports to display complete data:
Create and deploy a BitLocker management policy to a device collection
Clients in the target collection need to send hardware inventory

BitLocker computer compliance


Use this report to collect information that's specific to a computer. It provides detailed encryption information
about the OS drive and any fixed data drives. To view the details of each drive, expand the Computer Name entry. It
also indicates the policy that's applied to each drive type on the computer.
You can also use this report to determine the last known BitLocker encryption status of lost or stolen computers.
Configuration Manager determines compliance of the device based on the BitLocker policies that you deploy.
Before you try to determine the BitLocker encryption state of a device, verify the policies that you've deployed to it.

NOTE
This report doesn't show the Removable Data Volume encryption status.

Computer details
Column name | Description
--- | ---
Computer name | User-specified DNS computer name.
Domain name | Fully qualified domain name for the computer.
Computer Type | Type of computer, valid types are Non-Portable and Portable.
Operating system | OS type of the computer.
Overall compliance | Overall BitLocker compliance status of the computer. Valid states are Compliant and Non-compliant. The compliance status per drive may indicate different compliance states. However, this field represents the compliance state from the specified policy.
Operating system compliance | Compliance status of the OS on the computer. Valid states are Compliant and Non-compliant.
Fixed data drive compliance | Compliance status of a fixed data drive on the computer. Valid states are Compliant and Non-compliant.
Last update date | Date and time that the computer last contacted the server to report compliance status.
Exemption | Indicates whether the user is exempt or non-exempt from the BitLocker policy.
Exempted user | The user who's exempt from the BitLocker policy.
Exemption date | Date on which the exemption was granted.
Compliance status details | Error and status messages about the compliance state of the computer from the specified policy.
Policy cipher strength | Cipher strength that you selected in the BitLocker management policy.
Policy: Operating system drive | Indicates if encryption is required for the OS drive and the appropriate protector type.
Policy: Fixed data drive | Indicates if encryption is required for the fixed data drive.
Manufacturer | Computer manufacturer name as it appears in the computer BIOS.
Model | Computer manufacturer model name as it appears in the computer BIOS.
Device users | Known users on the computer.

Computer volume
Column name | Description
--- | ---
Drive letter | The drive letter on the computer.
Drive type | Type of drive. Valid values are Operating System Drive and Fixed Data Drive. These entries are physical drives rather than logical volumes.
Cipher strength | Cipher strength that you selected in the BitLocker management policy.
Protector types | Type of protector that you selected in the policy to encrypt the drive. The valid protector types for an OS drive are TPM or TPM+PIN. The valid protector type for a fixed data drive is Password.
Protector state | Indicates that the computer enabled the protector type specified in the policy. The valid states are ON or OFF.
Encryption state | Encryption state of the drive. Valid states are Encrypted, Not Encrypted, or Encrypting.

BitLocker enterprise compliance dashboard


This report provides the following graphs, which show BitLocker compliance status across your organization:
Compliance status distribution
Non-compliant - Errors distribution
Compliance status distribution by drive type

Compliance status distribution


This pie chart shows compliance status for computers in the organization. It also shows the percentage of
computers with that compliance status, compared to the total number of computers in the selected collection. The
actual number of computers with each status is also shown.
The pie chart shows the following compliance statuses:
Compliant
Non-compliant
User exempt
Temporary user exempt
Policy not enforced
Unknown. These computers reported a status error, or they're part of the collection but have never reported
their compliance status. The lack of a compliance status could occur if the computer is disconnected from
the organization.
Non-compliant - Errors distribution
This pie chart shows the categories of computers in your organization that aren't compliant with the BitLocker
Drive Encryption policy. It also shows the number of computers in each category. The report calculates each
percentage from the total number of non-compliant computers in the collection.
User postponed encryption
Unable to find compatible TPM
System partition not available or large enough
TPM visible but not initialized
Policy conflict
Waiting for TPM auto provisioning
An unknown error has occurred
No information. These computers don't have the BitLocker management agent installed, or it's installed but
not activated. For example, the service isn't working.
Compliance status distribution by drive type
This bar chart shows the current BitLocker compliance status by drive type. The statuses are Compliant and
Non-compliant. Bars are shown for fixed data drives and OS drives. The report includes computers without a fixed data
drive, and only shows a value in the Operating System Drive bar. The chart doesn't include users who have been
granted an exemption from the BitLocker Drive Encryption policy or the No Policy category.

BitLocker enterprise compliance details


This report shows information about the overall BitLocker compliance across your organization for the collection of
computers to which you deployed the BitLocker management policy.

Column name - Description

Managed computers - Number of computers to which you deployed a BitLocker management policy.

% Compliant - Percentage of compliant computers in the organization.

% Non-compliant - Percentage of non-compliant computers in the organization.

% Unknown compliance - Percentage of computers with a compliance state that's not known.

% Exempt - Percentage of computers exempt from the BitLocker encryption requirement.

% Non-exempt - Percentage of computers not exempt from the BitLocker encryption requirement.

Compliant - Count of compliant computers in the organization.

Non-Compliant - Count of non-compliant computers in the organization.

Unknown Compliance - Count of computers with a compliance state that's not known.

Exempt - Count of computers that are exempt from the BitLocker encryption requirement.

Non-exempt - Count of computers that aren't exempt from the BitLocker encryption requirement.

Computer details

Column name - Description

Computer name - DNS computer name of the managed device.

Domain name - Fully qualified domain name for the computer.

Compliance status - Overall compliance status of the computer. Valid states are Compliant and Non-compliant.

Exemption - Indicates whether the user is exempt or non-exempt from the BitLocker policy.

Device users - Users of the device.

Compliance status details - Error and status messages about the compliance state of the computer from the specified policy.

Last contact - Date and time that the computer last contacted the server to report compliance status.

BitLocker enterprise compliance summary


Use this report to show the overall BitLocker compliance across your organization. It also shows the compliance for
individual computers to which you deployed the BitLocker management policy.

Column name - Description

Managed computers - Number of computers that you manage with BitLocker policy.

% Compliant - Percentage of compliant computers in your organization.

% Non-compliant - Percentage of non-compliant computers in your organization.

% Unknown compliance - Percentage of computers with a compliance state that's not known.

% Exempt - Percentage of computers exempt from the BitLocker encryption requirement.

% Non-exempt - Percentage of computers not exempt from the BitLocker encryption requirement.

Compliant - Count of compliant computers in your organization.

Non-compliant - Count of non-compliant computers in your organization.

Unknown compliance - Count of computers with a compliance state that's not known.

Exempt - Count of computers that are exempt from the BitLocker encryption requirement.

Non-exempt - Count of computers that aren't exempt from the BitLocker encryption requirement.

Recovery audit report


NOTE
This report is also available from the BitLocker administration and monitoring website.
To view this report in the Configuration Manager console, go to the Monitoring workspace. In the navigation pane, expand
the Reporting node, expand Reports, and then expand the BitLocker Management folder. Select the subfolder for the
localized version of the report, for example, en-us .

Use this report to audit users who have requested access to BitLocker recovery keys. You can filter on the following
criteria:
A specific type of user, for example, a help desk user or an end user
If the request failed or was successful
The specific type of key requested: Recovery Key Password, Recovery Key ID, or TPM Password Hash
A date range during which the retrieval occurred

Column name - Description

Request date and time - Date and time that an end user or help desk user requested a key.

Audit request source - The site from where the request came. Valid values are Self-Service Portal or Helpdesk.

Request result - Status of the request. Valid values are Successful or Failed.

Helpdesk user - The administrative user who requested the key. If a helpdesk admin recovers the key without specifying the user name, the End User field is blank. A standard helpdesk user must specify the user name, which appears in this field. For recovery via the self-service portal, this field and the End User field display the name of the user making the request.

End user - Name of the user who requested key retrieval.

Computer - Name of the computer that was recovered.

Key type - Type of key that the user requested. The three types of keys are:
- Recovery key password: used to recover a computer in recovery mode
- Recovery key ID: used to recover a computer in recovery mode for another user
- TPM password hash: used to recover a computer with a locked TPM

Reason description - Why the user requested the specified key type, based upon the option they selected in the form.
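The filters listed above are the ones a reviewer applies when working through this report. The following PowerShell is an added example, not code from the Configuration Manager documentation or product: it runs the same filters over rows exported from the report and adds two checks a defender usually wants, a help desk account that retrieves many keys in a short window and any retrieval of a TPM password hash. The rows are constructed sample data with the report's columns; the account, computer and domain names are placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation or product.
# Constructed sample rows with the Recovery Audit Report columns (names are placeholders).
$AuditRows = @(
    [pscustomobject]@{ RequestTime = [datetime]'2020-04-06 09:12'; Source = 'Helpdesk';            Result = 'Successful'; HelpdeskUser = 'CONTOSO\hd-alice'; EndUser = 'CONTOSO\bob';   Computer = 'PC-0101'; KeyType = 'Recovery key password'; Reason = 'Lost PIN' }
    [pscustomobject]@{ RequestTime = [datetime]'2020-04-06 09:40'; Source = 'Self-Service Portal'; Result = 'Failed';     HelpdeskUser = 'CONTOSO\carol';    EndUser = 'CONTOSO\carol'; Computer = 'PC-0202'; KeyType = 'Recovery key password'; Reason = 'BIOS/TPM changed' }
    [pscustomobject]@{ RequestTime = [datetime]'2020-04-06 10:05'; Source = 'Helpdesk';            Result = 'Successful'; HelpdeskUser = 'CONTOSO\hd-alice'; EndUser = 'CONTOSO\dave';  Computer = 'PC-0303'; KeyType = 'Recovery key password'; Reason = 'Lost PIN' }
    [pscustomobject]@{ RequestTime = [datetime]'2020-04-06 10:20'; Source = 'Helpdesk';            Result = 'Successful'; HelpdeskUser = 'CONTOSO\hd-alice'; EndUser = '';              Computer = 'PC-0404'; KeyType = 'Recovery key ID';       Reason = 'Other' }
    [pscustomobject]@{ RequestTime = [datetime]'2020-04-06 10:31'; Source = 'Helpdesk';            Result = 'Successful'; HelpdeskUser = 'CONTOSO\hd-alice'; EndUser = '';              Computer = 'PC-0505'; KeyType = 'TPM password hash';      Reason = 'Clear TPM' }
    [pscustomobject]@{ RequestTime = [datetime]'2020-04-07 08:15'; Source = 'Helpdesk';            Result = 'Successful'; HelpdeskUser = 'CONTOSO\hd-erin';  EndUser = 'CONTOSO\frank'; Computer = 'PC-0606'; KeyType = 'Recovery key password'; Reason = 'Lost passphrase' }
)

function Get-RecoveryAuditEvents {
    # The report's own filters: date range, request result, key type and request source.
    # Any filter left empty is not applied.
    param(
        [Parameter(Mandatory)][object[]] $Rows,
        [datetime] $From = [datetime]::MinValue,
        [datetime] $To   = [datetime]::MaxValue,
        [string] $Result,    # 'Successful' or 'Failed'
        [string] $KeyType,   # 'Recovery key password', 'Recovery key ID' or 'TPM password hash'
        [string] $Source     # 'Self-Service Portal' or 'Helpdesk'
    )
    $Rows | Where-Object {
        $_.RequestTime -ge $From -and $_.RequestTime -le $To -and
        (-not $Result  -or $_.Result  -eq $Result) -and
        (-not $KeyType -or $_.KeyType -eq $KeyType) -and
        (-not $Source  -or $_.Source  -eq $Source)
    }
}

function Find-UnusualKeyRetrieval {
    # Flags help desk accounts with at least $Threshold successful retrievals in the
    # supplied rows, and every TPM password hash retrieval (rare; should map to a ticket).
    param([Parameter(Mandatory)][object[]] $Rows, [int] $Threshold = 3)
    $findings = [System.Collections.Generic.List[object]]::new()
    $helpdeskSuccess = @($Rows | Where-Object { $_.Source -eq 'Helpdesk' -and $_.Result -eq 'Successful' })
    foreach ($group in ($helpdeskSuccess | Group-Object HelpdeskUser)) {
        if ($group.Count -ge $Threshold) {
            $findings.Add([pscustomobject]@{ Finding = 'High key retrieval volume'; Account = $group.Name; Count = $group.Count })
        }
    }
    foreach ($row in ($Rows | Where-Object { $_.KeyType -eq 'TPM password hash' })) {
        $findings.Add([pscustomobject]@{ Finding = 'TPM owner password hash retrieved'; Account = $row.HelpdeskUser; Count = 1 })
    }
    $findings
}

# Failed self-service requests on 6 April 2020 (in the sample data: carol's request).
Get-RecoveryAuditEvents -Rows $AuditRows -From '2020-04-06' -To '2020-04-06 23:59' -Result Failed -Source 'Self-Service Portal'

# hd-alice has four successful help desk retrievals in the window, one of them a TPM password hash.
Find-UnusualKeyRetrieval -Rows $AuditRows | Format-Table
```

The threshold of 3 is a starting point for the sample data; in production derive it from the normal daily volume per help desk account, and review anything flagged against the Reason description column and the help desk ticket.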
BitLocker administration and monitoring website
4/20/2020 • 6 minutes to read

Applies to: Configuration Manager (current branch)


The BitLocker administration and monitoring website is an administrative interface for BitLocker Drive Encryption.
It's also referred to as the help desk portal. Use this website to review reports, recover users' drives, and manage
device TPMs.

Before you can use it, install this component on a web server. For more information, see Set up BitLocker reports
and portals.
Access the administration and monitoring website via the following URL: https://webserver.contoso.com/HelpDesk

NOTE
You can view the Recovery Audit Report in the administration and monitoring website. You add other BitLocker
management reports to the reporting services point. For more information, see View BitLocker reports.

Groups
To access specific areas of the administration and monitoring website, your user account needs to be in one of the
following groups. Create these groups in Active Directory using any name you want. When you install this website,
you specify these group names. For more information, see Set up BitLocker reports and portals.

Group - Description

BitLocker help desk admins - Provides access to all areas of the administration and monitoring website. When you help a user recover their drives, you enter only the recovery key, and not the domain and user name. If a user is a member of both this group and the BitLocker help desk users group, the admin group permissions override the user group permissions.

BitLocker help desk users - Provides access to the Manage TPM and Drive Recovery areas of the administration and monitoring website. When you use either area, you need to fill in all fields including the user's domain and account name. If a user is a member of both this group and the BitLocker help desk admins group, the admin group permissions override the user group permissions.

BitLocker report users - Provides access to the Reports area of the administration and monitoring website.

Manage TPM
If a user enters the incorrect PIN too many times, they can lock out the TPM. The number of times that a user can
enter an incorrect PIN before the TPM locks varies from manufacturer to manufacturer. From the Manage TPM
area of the administration and monitoring website, access the centralized key recovery data system.
For more information about TPM ownership, see Configure MBAM to escrow the TPM and store OwnerAuth
passwords.

NOTE
Starting with Windows 10, version 1607, Windows doesn't keep the TPM owner password when provisioning the TPM.

1. Go to the administration and monitoring website in the web browser, for example
https://webserver.contoso.com/HelpDesk .

2. In the left pane, select the Manage TPM area.

3. Enter the fully qualified domain name for the computer and the computer name.
4. If necessary, enter the user's domain and user name to retrieve the TPM owner password file.
5. Choose one of the following options for the Reason for requesting TPM owner password file :
Reset PIN lockout
Turn on TPM
Turn off TPM
Change TPM password
Clear TPM
Other
After you Submit the form, the website returns one of the following responses:
If it can't find a matching TPM owner password file, it returns an error message.
The TPM owner password file for the submitted computer
After you retrieve the TPM owner password file, the website displays the owner password.
6. To save the password to a file, select Save .
7. In the Manage TPM area, select the Reset TPM lockout option, and provide the TPM owner password file.
The TPM lockout is reset. BitLocker restores the user's access to the device.

IMPORTANT
Don't share the TPM hash value or TPM owner password file.

Drive recovery
Recover a drive in recovery mode
Drives go into recovery mode in the following scenarios:
The user loses or forgets their PIN or password
The Trusted Platform Module (TPM) detects changes to the BIOS or startup files of the computer
To get a recovery password, use the Drive recovery area of the administration and monitoring website.

IMPORTANT
Recovery passwords expire after a single use. On OS drives and fixed data drives, the single-use rule automatically applies.
On removable drives, it applies when you remove and reinsert the drive.

1. Go to the administration and monitoring website in the web browser, for example
https://webserver.contoso.com/HelpDesk .

2. In the left pane, select the Drive Recovery area.


3. If necessary, enter the user's domain and user name to view recovery information.
4. To see a list of possible matching recovery keys, enter the first eight digits of the recovery key ID. To get the
exact recovery key, enter the entire recovery key ID.
5. Choose one of the following options as the Reason for Drive Unlock :
Operating system boot order changed
BIOS changed
Operating system files modified
Lost startup key
Lost PIN
TPM reset
Lost passphrase
Lost smartcard
Other
After you Submit the form, the website returns one of the following responses:
If the user has multiple matching recovery passwords, it returns multiple possible matches.
The recovery password and recovery package for the submitted user.

NOTE
If you're recovering a damaged drive, the recovery package option provides BitLocker with critical information
that it needs to recover the drive.

If it can't find a matching recovery password, it returns an error message.


After you retrieve the recovery password and recovery package, the website displays the recovery
password.
6. To copy the password, select Copy Key . To save the recovery password to a file, select Save .
To unlock the drive, enter the recovery password or use the recovery package.
Recover a moved drive
When you move a drive to a new computer, because the TPM is different, BitLocker doesn't accept the previous PIN.
To recover the moved drive, get the recovery key ID to retrieve the recovery password.
To recover a moved drive, use the Drive recovery area of the administration and monitoring website.
1. On the computer with the moved drive, start the computer in Windows Recovery Environment (WinRE)
mode.
2. In WinRE, BitLocker treats the moved OS drive as a fixed data drive. BitLocker displays the drive's recovery
password ID and prompts for the recovery password.

NOTE
In some situations, during the startup process select I forgot the PIN if the option is available. Then enter recovery
mode to display the recovery key ID.

3. Use the recovery key ID to get the recovery password from the administration and monitoring website. For
more information, see Recover a drive in recovery mode.
If you configured the moved drive to use a TPM chip on the original computer, complete the following steps.
Otherwise, the recovery process is complete.
1. After you unlock the drive, start the computer in WinRE mode. Open a command prompt in WinRE, and use
the manage-bde command to decrypt the drive. This tool is the only way to remove the TPM + PIN
protector without the original TPM chip. For more information about this command, see Manage-bde.
2. When it's complete, start the computer normally. Configuration Manager will enforce the BitLocker policy to
encrypt the drive with the new computer's TPM plus PIN.
Recover a corrupted drive
Use the recovery key ID to get a recovery key package from the administration and monitoring website. For more
information, see Recover a drive in recovery mode.
1. Save the Recovery Key Package on your computer, then copy it to the computer with the corrupted drive.
2. Open a command prompt as an administrator, and type the following command:
repair-bde <corrupted drive> <fixed drive> -kp <key package> -rp <recovery password>

Replace the following values:


<corrupted drive> : The drive letter of the corrupted drive, for example D:
<fixed drive> : The drive letter of an available hard disk drive of similar or larger size than the corrupted
drive. BitLocker recovers and moves data on the corrupted drive to the specified drive. All data on this
drive is overwritten.
<key package> : The location of the recovery key package
<recovery password> : The associated recovery password
For example:
repair-bde C: D: -kp F:\RecoveryKeyPackage -rp 111111-222222-333333-444444-555555-666666-777777-888888

For more information about this command, see Repair-bde.
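Because repair-bde overwrites everything on the destination drive, the arguments deserve a check before the command runs. The following PowerShell is an added example, not code from the documentation or from the repair-bde tool itself: it validates the drive letters, the key package path and the shape of the recovery password, then runs the command from step 2 (or prints it with -DryRun). The check that every six-digit group is divisible by 11 relies on how BitLocker generates recovery passwords and catches most mistyped digits; the drive letters and key package path in the call at the end are the documentation's own placeholder values.

```powershell
# Added example, not part of the Configuration Manager documentation or product.
function Test-BitLockerRecoveryPassword {
    # A recovery password is eight groups of six digits. BitLocker generates each
    # group as a multiple of 11, so a group that isn't divisible by 11 is a typo.
    param([Parameter(Mandatory)][string] $RecoveryPassword)
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') { return $false }
    foreach ($group in $RecoveryPassword.Split('-')) {
        if (([int]$group % 11) -ne 0) { return $false }
    }
    return $true
}

function Repair-CorruptedBitLockerDrive {
    param(
        [Parameter(Mandatory)][string] $CorruptedDrive,    # e.g. 'D:'
        [Parameter(Mandatory)][string] $FixedDrive,        # e.g. 'E:'; all data on it is overwritten
        [Parameter(Mandatory)][string] $KeyPackagePath,    # recovery key package saved from the help desk portal
        [Parameter(Mandatory)][string] $RecoveryPassword,  # 48-digit recovery password from the portal
        [switch] $DryRun                                   # return the command line instead of running it
    )
    foreach ($drive in @($CorruptedDrive, $FixedDrive)) {
        if ($drive -notmatch '^[A-Za-z]:$') { throw "Expected a drive letter like 'D:', got '$drive'." }
    }
    if ($CorruptedDrive -eq $FixedDrive) { throw 'The destination drive must be different from the corrupted drive.' }
    if (-not (Test-Path -LiteralPath $KeyPackagePath)) { throw "Recovery key package not found: $KeyPackagePath" }
    if (-not (Test-BitLockerRecoveryPassword $RecoveryPassword)) { throw 'The recovery password is not well formed; re-check the digits.' }

    # Same argument order as the documented command: <corrupted> <fixed> -kp <package> -rp <password>
    $cmdArgs = @($CorruptedDrive, $FixedDrive, '-kp', $KeyPackagePath, '-rp', $RecoveryPassword)
    if ($DryRun) { return "repair-bde $($cmdArgs -join ' ')" }
    & repair-bde.exe @cmdArgs
    if ($LASTEXITCODE -ne 0) { throw "repair-bde exited with code $LASTEXITCODE" }
}

# Dry run with the documented example values; assumes the key package was saved to F:\RecoveryKeyPackage.
Repair-CorruptedBitLockerDrive -CorruptedDrive 'C:' -FixedDrive 'D:' -KeyPackagePath 'F:\RecoveryKeyPackage' `
    -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888' -DryRun
```

Run it from an elevated PowerShell prompt, as the documented step requires, and only drop -DryRun once the printed command line names the drives you intend.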

Reports
The administration and monitoring website includes the Recovery Audit Report. Other reports are available
from the Configuration Manager reporting services point. For more information, see View BitLocker reports.
1. Go to the administration and monitoring website in the web browser, for example
https://webserver.contoso.com/HelpDesk .

2. In the left pane, select the Reports area.

3. From the top menu bar, select the Recovery Audit Report.
For more information on this report, see Recovery Audit Report.

TIP
To save report results, select Export on the Reports menu bar.
BitLocker self-service portal
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


After you install the BitLocker self-service portal, if BitLocker locks a user's device, they can independently get
access to their computers. The self-service portal requires no assistance from help desk staff.

IMPORTANT
To get a recovery key from the self-service portal, a user must have successfully signed in to the computer at least once. This
sign-in must be local to the device, not in a remote session. Otherwise, they need to contact the help desk for key recovery.
A help desk administrator can use the administration and monitoring website to request the recovery key.

BitLocker can lock the device in the following situations:


The user forgets their BitLocker password or PIN
There's a change to the device's OS files, BIOS, or Trusted Platform Module (TPM)
To request the BitLocker recovery key from the self-service portal:
1. When BitLocker locks a device, it displays the BitLocker recovery screen during startup. Write down the
32-digit BitLocker recovery key ID.
2. On another computer, go to the self-service portal in the web browser, for example
https://webserver.contoso.com/SelfService .

3. Read and accept the notice.


4. In the Recovery Key ID field, enter the first eight digits of the BitLocker recovery key ID. If it matches
multiple keys, then enter all 32 digits.
5. Choose one of the following options for the Reason for this request:
BIOS/TPM changed
OS files modified
Lost PIN/passphrase
6. Select Get Key . The self-service portal displays the 48-digit BitLocker recovery key.
7. Enter this 48-digit code into the BitLocker recovery screen on your computer.

NOTE
The BitLocker self-service portal may time out after a period of inactivity. For example, after five minutes you may see a
timeout warning with a 60-second counter.

If you don't respond to the countdown, the session will expire.


Windows Hello for Business settings in Configuration
Manager
4/20/2020 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager integrates with Windows Hello for Business. (This feature was formerly known as Microsoft
Passport for Work.) Windows Hello for Business is an alternative sign-in method for Windows 10 devices. It uses
Active Directory or an Azure Active Directory (Azure AD) account to replace a password, smart card, or virtual
smart card. Hello for Business lets you use a user gesture to sign in instead of a password. A user gesture might be
a PIN, biometric authentication, or an external device such as a fingerprint reader.

IMPORTANT
Starting in version 1910, certificate-based authentication with Windows Hello for Business settings in Configuration Manager
isn't supported. For more information, see deprecated features. Key-based authentication is still valid.
Active Directory Federation Services Registration Authority (ADFS RA) deployment is simpler, provides a better user
experience, and has a more deterministic certificate enrollment experience. Use ADFS RA for certificate-based authentication
with Windows Hello for Business.
For co-managed devices, consider moving the Resource access policies workload to Intune. Then use Intune policies to
manage these certificates. For more information, see How to switch workloads.

For more information, see Windows Hello for Business.

NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.

Configuration Manager integrates with Windows Hello for Business in the following ways:
Control which gestures users can and can't use to sign in.
Store authentication certificates in the Windows Hello for Business key storage provider (KSP). For more
information, see Certificate profiles.
Create and deploy a Windows Hello for Business profile to control its settings on domain-joined Windows
10 devices that run the Configuration Manager client. Starting in version 1910, you can't use
certificate-based authentication. When using key-based authentication, you don't need to deploy a certificate profile.

Configure a profile
1. In the Configuration Manager console, go to the Assets and Compliance workspace. Expand Compliance
Settings , expand Company Resource Access , and select the Windows Hello for Business Profiles
node.
2. In the ribbon, select Create Windows Hello for Business Profile to start the profile wizard.
3. On the General page, specify a name and an optional description for this profile.
4. On the Supported Platforms page, select the OS versions to which this profile should apply.
5. On the Settings page, configure the following settings:
Configure Windows Hello for Business : Specify whether this profile enables, disables, or doesn't
configure Hello for Business.
Use a Trusted Platform Module (TPM) : A TPM provides an additional layer of data security.
Choose one of the following values:
Required : Only devices with an accessible TPM can provision Windows Hello for Business.
Preferred : Devices first attempt to use a TPM. If it's not available, they can use software
encryption.
Authentication method : Set this option to Not configured or Key-based .

NOTE
Starting in version 1910, certificate-based authentication with Windows Hello for Business settings in
Configuration Manager isn't supported.

Configure minimum PIN length : If you want to require a minimum length for the user's PIN,
enable this option and specify a value. When enabled, the default value is 4 .
Configure maximum PIN length : If you want to require a maximum length for the user's PIN,
enable this option and specify a value. When enabled the default value is 127 .
Require PIN expiration (days) : Specifies the number of days before the user must change the
device PIN.
Prevent reuse of previous PINs : Don't allow users to use PINs they have previously used.
Require upper-case letters in PIN : Specifies whether users must include uppercase letters in the
Windows Hello for Business PIN. Choose from:
Allowed : Users can use uppercase characters in their PIN, but don't have to.
Required : Users must include at least one uppercase character in their PIN.
Not allowed : Users can't use uppercase characters in their PIN.
Require lower-case letters in PIN : Specifies whether users must include lowercase letters in the
Windows Hello for Business PIN. Choose from:
Allowed : Users can use lowercase characters in their PIN, but don't have to.
Required : Users must include at least one lowercase character in their PIN.
Not allowed : Users can't use lowercase characters in their PIN.
Configure special characters : Specifies the use of special characters in the PIN. Choose from:

NOTE
Special characters include the following set:

! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~


Allowed : Users can use special characters in their PIN, but don't have to.
Required : Users must include at least one special character in their PIN.
Not allowed : Users can't use special characters in their PIN. This is also the behavior if the setting
is Not configured .
Configure the use of digits in PIN : Specifies the use of numbers in the PIN. Choose from:
Allowed : Users can use numbers in their PIN, but don't have to.
Required : Users must include at least one number in their PIN.
Not allowed : Users can't use numbers in their PIN.
Enable biometric gestures : Use biometric authentication such as facial recognition or fingerprint.
These modes are an alternative to a PIN for Windows Hello for Business. Users still configure a PIN in
case biometric authentication fails.
If set to Yes , Windows Hello for Business allows biometric authentication. If set to No , Windows Hello
for Business prevents biometric authentication for all account types.
Use enhanced anti-spoofing : Configures enhanced anti-spoofing on devices that support it. If set
to Yes , where supported, Windows requires all users to use anti-spoofing for facial features.
Use Phone Sign In : Configures two-factor authentication with a mobile phone.
6. Complete the wizard.
The following screenshot is an example of Windows Hello for Business profile settings:
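The PIN settings above interact: a length window plus an Allowed / Required / Not allowed rule per character class, with Not configured for special characters behaving like Not allowed. The following PowerShell is an added example, not code from Configuration Manager or the documentation: it evaluates a candidate PIN the way those rules combine, so you can see what a profile would accept before deploying it. The special character set is the one listed in the note above, and the 4 and 127 length defaults come from the settings list; the other rule defaults are assumptions chosen for the demo.

```powershell
# Added example, not part of the Configuration Manager documentation or product.
$HelloSpecialCharacterSet = '!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~'   # the set listed in the note above

function Test-HelloPinPolicy {
    param(
        [Parameter(Mandatory)][string] $Pin,
        [int] $MinimumLength = 4,      # default when the minimum-length setting is enabled
        [int] $MaximumLength = 127,    # default when the maximum-length setting is enabled
        [ValidateSet('Allowed', 'Required', 'Not allowed')]
        [string] $UpperCaseRule = 'Not allowed',                  # assumed demo default
        [ValidateSet('Allowed', 'Required', 'Not allowed')]
        [string] $LowerCaseRule = 'Not allowed',                  # assumed demo default
        [ValidateSet('Allowed', 'Required', 'Not allowed', 'Not configured')]
        [string] $SpecialCharacterRule = 'Not configured',        # Not configured behaves as Not allowed
        [ValidateSet('Allowed', 'Required', 'Not allowed')]
        [string] $DigitRule = 'Required'                          # assumed demo default
    )
    $failures = [System.Collections.Generic.List[string]]::new()
    if ($Pin.Length -lt $MinimumLength) { $failures.Add("shorter than the minimum of $MinimumLength") }
    if ($Pin.Length -gt $MaximumLength) { $failures.Add("longer than the maximum of $MaximumLength") }

    $chars = $Pin.ToCharArray()
    # For each character class: the rule that governs it and whether the PIN contains it.
    # Characters outside these four classes have no rule in the profile and are ignored here.
    $classes = @(
        @{ Name = 'uppercase letters';  Rule = $UpperCaseRule;        Present = (@($chars | Where-Object { [char]::IsUpper($_) }).Count -gt 0) }
        @{ Name = 'lowercase letters';  Rule = $LowerCaseRule;        Present = (@($chars | Where-Object { [char]::IsLower($_) }).Count -gt 0) }
        @{ Name = 'special characters'; Rule = $SpecialCharacterRule; Present = (@($chars | Where-Object { $HelloSpecialCharacterSet.IndexOf($_) -ge 0 }).Count -gt 0) }
        @{ Name = 'digits';             Rule = $DigitRule;            Present = (@($chars | Where-Object { [char]::IsDigit($_) }).Count -gt 0) }
    )
    foreach ($class in $classes) {
        if ($class.Rule -eq 'Required' -and -not $class.Present) {
            $failures.Add("must contain at least one of: $($class.Name)")
        }
        if (($class.Rule -in @('Not allowed', 'Not configured')) -and $class.Present) {
            $failures.Add("must not contain $($class.Name)")
        }
    }
    [pscustomobject]@{ Pin = $Pin; Compliant = ($failures.Count -eq 0); Failures = $failures.ToArray() }
}

# Digits only, six long: compliant under the assumed defaults.
Test-HelloPinPolicy -Pin '492817'
# Same PIN with an uppercase letter: fails because uppercase letters are Not allowed.
Test-HelloPinPolicy -Pin '4928A7'
# A stricter profile that requires mixed case and a special character, minimum length 8.
Test-HelloPinPolicy -Pin 'xK7!qm2P' -UpperCaseRule Required -LowerCaseRule Required -SpecialCharacterRule Required -MinimumLength 8
```

The third call is the one to repeat with the rules you intend to deploy: if a PIN that the help desk would consider reasonable comes back non-compliant, the profile is stricter than you think, and users will see the corresponding enrollment error.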

Configure permissions
1. As a Domain Administrator or equivalent credentials, sign in to a secure, administrative workstation that has
the following optional feature installed: RSAT: Active Directory Domain Services and Lightweight Directory
Services Tools.
2. Open the Active Directory Users and Computers console.
3. Select the domain, go to the Action Menu, and select Properties .
4. Switch to the Security tab, and select Advanced .

TIP
If you don't see the Security tab, close the properties window. Go to the View menu, and select Advanced
Features .

5. Select Add .
6. Choose Select a principal and enter Key Admins .
7. From the Applies to list, select Descendant User objects .
8. At the bottom of the page, select Clear all .
9. In the Properties section, select Read msDS-KeyCredentialLink .
10. Select OK to save your changes and close all windows.
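The ten steps above grant one access control entry: Key Admins may read the msDS-KeyCredentialLink attribute on descendant user objects. The following PowerShell is an added example, not code from the documentation or from Configuration Manager: it applies the same entry with dsacls from the administrative workstation that has the RSAT Active Directory tools installed, and then reads the domain's ACL back to confirm that the entry exists, which is the check worth running after the GUI steps too. The dsacls argument syntax is used as I know it; the domain and principal are derived from Get-ADDomain rather than assumed.

```powershell
# Added example, not part of the Configuration Manager documentation or product.
Import-Module ActiveDirectory

function Grant-KeyAdminsKeyCredentialLinkRead {
    param(
        [string] $DomainDN  = (Get-ADDomain).DistinguishedName,
        [string] $Principal = "$((Get-ADDomain).NetBIOSName)\Key Admins"
    )
    # /I:S  = inherit to sub-objects only; the trailing ';user' limits the ACE to user
    #         objects, which together match "Applies to: Descendant User objects".
    # RP    = Read Property, scoped to the msDS-KeyCredentialLink attribute only.
    dsacls $DomainDN /I:S /G "${Principal}:RP;msDS-KeyCredentialLink;user"
}

function Test-KeyAdminsKeyCredentialLinkRead {
    # Returns the matching ACE(s) on the domain object, or nothing if the grant is missing.
    param([string] $DomainDN = (Get-ADDomain).DistinguishedName)
    $schema   = (Get-ADRootDSE).schemaNamingContext
    $attrGuid = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID).schemaIDGUID
    (Get-Acl -Path "AD:\$DomainDN").Access | Where-Object {
        $_.IdentityReference -like '*\Key Admins' -and
        $_.ObjectType -eq $attrGuid -and
        $_.ActiveDirectoryRights -match 'ReadProperty' -and
        $_.InheritanceType -eq 'Descendents'
    }
}

Grant-KeyAdminsKeyCredentialLinkRead
Test-KeyAdminsKeyCredentialLinkRead | Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType
```

If Test-KeyAdminsKeyCredentialLinkRead returns nothing after the GUI procedure, the usual causes are that the entry was created on an OU instead of the domain object, or that Applies to was left at the default rather than Descendant User objects.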

Next steps
Certificate profiles
Introduction to certificate profiles in Configuration
Manager
4/20/2020 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Certificate profiles work with Active Directory Certificate Services and the Network Device Enrollment Service
(NDES) role. Create and deploy authentication certificates for managed devices so that users can easily access
organizational resources. For example, you can create and deploy certificate profiles to provide the necessary
certificates for users to connect to VPN and wireless connections.
Certificate profiles can automatically configure user devices for access to organizational resources such as Wi-Fi
networks and VPN servers. Users can access these resources without manually installing certificates or using an
out-of-band process. Certificate profiles help to secure resources because you can use more secure settings that
are supported by your public key infrastructure (PKI). For example, require server authentication for all Wi-Fi and
VPN connections because you've deployed the required certificates on the managed devices.
Certificate profiles provide the following management capabilities:
Certificate enrollment and renewal from a certification authority (CA) for devices that run different OS
types and versions. These certificates can then be used for Wi-Fi and VPN connections.
Deployment of trusted root CA certificates and intermediate CA certificates. These certificates configure a
chain of trust on devices for VPN and Wi-Fi connections when server authentication is required.
Monitor and report about the installed certificates.
Example 1 : All employees need to connect to Wi-Fi hotspots in multiple office locations. To enable easy user
connection, first deploy the certificates needed to connect to Wi-Fi. Then deploy Wi-Fi profiles that reference the
certificate.
Example 2 : You have a PKI in place. You want to move to a more flexible, secure method of deploying certificates.
Users need to access organizational resources from their personal devices without compromising security.
Configure certificate profiles with settings and protocols that are supported for the specific device platform. The
devices can then automatically request these certificates from an internet-facing enrollment server. Then,
configure VPN profiles to use these certificates so that the device can access organizational resources.

Types
There are three types of certificate profiles:
Trusted CA certificate : Deploy a trusted root CA or intermediate CA certificate. These certificates form a
chain of trust when the device must authenticate a server.
Simple Certificate Enrollment Protocol (SCEP) : Request a certificate for a device or user by using the
SCEP protocol. This type requires the Network Device Enrollment Service (NDES) role on a server running
Windows Server 2012 R2 or later.
To create a Simple Certificate Enrollment Protocol (SCEP) certificate profile, first create a Trusted CA
certificate profile.
Personal information exchange (.pfx) : Request a .pfx (also known as PKCS #12) certificate for a device
or user. There are two methods to create PFX certificate profiles:
Import credentials from existing certificates
Define a certificate authority to process requests

NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it.
For more information, see Enable optional features from updates.

You can use Microsoft or Entrust as certificate authorities for Personal information exchange (.pfx)
certificates.

Requirements
To deploy certificate profiles that use SCEP, install the certificate registration point on a site system server. Also
install a policy module for NDES, the Configuration Manager Policy Module, on a server that runs Windows Server
2012 R2 or later. This server requires the Active Directory Certificate Services role. It also requires a working NDES
that's accessible to the devices that require the certificates. If your devices need to enroll for certificates from the
internet, then your NDES server must be accessible from the internet. For example, to safely enable traffic to the
NDES server from the internet, you can use Azure Application Proxy.
PFX certificates also require a certificate registration point. Also specify the certificate authority (CA) for the
certificate and the relevant access credentials. You can specify either Microsoft or Entrust as certificate authorities.
For more information about how NDES supports a policy module so that Configuration Manager can deploy
certificates, see Using a Policy Module with the Network Device Enrollment Service.
Depending on the requirements, Configuration Manager supports deploying certificates to different certificate
stores on various device types and operating systems. The following devices and operating systems are
supported:
Windows 10
Windows 10 Mobile
Windows 8.1
Windows Phone 8.1

NOTE
Use Configuration Manager on-premises MDM to manage Windows Phone 8.1 and Windows 10 Mobile. For more
information, see On-premises MDM.

A typical scenario for Configuration Manager is to install trusted root CA certificates to authenticate Wi-Fi and
VPN servers. Typical connections use the following protocols:
Authentication protocols: EAP-TLS, EAP-TTLS, and PEAP
VPN tunneling protocols: IKEv2, L2TP/IPsec, and Cisco IPsec
An enterprise root CA certificate must be installed on the device before the device can request certificates by using
a SCEP certificate profile.
You can specify settings in a SCEP certificate profile to request customized certificates for different environments
or connectivity requirements. The Create Certificate Profile Wizard has two pages for enrollment parameters.
The first, SCEP Enrollment , includes settings for the enrollment request and where to install the certificate. The
second, Certificate Properties , describes the requested certificate itself.
Deploy
When you deploy a SCEP certificate profile, the Configuration Manager client processes the policy. It then requests
a SCEP challenge password from the management point. The device creates a public/private key pair, and
generates a certificate signing request (CSR). It sends this request to the NDES server. The NDES server forwards
the request to the certificate registration point site system via the NDES policy module. The certificate registration
point validates the request, checks the SCEP challenge password, and verifies that the request wasn't tampered
with. It then approves or denies the request. If approved, the NDES server sends the signing request to the
connected certificate authority (CA) for signing. The CA signs the request, and then it returns the certificate to the
requesting device.
Deploy certificate profiles to user or device collections. You can specify the destination store for each certificate.
Applicability rules determine whether the device can install the certificate.
When you deploy a certificate profile to a user collection, user device affinity determines which of the users'
devices install the certificates. When you deploy a certificate profile with a user certificate to a device collection, by
default each of the users' primary devices install the certificates. To install the certificate on any of the users'
devices, change this behavior on the SCEP Enrollment page of the Create Certificate Profile Wizard . If the
devices are in a workgroup, Configuration Manager doesn't deploy user certificates.

Monitor
You can monitor certificate profile deployments by viewing compliance results or reports. For more information,
see How to monitor certificate profiles.

Automatic revocation
Configuration Manager automatically revokes user and computer certificates that were deployed by using
certificate profiles in the following circumstances:
The device is retired from Configuration Manager management.
The device is blocked from the Configuration Manager hierarchy.
To revoke the certificates, the site server sends a revocation command to the issuing certification authority. The
reason for the revocation is Cease of Operation.

NOTE
To properly revoke a certificate, the computer account for the top-level site in the hierarchy needs the permission to issue
and manage certificates on the CA.
For improved security, you can also restrict certificate managers on the CA. Then give this account permissions only on the
specific certificate template that you use for the SCEP profiles on the site.
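As an added example that is not part of this documentation, the following PowerShell script audits these revocations on the issuing CA. It opens the CA database through the CertificateAuthority.View COM object (ICertView2), restricts the view to revoked rows, and lists the ones revoked with the cessation-of-operation reason (CRL reason code 5, shown as Cease of Operation in the CA console) within a date window. The CA configuration string is an assumed value, and the account that runs it needs Read access on the CA.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Lists certificates the CA has revoked with reason "Cease of Operation"
# (CRL reason code 5). The CA configuration string is an assumed value.
param(
    [string]  $CaConfig = 'ca01.contoso.com\Contoso Issuing CA',   # assumed "<host>\<CA name>"
    [datetime]$Since    = (Get-Date).AddDays(-30)
)

$CESSATION_OF_OPERATION = 5    # RFC 5280 CRL reason; what Configuration Manager sends
$DB_DISP_REVOKED        = 21   # Request.Disposition value for revoked rows
$CVR_SEEK_EQ            = 1    # SetRestriction seek operator: equals
$CVR_SORT_NONE          = 0

$view = New-Object -ComObject CertificateAuthority.View
$view.OpenConnection($CaConfig)

# Filter on the server side so only revoked rows come back.
$dispositionIndex = $view.GetColumnIndex($false, 'Request.Disposition')
$view.SetRestriction($dispositionIndex, $CVR_SEEK_EQ, $CVR_SORT_NONE, $DB_DISP_REVOKED)

# Result columns are returned in the order they are registered here.
$columns = 'RequestID', 'SerialNumber', 'Request.RequesterName',
           'Request.RevokedWhen', 'Request.RevokedReason'
$view.SetResultColumnCount($columns.Count)
foreach ($c in $columns) { $view.SetResultColumn($view.GetColumnIndex($false, $c)) }

$rows    = $view.OpenView()
$matches = @()
while ($rows.Next() -ne -1) {
    $record = @{}
    $i      = 0
    $cols   = $rows.EnumCertViewColumn()
    while ($cols.Next() -ne -1) {
        $record[$columns[$i++]] = $cols.GetValue(1)   # 1 = CV_OUT_BASE64; ignored for non-binary columns
    }
    if ($record['Request.RevokedReason'] -eq $CESSATION_OF_OPERATION -and
        $record['Request.RevokedWhen']   -ge $Since) {
        $matches += [pscustomobject]@{
            RequestID   = $record['RequestID']
            Serial      = $record['SerialNumber']
            Requester   = $record['Request.RequesterName']
            RevokedWhen = $record['Request.RevokedWhen']
        }
    }
}
$matches | Sort-Object RevokedWhen -Descending | Format-Table -AutoSize
```

The Requester column is useful here: certificates enrolled through NDES show the SCEP service account as the requester, so a Cease of Operation revocation for one of those rows tells you a device was retired or blocked, and a revocation requested under some other account was done by hand.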

Next steps
Create certificate profiles
Configure certificate infrastructure
Create certificate profiles
4/20/2020 • 10 minutes to read

Applies to: Configuration Manager (current branch)


Use certificate profiles in Configuration Manager to provision managed devices with the certificates they need to
access company resources. Before creating certificate profiles, set up the certificate infrastructure as described in
Set up certificate infrastructure.

TIP
For co-managed devices, consider moving the Resource access policies workload to Intune. Then use Intune policies to
manage these certificates. For more information, see How to switch workloads.

This article describes how to create trusted root and Simple Certificate Enrollment Protocol (SCEP) certificate
profiles. If you want to create PFX certificate profiles, see Create PFX certificate profiles.
To create a certificate profile:
1. Start the Create Certificate Profile Wizard.
2. Provide general information about the certificate.
3. Configure a trusted certificate authority (CA) certificate.
4. Configure SCEP certificate information.
5. Specify supported platforms for the certificate profile.

Start the wizard


To start the Create Certificate Profile Wizard:
1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand
Compliance Settings, expand Company Resource Access, and then select the Certificate Profiles
node.
2. On the Home tab of the ribbon, in the Create group, select Create Certificate Profile.

General
On the General page of the Create Certificate Profile Wizard, specify the following information:
Name : Enter a unique name for the certificate profile. You can use a maximum of 256 characters.
Description : Provide a description that gives an overview of the certificate profile. Also include other
relevant information that helps to identify it in the Configuration Manager console. You can use a maximum
of 256 characters.
Specify the type of certificate profile that you want to create:
Trusted CA certificate: Select this type to deploy a trusted root certification authority (CA) or
intermediate CA certificate to form a certificate chain of trust when the user or device must
authenticate another device. For example, the device might be a Remote Authentication Dial-In User
Service (RADIUS) server or a virtual private network (VPN) server.
Also configure a trusted CA certificate profile before you can create a SCEP certificate profile. In this
case, the trusted CA certificate must be for the CA that issues the certificate to the user or device.
Simple Certificate Enrollment Protocol (SCEP) settings: Select this type to request a certificate
for a user or device with the Simple Certificate Enrollment Protocol and the Network Device
Enrollment Service (NDES) role service.
Personal Information Exchange PKCS #12 (PFX) settings - Import: Select this option to
import a PFX certificate. For more information, see Import PFX certificate profiles.
Personal Information Exchange PKCS #12 (PFX) settings - Create: Select this option to
process PFX certificates using a certificate authority. For more information, see Create PFX certificate
profiles.

Trusted CA certificate
IMPORTANT
Before you create a SCEP certificate profile, configure at least one trusted CA certificate profile.
After the certificate is deployed, if you change any of these values, a new certificate is requested:
Key Storage Provider
Certificate template name
Certificate type
Subject name format
Subject alternative name
Certificate validity period
Key usage
Key size
Extended key usage
Root CA certificate

1. On the Trusted CA Certificate page of the Create Certificate Profile Wizard, specify the following
information:
Certificate file: Select Import, and then browse to the certificate file.
Destination store: For devices that have more than one certificate store, select where to store the
certificate. For devices that have only one store, this setting is ignored.
2. Use the Certificate thumbprint value to verify that you've imported the correct certificate.

SCEP certificates
1. SCEP Servers
On the SCEP Servers page of the Create Certificate Profile Wizard, specify the URLs for the NDES servers that
will issue certificates via SCEP. You can automatically assign an NDES URL based on the configuration of the
certificate registration point, or add URLs manually.
2. SCEP Enrollment
Complete the SCEP Enrollment page of the Create Certificate Profile Wizard.
Retries: Specify the number of times that the device automatically retries the certificate request to the
NDES server. This setting supports the scenario where a CA manager must approve a certificate request
before it's accepted. This setting is typically used for high-security environments or if you have a standalone
issuing CA rather than an enterprise CA. You might also use this setting for testing purposes so that
you can inspect the certificate request options before the issuing CA processes the certificate request. Use
this setting with the Retry delay (minutes) setting.
Retry delay (minutes): Specify the interval, in minutes, between enrollment attempts when you use
CA manager approval before the issuing CA processes the certificate request. If you use manager approval
for testing purposes, specify a low value so that you're not waiting a long time for the device to retry the
certificate request after you approve it.
If you use manager approval on a production network, specify a higher value. This allows
sufficient time for the CA administrator to approve or deny pending requests.
Renewal threshold (%) : Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Key Storage Provider (KSP) : Specify where the key to the certificate is stored. Choose from one of the
following values:
Install to Trusted Platform Module (TPM) if present: Installs the key to the TPM. If the TPM isn't
present, the key is installed to the software key storage provider.
Install to Trusted Platform Module (TPM) otherwise fail: Installs the key to the TPM. If the TPM
isn't present, the installation fails.
Install to Windows Hello for Business otherwise fail: This option is available for Windows 10
devices. It allows you to store the certificate in the Windows Hello for Business store, which is
protected by multi-factor authentication. For more information, see Windows Hello for Business.

NOTE
This option doesn't support Smart card logon for the Enhanced key usage on the Certificate Properties page.

Install to Software Key Storage Provider : Installs the key to the storage provider for the
software key.
Devices for certificate enrollment: If you deploy the certificate profile to a user collection, allow
certificate enrollment only on the user's primary device, or on any device to which the user signs in.
If you deploy the certificate profile to a device collection, allow certificate enrollment for only the primary
user of the device, or for all users that sign in to the device.
3. Certificate Properties
On the Certificate Properties page of the Create Certificate Profile Wizard, specify the following information:
Certificate template name: Select the name of a certificate template that you configured in NDES and
added to an issuing CA. To successfully browse to certificate templates, your user account needs Read
permission on the certificate template. If you can't browse for the certificate template, type its name.

IMPORTANT
If the certificate template name contains non-ASCII characters, the certificate isn't deployed. (One example of these
characters is from the Chinese alphabet.) To make sure that the certificate is deployed, first create a copy of the
certificate template on the CA. Then rename the copy by using ASCII characters.

If you browse to select the name of the certificate template, some fields on the page automatically
populate from the certificate template. In some cases, you can't change these values unless you
choose a different certificate template.
If you type the name of the certificate template, make sure that the name exactly matches one of the
certificate templates. It must match the names that are listed in the registry of the NDES server. Make
sure that you specify the name of the certificate template, and not the display name of the certificate
template.
To find the names of certificate templates, browse to the following registry key on the NDES server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP. It lists the certificate templates as the
values for EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate. By default,
the value for all three certificate templates is IPSECIntermediateOffline, which maps to the
template display name of IPSec (Offline request).

WARNING
When you type the name of the certificate template, Configuration Manager can't verify the contents of the
certificate template. You may be able to select options that the certificate template doesn't support, which
may result in a failed certificate request. When this happens, you'll see an error message for
w3wp.exe in the CRP.log file that the template name in the certificate signing request (CSR) and the challenge
don't match.
When you type the name of the certificate template that's specified for the GeneralPurposeTemplate
value, select both the Key encipherment and the Digital signature options for this certificate profile. If you
want to enable only the Key encipherment option in this certificate profile, specify the certificate template
name for the EncryptionTemplate value. Similarly, if you want to enable only the Digital signature option
in this certificate profile, specify the certificate template name for the SignatureTemplate value.

Certificate type: Select whether you'll deploy the certificate to a device or a user.
Subject name format : Select how Configuration Manager automatically creates the subject name in the
certificate request. If the certificate is for a user, you can also include the user's email address in the subject
name.

NOTE
If you select IMEI number or Serial number , you can differentiate between different devices that are owned by
the same user. For example, those devices could share a common name, but not an IMEI number or serial number. If
the device doesn't report an IMEI or serial number, the certificate is issued with the common name.

Subject alternative name : Specify how Configuration Manager automatically creates the values for the
subject alternative name (SAN) in the certificate request. For example, if you selected a user certificate type,
you can include the user principal name (UPN) in the subject alternative name. If the client certificate will
authenticate to a Network Policy Server, set the subject alternative name to the UPN.
Certificate validity period: If you set a custom validity period on the issuing CA, specify the amount of
remaining time before the certificate expires.

TIP
Set a custom validity period with the following command line:
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
For more information about this command, see Certificate infrastructure.

You can specify a value that's lower than the validity period in the specified certificate template, but not
higher. For example, if the certificate validity period in the certificate template is two years, you can specify a
value of one year, but not a value of five years. The value must also be lower than the remaining validity
period of the issuing CA's certificate.
Key usage : Specify key usage options for the certificate. Choose from the following options:
Key encipherment : Allow key exchange only when the key is encrypted.
Digital signature : Allow key exchange only when a digital signature helps protect the key.
If you browsed for a certificate template, you can't change these settings, unless you select a different
certificate template.
Configure the selected certificate template with one or both of the two key usage options above. If not,
you'll see the following message in the certificate registration point log file, CRP.log: Key usage in CSR
and challenge do not match
Key size (bits) : Select the size of the key in bits.
Extended key usage : Add values for the certificate's intended purpose. In most cases, the certificate
requires Client Authentication so that the user or device can authenticate to a server. You can add any
other key usages as required.
Hash algorithm : Select one of the available hash algorithm types to use with this certificate. Select the
strongest level of security that the connecting devices support.

NOTE
SHA-2 supports SHA-256, SHA-384, and SHA-512. SHA-3 supports only SHA-3.

Root CA certificate: Choose a root CA certificate profile that you previously configured and deployed to
the user or device. This CA certificate must be the root certificate for the CA that will issue the certificate
that you're configuring in this certificate profile.

IMPORTANT
If you specify a root CA certificate that's not deployed to the user or device, Configuration Manager won't initiate the
certificate request that you're configuring in this certificate profile.
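The template-name rules in the Certificate template name setting above (the exact template name from the MSCEP registry values rather than the display name, ASCII characters only, and the Key usage options that each registry value implies) are easy to get wrong, and the mistake only surfaces later as the CSR/challenge mismatch in CRP.log. The following PowerShell script is an added example, not part of this documentation: run it on the NDES server to read the three MSCEP values, confirm that each one is a template name published on the issuing CA (parsed from certutil -CATemplates output), flag display names and non-ASCII names, and print the Key usage options a profile using that template must select. The CA configuration string is an assumed value.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Run on the NDES server. $CaConfig is an assumed "<host>\<CA name>" string.
param([string]$CaConfig = 'ca01.contoso.com\Contoso Issuing CA')   # assumed value

$mscep = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# The registry value a template is assigned to dictates which Key usage options
# the SCEP profile must select; anything else fails as "CSR and challenge do not match".
$slots = [ordered]@{
    EncryptionTemplate     = 'Key encipherment'
    SignatureTemplate      = 'Digital signature'
    GeneralPurposeTemplate = 'Key encipherment + Digital signature'
}

# certutil -CATemplates prints one line per published template:
#   <TemplateName>: <Template display name> -- <access summary>
$published = @{}
certutil -config $CaConfig -CATemplates 2>$null | ForEach-Object {
    if ($_ -match '^(?<name>\S+):\s+(?<display>.+?)\s+--') {
        $published[$matches.name] = $matches.display
    }
}
if ($published.Count -eq 0) { throw "Could not read published templates from $CaConfig." }

foreach ($slot in $slots.Keys) {
    $name   = $mscep.$slot
    $status = 'OK'
    if (-not $name) {
        $status = "$slot is not set"
    } elseif ($name -match '[^\x00-\x7F]') {
        $status = 'non-ASCII template name: the certificate will not deploy; copy the template under an ASCII name'
    } elseif (-not $published.ContainsKey($name)) {
        # A common mistake is typing the display name; map it back to the real name if we can.
        $realName = $published.Keys | Where-Object { $published[$_] -eq $name } | Select-Object -First 1
        $status   = if ($realName) { "'$name' is a display name; use template name '$realName'" }
                    else           { "'$name' is not published on $CaConfig" }
    }
    [pscustomobject]@{
        RegistryValue = $slot
        TemplateName  = $name
        DisplayName   = if ($name) { $published[$name] } else { $null }
        KeyUsage      = $slots[$slot]
        Status        = $status
    }
}
```

When you type a template name into the wizard, it must equal the TemplateName column printed here, and the profile's Key usage selection must equal the KeyUsage column for the registry value that holds it.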

Supported platforms
On the Supported Platforms page of the Create Certificate Profile Wizard, select the OS versions where you
want to install the certificate profile. Choose Select all to install the certificate profile to all available operating
systems.

Next steps
The new certificate profile appears in the Certificate Profiles node in the Assets and Compliance workspace.
It's ready for you to deploy to users or devices. For more information, see How to deploy profiles.
Configure certificate infrastructure
4/28/2020 • 10 minutes to read

Applies to: Configuration Manager (current branch)


Learn to configure certificate infrastructure in Configuration Manager. Before you start, check for any prerequisites
that are listed in Prerequisites for certificate profiles.
Use these steps to configure your infrastructure for SCEP, or PFX certificates.

Step 1 - Install and Configure the Network Device Enrollment Service and Dependencies (for SCEP certificates only)
You must install and configure the Network Device Enrollment Service role service for Active Directory Certificate
Services (AD CS), change the security permissions on the certificate templates, deploy a public key infrastructure
(PKI) client authentication certificate, and edit the registry to increase the Internet Information Services (IIS) default
URL size limit. If necessary, you must also configure the issuing certification authority (CA) to allow a custom
validity period.

IMPORTANT
Before you configure Configuration Manager to work with the Network Device Enrollment Service, verify the installation and
configuration of the Network Device Enrollment Service. If these dependencies are not working correctly, you will have
difficulty troubleshooting certificate enrollment by using Configuration Manager.

To install and configure the Network Device Enrollment Service and dependencies
1. On a server that is running Windows Server 2012 R2, install and configure the Network Device Enrollment
Service role service for the Active Directory Certificate Services server role. For more information, see
Network Device Enrollment Service Guidance.
2. Check, and if necessary, modify the security permissions for the certificate templates that the Network
Device Enrollment Service is using:
For the account that runs the Configuration Manager console: Read permission.
This permission is required so that when you run the Create Certificate Profile Wizard, you can
browse to select the certificate template that you want to use when you create a SCEP settings
profile. Selecting a certificate template means that some settings in the wizard are automatically
populated, so there is less for you to configure and there is less risk of selecting settings that are not
compatible with the certificate templates that the Network Device Enrollment Service is using.
For the SCEP Service account that the Network Device Enrollment Service application pool uses:
Read and Enroll permissions.
This requirement is not specific to Configuration Manager but is part of configuring the Network
Device Enrollment Service. For more information, see Network Device Enrollment Service Guidance.
TIP
To identify which certificate templates the Network Device Enrollment Service is using, view the following registry key
on the server that is running the Network Device Enrollment Service:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.

NOTE
These are the default security permissions that will be appropriate for most environments. However, you can use an
alternative security configuration. For more information, see Planning for certificate template permissions for
certificate profiles.

3. Deploy to this server a PKI certificate that supports client authentication. You might already have a suitable
certificate installed on the computer that you can use, or you might have to (or prefer to) deploy a
certificate specifically for this purpose. For more information about the requirements for this certificate,
refer to the details for Servers running the Configuration Manager Policy Module with the Network Device
Enrollment Service role service in the PKI Certificates for Servers section in the PKI certificate
requirements for Configuration Manager topic.

TIP
If you need help deploying this certificate, you can use the instructions for Deploying the Client Certificate for
Distribution Points, because the certificate requirements are the same with one exception:
Do not select the Allow private key to be exported check box on the Request Handling tab of the
properties for the certificate template.
You do not have to export this certificate with the private key because you will be able to browse to the local
Computer store and select it when you configure the Configuration Manager Policy Module.

4. Locate the root certificate that the client authentication certificate chains to. Then, export this root CA
certificate to a certificate (.cer) file. Save this file to a secured location that you can securely access when
you later install and configure the site system server for the certificate registration point.
5. On the same server, use the registry editor to increase the IIS default URL size limit by setting the following
DWORD values under the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters:
Set MaxFieldLength to 65534.
Set MaxRequestBytes to 16777216.
For more information, see Microsoft Support article 820129: Http.sys registry settings for Windows.
6. On the same server, in Internet Information Services (IIS) Manager, modify the request-filtering settings for
the /certsrv/mscep application, and then restart the server. In the Edit Request Filtering Settings dialog
box, the Request Limits settings should be as follows:
Maximum allowed content length (Bytes) : 30000000
Maximum URL length (Bytes) : 65534
Maximum quer y string (Bytes) : 65534
For more information about these settings and how to configure them, see IIS Requests Limits.
7. If you want to be able to request a certificate that has a shorter validity period than the certificate template
that you are using: this configuration is disabled by default for an enterprise CA. To enable this option on an
enterprise CA, use the Certutil command-line tool, and then stop and restart the certificate service by using
the following commands:
a. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
b. net stop certsvc
c. net start certsvc
For more information, see Certificate services tools and settings.
8. Verify that the Network Device Enrollment Service is working by using the following link as an example:
https://server.contoso.com/certsrv/mscep/mscep.dll . You should see the built-in Network Device
Enrollment Service webpage. This webpage explains what the service is and explains that network devices
use the URL to submit certificate requests.
Now that the Network Device Enrollment Service and dependencies are configured, you are ready to install
and configure the certificate registration point.
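The dependency steps above can be scripted. The following PowerShell is an added example, not part of this documentation: it locates the client authentication certificate the policy module will use (step 3), exports the root CA it chains to for the certificate registration point (step 4), sets the HTTP.sys and IIS request-filtering limits (steps 5 and 6), enables EDITF_ATTRIBUTEENDDATE on the CA (step 7), and checks the NDES page (step 8). Run it elevated on the NDES server. The NDES FQDN, the CA configuration string, the export path, and the assumption that NDES is installed under the Default Web Site are all assumptions; step 7 uses Invoke-Command, so WinRM must be reachable on the CA host.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Run elevated on the NDES server. $NdesFqdn, $CaConfig and $ExportPath are assumed values.
param(
    [string]$NdesFqdn   = 'ndes01.contoso.com',                  # assumed
    [string]$CaConfig   = 'ca01.contoso.com\Contoso Issuing CA', # assumed "<host>\<CA name>"
    [string]$ExportPath = 'C:\Secure\NDES-RootCA.cer'            # assumed; keep this folder locked down
)
$ErrorActionPreference = 'Stop'
$OID_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'

# Step 3/4: pick the client-authentication certificate with a private key and export the
# root CA it chains to. The certificate registration point uses that root to validate it.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $OID_CLIENT_AUTH) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate with a private key in LocalMachine\My.' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($clientCert)) {
    throw "Chain for $($clientCert.Thumbprint) did not build: $($chain.ChainStatus.StatusInformation)"
}
$rootCert = @($chain.ChainElements)[-1].Certificate     # last element of a built chain is the root
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
Export-Certificate -Cert $rootCert -FilePath $ExportPath -Type CERT | Out-Null
"Client certificate: $($clientCert.Subject) ($($clientCert.Thumbprint))"
"Root CA exported:   $($rootCert.Subject) -> $ExportPath"

# Step 5: HTTP.sys limits (DWORD values). These only apply after a restart.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
New-ItemProperty -Path $httpParams -Name MaxFieldLength  -PropertyType DWord -Value 65534    -Force | Out-Null
New-ItemProperty -Path $httpParams -Name MaxRequestBytes -PropertyType DWord -Value 16777216 -Force | Out-Null

# Step 6: request-filtering limits on the /certsrv/mscep application.
Import-Module WebAdministration
$mscepApp = 'IIS:\Sites\Default Web Site\certsrv\mscep'   # assumed: NDES lives in the default site
$limits   = 'system.webServer/security/requestFiltering/requestLimits'
Set-WebConfigurationProperty -PSPath $mscepApp -Filter $limits -Name maxAllowedContentLength -Value 30000000
Set-WebConfigurationProperty -PSPath $mscepApp -Filter $limits -Name maxUrl                  -Value 65534
Set-WebConfigurationProperty -PSPath $mscepApp -Filter $limits -Name maxQueryString          -Value 65534

# Step 7: let a CSR ask for a shorter validity than the template allows. Runs on the CA host.
$caHost = $CaConfig.Split('\')[0]
Invoke-Command -ComputerName $caHost -ScriptBlock {
    certutil -setreg 'Policy\EditFlags' '+EDITF_ATTRIBUTEENDDATE' | Out-Null
    Restart-Service certsvc
}

# Step 8: NDES must answer with its information page.
Restart-Service W3SVC
$response = Invoke-WebRequest -Uri "https://$NdesFqdn/certsrv/mscep/mscep.dll" -UseBasicParsing -UseDefaultCredentials
if ($response.StatusCode -ne 200 -or $response.Content -notmatch 'Network Device Enrollment Service') {
    throw "NDES did not return its information page (HTTP $($response.StatusCode))."
}
Write-Warning 'Restart this server so the HTTP.sys MaxFieldLength/MaxRequestBytes values take effect.'
```

The exported .cer file is the one you later browse to when you add the NDES URL on the certificate registration point, so keep it with the same care as the client certificate itself: anyone who can swap it could make the registration point trust a different policy module.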

Step 2 - Install and configure the certificate registration point.


You must install and configure at least one certificate registration point in the Configuration Manager hierarchy,
and you can install this site system role in the central administration site or in a primary site.

IMPORTANT
Before you install the certificate registration point, see the Site System Requirements section in the Supported
configurations for Configuration Manager topic for operating system requirements and dependencies for the certificate
registration point.

To install and configure the certificate registration point

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles,
and then select the server that you want to use for the certificate registration point.
3. On the Home tab, in the Server group, click Add Site System Roles.
4. On the General page, specify the general settings for the site system, and then click Next.
5. On the Proxy page, click Next. The certificate registration point does not use Internet proxy settings.
6. On the System Role Selection page, select Certificate registration point from the list of available
roles, and then click Next.
7. On the Certificate Registration Mode page, select whether you want this certificate registration point to
Process SCEP certificate requests or Process PFX certificate requests. A certificate registration
point cannot process both kinds of requests, but you can create multiple certificate registration points if you
are working with both certificate types.
If processing PFX certificates, you'll need to choose a certificate authority, either Microsoft or Entrust.
If processing PFX certificates, you'll need to choose a certificate authority, either Microsoft or Entrust.
8. The Certificate Registration Point Settings page varies according to the certificate type:
If you selected Process SCEP certificate requests, then configure the following:
Website name, HTTPS port number, and Virtual application name for the certificate
registration point. These fields are filled in automatically with default values.
URL for the Network Device Enrollment Service and root CA certificate - Click Add,
then in the Add URL and Root CA Certificate dialog box, specify the following:
URL for the Network Device Enrollment Service: Specify the URL in the following
format: https://<server_FQDN>/certsrv/mscep/mscep.dll. For example, if the FQDN of
your server that is running the Network Device Enrollment Service is server1.contoso.com,
type https://server1.contoso.com/certsrv/mscep/mscep.dll.
Root CA Certificate: Browse to and select the certificate (.cer) file that you created and
saved in Step 1: Install and configure the Network Device Enrollment Service
and dependencies. This root CA certificate allows the certificate registration point to
validate the client authentication certificate that the Configuration Manager Policy Module
will use.
If you selected Process PFX certificate requests, you configure the connection details and
credentials for the selected certificate authority.
To use Microsoft as the certificate authority, click Add, then in the Add a Certificate
Authority and Account dialog box, specify the following:
Certificate Authority Server Name - Enter the name of your certificate authority
server.
Certificate Authority Account - Click Set to select or create the account that has
permissions to enroll in templates on the certification authority.
Certificate Registration Point Connection Account - Select or create the account
that connects the certificate registration point to the Configuration Manager database.
Alternatively, you can use the local computer account of the computer hosting the
certificate registration point.
Active Directory Certificate Publishing Account - Select an account, or create a
new account, that will be used to publish certificates to user objects in Active Directory.
To use Entrust as the certificate authority, specify:
The MDM web service URL
The username and password credentials for the URL.
When using the MDM API to define the Entrust web service URL, be sure to use at least
version 9 of the API, as shown in the following sample:
https://entrust.contoso.com:19443/mdmws/services/AdminServiceV9

Earlier versions of the API do not support Entrust.


9. Click Next and complete the wizard.
10. Wait a few minutes to let the installation finish, and then verify that the certificate registration point was
installed successfully by using any of the following methods:
In the Monitoring workspace, expand System Status , click Component Status , and look for
status messages from the SMS_CERTIFICATE_REGISTRATION_POINT component.
On the site system server, use the <ConfigMgr Installation Path>\Logs\crpsetup.log file and
<ConfigMgr Installation Path>\Logs\crpmsi.log file. A successful installation will return an exit code
of 0.
By using a browser, verify that you can connect to the URL of the certificate registration point. For
example, https://server1.contoso.com/CMCertificateRegistration. You should see a Server Error
page for the application name, with an HTTP 404 description.
11. Locate the exported certificate file for the root CA that the certificate registration point automatically
created in the following folder on the primary site server computer: <ConfigMgr Installation
Path>\inboxes\certmgr.box. Save this file to a secured location that you can securely access when you later
install the Configuration Manager Policy Module on the server that is running the Network Device
Enrollment Service.

TIP
This certificate is not immediately available in this folder. You might need to wait awhile (for example, half an hour)
before Configuration Manager copies the file to this location.
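The following PowerShell is an added example, not part of this documentation, that performs the verification in steps 10 and 11 in one pass: it checks the two setup logs for a zero exit code, confirms that the virtual application answers with the documented HTTP 404, and looks for the exported root CA file in certmgr.box. Run it on the primary site server. The certificate registration point FQDN and the site installation path are assumptions, and the log-line pattern it searches for is a heuristic rather than a documented format, so treat a 'no exit code found' result as 'open the log and read it'.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Verifies a newly installed certificate registration point (CRP). Paths and names are assumed.
param(
    [string]$CrpFqdn    = 'server1.contoso.com',                               # assumed CRP site system
    [string]$VirtualApp = 'CMCertificateRegistration',                         # wizard default
    [string]$SiteRoot   = 'C:\Program Files\Microsoft Configuration Manager',  # assumed install path
    [string]$LogFolder  = 'C:\Program Files\Microsoft Configuration Manager\Logs'  # assumed: CRP on the site server
)
$results = [ordered]@{}

# 1. Setup logs: crpsetup.log and crpmsi.log should both record a 0 exit/status code.
foreach ($log in 'crpsetup.log', 'crpmsi.log') {
    $path = Join-Path $LogFolder $log
    if (-not (Test-Path $path)) { $results[$log] = 'missing'; continue }
    # Heuristic pattern (assumed wording): last line mentioning an exit code or error status.
    $hit = Select-String -Path $path -Pattern '(?:exit code|error status):?\s*(\d+)' | Select-Object -Last 1
    if (-not $hit) { $results[$log] = 'no exit code found; read the log'; continue }
    $code = $hit.Matches[0].Groups[1].Value
    $results[$log] = if ($code -eq '0') { 'OK (0)' } else { "failed ($code)" }
}

# 2. The virtual application answers. A 404 Server Error page is the documented success case.
$url = "https://$CrpFqdn/$VirtualApp"
try {
    $r = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials
    $results['CRP URL'] = "unexpected HTTP $($r.StatusCode) from $url"
} catch {
    $code = [int]$_.Exception.Response.StatusCode     # 0 when no response came back at all
    $results['CRP URL'] = switch ($code) {
        404     { 'OK (HTTP 404 as documented)' }
        0       { "unreachable: $($_.Exception.Message)" }
        default { "HTTP $code from $url" }
    }
}

# 3. The root CA export the CRP drops into certmgr.box; this can take up to about half an hour.
$inbox = Join-Path $SiteRoot 'inboxes\certmgr.box'
$cer   = Get-ChildItem -Path $inbox -Filter *.cer -ErrorAction SilentlyContinue |
         Sort-Object LastWriteTime -Descending | Select-Object -First 1
$results['Root CA export'] = if ($cer) { "$($cer.FullName) ($($cer.LastWriteTime))" }
                             else      { 'not yet present in certmgr.box; wait and re-run' }

[pscustomobject]$results | Format-List
```

If the URL check reports a TLS trust error rather than a 404, fix the site system's server certificate before continuing: the policy module on the NDES server validates the same certificate when it connects.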

Step 3 - Install the Configuration Manager Policy Module (for SCEP certificates only)
You must install and configure the Configuration Manager Policy Module on each server that you specified in Step
2: Install and configure the certificate registration point as URL for the Network Device Enrollment
Service in the properties for the certificate registration point.
To install the Policy Module

1. On the server that runs the Network Device Enrollment Service, log on as a domain administrator and copy
the following files from the <ConfigMgrInstallationMedia>\SMSSETUP\POLICYMODULE\X64 folder on the
Configuration Manager installation media to a temporary folder:
PolicyModule.msi
PolicyModuleSetup.exe
In addition, if you have a LanguagePack folder on the installation media, copy this folder and its contents.
2. From the temporary folder, run PolicyModuleSetup.exe to start the Configuration Manager Policy Module
Setup wizard.
3. On the initial page of the wizard, click Next , accept the license terms, and then click Next .
4. On the Installation Folder page, accept the default installation folder for the policy module or specify an
alternative folder, and then click Next .
5. On the Certificate Registration Point page, specify the URL of the certificate registration point by using
the FQDN of the site system server and the virtual application name that is specified in the properties for
the certificate registration point. The default virtual application name is CMCertificateRegistration. For
example, if the site system server has an FQDN of server1.contoso.com and you used the default virtual
application name, specify https://server1.contoso.com/CMCertificateRegistration.
6. Accept the default port of 443 or specify the alternative port number that the certificate registration point
is using, and then click Next.
7. On the Client Certificate for the Policy Module page, browse to and specify the client authentication
certificate that you deployed in Step 1: Install and configure the Network Device Enrollment
Service and dependencies, and then click Next.
8. On the Certificate Registration Point Certificate page, click Browse to select the exported certificate
file for the root CA that you located and saved at the end of Step 2: Install and configure the
certificate registration point.
NOTE
If you did not previously save this certificate file, it is located in the <ConfigMgr Installation
Path>\inboxes\certmgr.box on the site server computer.

9. Click Next and complete the wizard.


If you want to uninstall the Configuration Manager Policy Module, use Programs and Features in Control
Panel.
Now that you have completed the configuration steps, you are ready to deploy certificates to users and devices by
creating and deploying certificate profiles. For more information about how to create certificate profiles, see How
to create certificate profiles.
Create Wi-Fi profiles
4/20/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Use Wi-Fi profiles in Configuration Manager to deploy wireless network settings to users in your organization. By
deploying these settings, you make it easier for your users to connect to Wi-Fi.
For example, you have a Wi-Fi network that you want to enable all Windows laptops to connect to. Create a Wi-Fi
profile containing the settings necessary to connect to the wireless network. Then, deploy the profile to all users
that have Windows laptops in your hierarchy. Users of these devices see your network in the list of wireless
networks and can readily connect to this network.
You can configure Wi-Fi profiles for the following OS versions:
Windows 8.1 32-bit or 64-bit
Windows RT 8.1
Windows 10 or Windows 10 Mobile
You can also use Configuration Manager to deploy wireless network settings to mobile devices using on-premises
mobile device management (MDM). For more general information, see What is on-premises MDM.
When you create a Wi-Fi profile, you can include a wide range of security settings. These settings include
certificates for server validation and client authentication that have been pushed using Configuration Manager
certificate profiles. For more information about certificate profiles, see Certificate profiles.

Create a Wi-Fi profile


1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Compliance
Settings , expand Company Resource Access , and select the Wi-Fi Profiles node.
2. On the Home tab, in the Create group, choose Create Wi-Fi Profile .
3. On the General page of the Create Wi-Fi Profile Wizard, specify the following information:
Name : Enter a unique name to identify the profile in the console.
Description : Optionally add a description to provide further information for the Wi-Fi profile.
Import an existing Wi-Fi profile item from a file: Select this option to use the settings from
another Wi-Fi profile. When you select this option, the remaining pages of the wizard simplify to two
pages: Import Wi-Fi Profile and Supported Platforms.

IMPORTANT
Make sure that the Wi-Fi profile you import contains valid XML for a Wi-Fi profile. When you import the file,
Configuration Manager doesn't validate the profile.

Noncompliance severity for reports: Choose one of the following severity levels that the device
reports if it evaluates the Wi-Fi profile to be noncompliant. For example, if the installation of the
profile fails, it's noncompliant.
None: Computers that fail this compliance rule don't report a failure severity for
Configuration Manager reports.
Information
Warning
Critical
Critical with event: Computers that fail this compliance rule report a failure severity of
Critical for Configuration Manager reports. Devices also log the noncompliant state as a
Windows event in the application event log.
4. On the Wi-Fi Profile page of the wizard, specify the following information:
Network name: Provide the name that devices will display as the network name.

IMPORTANT
Configuration Manager doesn't support using the apostrophe ( ' ) or comma ( , ) characters in the network
name.

SSID: Specify the case-sensitive ID of the wireless network.


Connect automatically when this network is in range
Look for other wireless network while connected to this network
Connect when the network is not broadcasting its name (SSID)
5. On the Security Configuration page, specify the following information:

IMPORTANT
If you're creating a Wi-Fi profile for on-premises MDM, the current branch of Configuration Manager only supports
the following Wi-Fi security configurations:
Security types: WPA2 Enterprise or WPA2 Personal
Encryption types: AES or TKIP
EAP types: Smart Card or other certificate or PEAP

Security type: Select the security protocol that the wireless network uses, or select No
authentication (Open) if the network is unsecured.
Encryption: If the security type supports it, set the encryption method for the wireless network.
EAP type: Select the authentication protocol for the selected encryption method.

NOTE
For Windows Phone devices only: the EAP types LEAP and EAP-FAST aren't supported.

Select Configure to specify properties for the selected EAP type. This option isn't available for some
selected EAP types.

IMPORTANT
The EAP type configuration window is from Windows. Make sure that you run the Configuration Manager
console on a computer that supports the selected EAP type.

Remember the user credentials at each logon: Select this option to store user credentials so
users don't have to enter wireless network credentials each time they sign in to Windows.
6. On the Advanced Settings page of the wizard, specify additional settings for the Wi-Fi profile. Advanced
settings might not be available, or might vary, depending on the options that you select on the Security
Configuration page of the wizard. For example, authentication mode, or single sign-on options.
7. On the Proxy Settings page, if your wireless network uses a proxy server, select the option to Configure
proxy settings for this Wi-Fi profile. Then provide the configuration information for the proxy.
8. On the Supported Platforms page, select the OS versions where this Wi-Fi profile is applicable.
9. Complete the wizard.
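Because Configuration Manager doesn't validate an imported Wi-Fi profile XML, a pre-import check is worth having. The script below is an added example, not part of this documentation or of Configuration Manager: it checks a Windows WLAN profile for the points the wizard describes (network name characters, SSID, and the security configurations supported for on-premises MDM). It assumes the file follows the Windows WLAN profile schema (the netsh wlan export format); the mapping of WLAN authentication values to security types and the sample profile are constructed for the example.

```python
"""Pre-import checks for a Windows WLAN profile XML before it's loaded into a
Configuration Manager Wi-Fi profile (added example, not Configuration Manager code).

Configuration Manager doesn't validate an imported profile, so these checks catch
what the wizard would silently accept: a wrong root element, a network name with an
apostrophe or comma, a missing SSID, and (for on-premises MDM) a security
configuration outside WPA2 Enterprise/Personal with AES or TKIP.
Assumed: the file follows the Windows WLAN profile schema (the format produced by
`netsh wlan export profile`); the WLAN-to-security-type mapping and the sample
profile are constructed for this example.
"""
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
NS = {"w": WLAN_NS}

# WLAN profile <authentication> values mapped to the security types supported for
# on-premises MDM (assumed mapping).
ONPREM_MDM_AUTH = {"WPA2": "WPA2 Enterprise", "WPA2PSK": "WPA2 Personal"}
ONPREM_MDM_ENCRYPTION = {"AES", "TKIP"}
# Characters Configuration Manager doesn't support in the network name.
FORBIDDEN_NAME_CHARS = ("'", ",")


def _text(root, path):
    """Stripped text of the first element at path, or None if absent or empty."""
    el = root.find(path, NS)
    if el is None or el.text is None:
        return None
    return el.text.strip() or None


def check_wlan_profile(xml_text, for_onprem_mdm=False):
    """Return a list of findings; an empty list means the profile passed every check."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{WLAN_NS}}}WLANProfile":
        return [f"root element is {root.tag!r}, expected WLANProfile in the WLAN namespace"]

    findings = []
    name = _text(root, "w:name")
    if name is None:
        findings.append("profile <name> is missing or empty")
    else:
        bad = [c for c in FORBIDDEN_NAME_CHARS if c in name]
        if bad:
            findings.append(f"network name {name!r} contains unsupported character(s): {bad}")

    if _text(root, "w:SSIDConfig/w:SSID/w:name") is None:
        findings.append("SSIDConfig/SSID/name is missing or empty")

    auth = _text(root, "w:MSM/w:security/w:authEncryption/w:authentication")
    enc = _text(root, "w:MSM/w:security/w:authEncryption/w:encryption")
    if auth is None or enc is None:
        findings.append("MSM/security/authEncryption must specify authentication and encryption")
    elif for_onprem_mdm:
        if auth not in ONPREM_MDM_AUTH:
            findings.append(f"authentication {auth!r} isn't WPA2 Enterprise or WPA2 Personal")
        if enc not in ONPREM_MDM_ENCRYPTION:
            findings.append(f"encryption {enc!r} isn't AES or TKIP")
    return findings


# Constructed sample: a WPA2 Enterprise profile whose display name contains a comma,
# which Configuration Manager doesn't support in a network name.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp Wi-Fi, Building A</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
  </security></MSM>
</WLANProfile>
"""

if __name__ == "__main__":
    for finding in check_wlan_profile(SAMPLE_PROFILE, for_onprem_mdm=True) or ["no findings"]:
        print(finding)
```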

Next step
How to deploy Wi-Fi profiles
VPN profiles in Configuration Manager
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


To deploy VPN settings to users in your organization, use VPN profiles in Configuration Manager. By deploying
these settings, you minimize the end-user effort required to connect to resources on the company network.
For example, you want to configure all Windows 10 devices with the settings required to connect to a file share on
the internal network. Create a VPN profile with the settings necessary to connect to the internal network. Then
deploy this profile to all users that have devices running Windows 10. These users see the VPN connection in the
list of available networks and can connect with little effort.
When you create a VPN profile, you can include a wide range of security settings. These settings include certificates
for server validation and client authentication that you provision with Configuration Manager certificate profiles.
For more information, see Certificate profiles.

NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more
information, see Enable optional features from updates.

Supported platforms
The following table describes the VPN profiles you can configure for various device platforms.

Connection type               | Windows 8.1 | Windows RT | Windows RT 8.1 | Windows 10
Pulse Secure                  | Yes         | No         | Yes            | Yes
F5 Edge Client                | Yes         | No         | Yes            | Yes
Dell SonicWALL Mobile Connect | Yes         | No         | Yes            | Yes
Check Point Mobile VPN        | Yes         | No         | Yes            | Yes
Microsoft SSL (SSTP)          | Yes         | Yes        | Yes            | No
Microsoft Automatic           | Yes         | Yes        | Yes            | No
IKEv2                         | Yes         | Yes        | Yes            | No
PPTP                          | Yes         | Yes        | Yes            | No
L2TP                          | Yes         | Yes        | Yes            | No


Next step
How to create VPN profiles

See also
Prerequisites for VPN profiles
Security and privacy for VPN profiles
How to create VPN profiles in Configuration
Manager
4/20/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager supports multiple VPN connection types. For more information on the connection types
available for the different device platforms, see VPN profiles.
For third-party VPN connections, distribute the VPN app before you deploy the VPN profile. If you don't deploy the
app, users will be prompted to do so when they try to connect to the VPN. For more information, see Deploy
applications.

Create a VPN profile


1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Compliance
Settings, expand Company Resource Access, and select the VPN Profiles node.
2. On the Home tab of the ribbon, in the Create group, choose Create VPN Profile.
3. On the General page of the Create VPN Profile Wizard, specify the following information:
Name: Enter a unique name to identify the VPN profile in the console.

NOTE
Don't use the following characters in the VPN profile name: \/:*?<>|; . The Windows VPN profile doesn't
support these special characters.

Description: Optionally enter a description to provide further information about the VPN profile.
VPN profile type: Select the appropriate platform.
If you select the Windows 8.1 platform, you can also Import from file. This action imports VPN
profile information from an XML file. If you select this option, the rest of the wizard simplifies to the
following pages: Supported Platforms and Import VPN Profile.
4. On the Supported Platforms page, select the OS versions that this VPN profile supports.
5. On the Connection page, specify the following information:
Connection type: Choose the VPN connection type. For more information on the supported types,
see VPN profiles.
Server list: Add a new server to use for the VPN connection. Depending on the connection type, you
can add one or more VPN servers and specify which server is the default.
Bypass VPN when connected to company network: Configure clients to not use the VPN when
they're on your internal network. If necessary, specify a connection-specific DNS name.
6. On the Authentication Method page of the wizard, choose a method that's supported by the connection
type. The settings and available options on this page vary depending on the selected connection type. For
more information, see Authentication method reference.
7. On the Proxy Settings page, if your VPN uses a proxy server, select one of the options as appropriate for
your environment. Then provide the configuration information for the proxy.
8. The Applications page only applies to Windows 10 profiles. Add desktop and universal apps that
automatically connect to this VPN. The type of app determines the app identifier:
For a desktop app, provide the file path of the app.
For a universal app, provide the package family name (PFN). To learn how to find the PFN for an app,
see Find a package family name for per-app VPN.
You can also configure an option so that Only the listed apps can use this VPN.

IMPORTANT
Secure all lists of associated apps that you compile for configuring a per-app VPN. If an unauthorized user changes
your list, and you import it to the per-app VPN app list, you potentially authorize VPN access to apps that shouldn't
have access.

9. The Boundaries page only applies to Windows 10 profiles to configure VPN boundaries. You can add the
following options:
Network traffic rules: Set the protocols, local port, remote port, and address ranges to enable for
the VPN connection.

NOTE
If you don't create a network traffic rule, all protocols, ports, and address ranges are enabled. After you create
a rule, only the protocols, ports, and address ranges that you specify in that rule or in additional rules are
used by the VPN connection.

DNS names and servers: DNS servers that are used by the VPN connection after the device
establishes the connection.
Routes: Network routes that use the VPN connection. Creation of more than 60 routes may cause
the policy to fail.
10. Complete the wizard.
The new VPN profile is displayed in the VPN Profiles node in the Assets and Compliance workspace.

Authentication method reference


Available VPN authentication methods depend on the connection type:
Certificates
If the client certificate authenticates to a RADIUS server, like a Network Policy Server, set the Subject Alternative
Name in the certificate to the User Principal Name.
Supported connection types:
Pulse Secure
F5 Edge Client
Dell SonicWALL Mobile Connect
Check Point Mobile VPN
Username and Password
Supported connection types:
Pulse Secure
F5 Edge Client
Dell SonicWALL Mobile Connect
Check Point Mobile VPN
Microsoft EAP-TTLS
Supported connection types:
Microsoft SSL (SSTP)
Microsoft Automatic
PPTP
IKEv2
L2TP
Microsoft protected EAP (PEAP)
Supported connection types:
Microsoft SSL (SSTP)
Microsoft Automatic
IKEv2
PPTP
L2TP
Microsoft secured password (EAP-MSCHAP v2)
Supported connection types:
Microsoft SSL (SSTP)
Microsoft Automatic
IKEv2
PPTP
L2TP
Smart Card or other certificate
Supported connection types:
Microsoft SSL (SSTP)
Microsoft Automatic
IKEv2
PPTP
L2TP
MSCHAP v2
Supported connection types:
Microsoft SSL (SSTP)
Microsoft Automatic
IKEv2
PPTP
L2TP
Use machine certificates
Supported connection types:
IKEv2
Additional authentication options
When the Windows client version supports it, the option to Configure the authentication method is available. This
option opens the Windows properties window to configure the authentication method.
Depending on the selected options, you might be asked to specify more information, for example:
Remember the user credentials at each logon: User credentials are remembered so that users don't
have to enter them each time they connect.
Select a client certificate for client authentication: Select a previously created client SCEP certificate
profile to authenticate the VPN connection. For more information, see Create PFX certificate profiles.

Next steps
For third-party VPN connections, distribute the VPN app before you deploy the VPN profile. If you don't
deploy the app, users will be prompted to do so when they try to connect to the VPN. For more information,
see Deploy applications.
Deploy the VPN profile. For more information, see How to deploy profiles.
Find a package family name (PFN) for per-app VPN
5/8/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


There are two ways to find a PFN so that you can configure a per-app VPN.

Find a PFN for an app that's installed on a Windows 10 computer


If the app you are working with is already installed on a Windows 10 computer, you can use the Get-AppxPackage
PowerShell cmdlet to get the PFN.
The syntax for Get-AppxPackage is:

Get-AppxPackage [[-Name] <String>] [[-Publisher] <String>] [-AllUsers] [-User <String>] [<CommonParameters>]

NOTE
You may have to run PowerShell as an admin in order to retrieve the PFN.

For example, to get info on all the universal apps installed on the computer, use Get-AppxPackage.
To get info on an app you know the name of, or part of the name of, use Get-AppxPackage *<app_name>. Note the use
of the wildcard character, which is particularly helpful if you're not sure of the full name of the app. For example, to get
the info for OneNote, use Get-AppxPackage *OneNote.
Here is the information retrieved for OneNote:

Name              : Microsoft.Office.OneNote
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : X64
ResourceId        :
Version           : 17.6769.57631.0
PackageFullName   : Microsoft.Office.OneNote_17.6769.57631.0_x64__8wekyb3d8bbwe
InstallLocation   : C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.6769.57631.0_x64__8wekyb3d8bbwe
IsFramework       : False
PackageFamilyName : Microsoft.Office.OneNote_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe


Find a PFN if the app is not installed on a computer


1. Go to https://www.microsoft.com/store/apps
2. Enter the name of the app in the search bar. In our example, search for OneNote.
3. Click the link to the app. Note that the URL that you access has a series of letters at the end. In our example, the
URL looks like this: https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl
4. In a different tab, paste the following URL,
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/<app id>/applockerdata, replacing <app id>
with the app id you obtained from https://www.microsoft.com/store/apps, that is, the series of letters at the end of
the URL in step 3. In our OneNote example, you'd paste:
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata

In Edge, the information you want is displayed; in Internet Explorer, click Open to see the information. The PFN
value is given on the first line. Here's how the results look for our example:

{
  "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
  "packageIdentityName": "Microsoft.Office.OneNote",
  "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
  "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}

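The earlier warning about securing the per-app VPN app list, and the PFN lookup just described, as one added example (not Configuration Manager code): the script verifies an app list against the digest recorded when it was approved, checks that every universal-app entry is a well-formed package family name (identity name, underscore, 13-character publisher ID, the shape of Microsoft.Office.OneNote_8wekyb3d8bbwe) and that every desktop-app entry is an absolute path under an allowed program directory, and extracts the PFN from an applockerdata response. The list format (pfn= and desktop= lines), the allowed directories, the sample list and the sample JSON are assumptions constructed for the example.

```python
"""Validate a per-app VPN app list before importing it into a VPN profile
(added example, not Configuration Manager code).

An app list edited by an unauthorized user can grant VPN access to apps that
shouldn't have it, so the list is checked against the SHA-256 digest recorded
when it was approved, and every entry is checked for shape before import.
Assumed/constructed for this example: the list format ("pfn=<PFN>" and
"desktop=<path>" lines), the allowed program directories, the sample list and
the sample applockerdata JSON.
"""
import hashlib
import json
import re
from pathlib import PureWindowsPath

# Package family name: identity name, "_", then the 13-character publisher ID
# (the shape of Microsoft.Office.OneNote_8wekyb3d8bbwe on this page).
PFN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*_[a-z0-9]{13}$")

# Constructed: directories from which desktop apps may be listed.
ALLOWED_DESKTOP_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")


def sha256_hex(text):
    """SHA-256 of the list text exactly as it was approved (UTF-8 bytes)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def pfn_from_applockerdata(payload):
    """Return the packageFamilyName from a Store applockerdata JSON document."""
    pfn = json.loads(payload).get("packageFamilyName")
    if not isinstance(pfn, str) or not PFN_RE.match(pfn):
        raise ValueError(f"applockerdata has no valid packageFamilyName: {pfn!r}")
    return pfn


def is_allowed_desktop_path(path):
    """True if path is absolute, has no '..' segment and is under an allowed directory."""
    p = PureWindowsPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return any(PureWindowsPath(d) in p.parents for d in ALLOWED_DESKTOP_DIRS)


def validate_app_list(app_list_text, approved_sha256):
    """Return (ok, findings); ok is True only when the digest and every entry pass."""
    digest = sha256_hex(app_list_text)
    if digest != approved_sha256.lower():
        # A list that doesn't match its approved digest is rejected before any parsing.
        return False, [f"digest mismatch: list is {digest}, approved is {approved_sha256}"]
    findings = []
    for lineno, raw in enumerate(app_list_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition("=")
        kind, value = kind.strip().lower(), value.strip()
        if kind == "pfn":
            if not PFN_RE.match(value):
                findings.append(f"line {lineno}: {value!r} isn't a well-formed package family name")
        elif kind == "desktop":
            if not is_allowed_desktop_path(value):
                findings.append(f"line {lineno}: {value!r} isn't under an allowed program directory")
        else:
            findings.append(f"line {lineno}: unknown entry type {kind!r}")
    return not findings, findings


# Constructed: the applockerdata response shape shown on this page.
SAMPLE_APPLOCKERDATA = json.dumps({
    "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
    "packageIdentityName": "Microsoft.Office.OneNote",
})

# Constructed app list: a good PFN, a malformed PFN (publisher ID too short),
# a desktop app in an allowed directory, and one in a user-writable location.
SAMPLE_APP_LIST = """# per-app VPN app list (constructed)
pfn=Microsoft.Office.OneNote_8wekyb3d8bbwe
pfn=Contoso.Payroll_abc123
desktop=C:\\Program Files\\Contoso\\LineOfBusiness.exe
desktop=C:\\Users\\Public\\Downloads\\helper.exe
"""
# The digest an approver would have recorded for the list above. It's computed
# here so the example runs offline; in practice it comes from the approval record.
APPROVED_SHA256 = sha256_hex(SAMPLE_APP_LIST)

if __name__ == "__main__":
    print("PFN from applockerdata:", pfn_from_applockerdata(SAMPLE_APPLOCKERDATA))
    ok, findings = validate_app_list(SAMPLE_APP_LIST, APPROVED_SHA256)
    print("list accepted" if ok else "list rejected")
    for finding in findings:
        print(" ", finding)
```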
Deploy resource access profiles in Configuration
Manager
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


After you create one of the following resource access profiles, deploy it to one or more collections:
Wi-Fi
VPN
Certificate
When you deploy these profiles, you specify the target collection, and specify how often the client evaluates the
profile for compliance.

Deploy a profile
1. In the Configuration Manager console, go to the Assets and Compliance workspace. Expand
Compliance Settings, expand Company Resource Access, and then choose the appropriate profile
node. For example, Wi-Fi Profiles.
2. In the list of profiles, select the profile that you want to deploy. Then in the Home tab of the ribbon, in the
Deployment group, select Deploy.
3. In the deploy profile window, specify the following information:
Collection: Select the collection where you want to deploy the profile.
Generate an alert: Enable this option to configure an alert. The site generates this alert if the
profile compliance is less than the specified percentage by the specified date and time. You can also
select whether you want an alert to be sent to System Center Operations Manager.
Random delay (hours): For certificate profiles that contain Simple Certificate Enrollment Protocol
(SCEP) settings, specify a delay window to avoid excessive processing on the Network Device
Enrollment Service (NDES). The default value is 64 hours.
Specify the compliance evaluation schedule for this...profile: Specify how often the client
evaluates compliance for this profile. Select a Simple schedule or configure a Custom schedule.
By default, the simple schedule is every 12 hours.
4. Select OK to close the window and create the deployment.

Delete a deployment
If you want to delete a deployment, select it from the list. In the details pane, switch to the Deployments tab.
Select the deployment, and then in the Deployment tab of the ribbon, select Delete.

IMPORTANT
When you remove a VPN profile deployment, Configuration Manager doesn't remove the VPN profile from Windows. If you
want to remove the profile from devices, manually remove it.

Next steps
Monitor Wi-Fi and VPN profiles
Monitor certificate profiles
What happened to hybrid MDM?
4/20/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)

WARNING
Microsoft retired the hybrid MDM service offering as of September 1, 2019. Any remaining hybrid MDM devices won't
receive policy, apps, or security updates.

Remove hybrid MDM


If your Configuration Manager site had a Microsoft Intune Subscription, you need to remove it.
1. In the Configuration Manager console, go to the Administration workspace. Expand Cloud Services, and
select the Microsoft Intune Subscription node. Delete your existing Intune Subscription.
2. In the Remove Microsoft Intune Subscription Wizard, select the option to Remove Microsoft Intune
Subscription from Configuration Manager, and then click Next.
3. Complete the wizard.

Deprecation announcement
The following note is the original deprecation announcement:
NOTE
As of August 14, 2018, hybrid mobile device management is a deprecated feature. Starting with the 1902 Intune service
release, expected at the end of February 2019, new customers can't create a new hybrid connection.
Since launching on Azure over a year ago, Intune has added hundreds of new customer-requested and market-leading
service capabilities. It now offers far more capabilities than those offered through hybrid mobile device management (MDM).
Intune on Azure provides a more integrated, streamlined administrative experience for your enterprise mobility needs.
As a result, most customers choose Intune on Azure over hybrid MDM. The number of customers using hybrid MDM
continues to decrease as more customers move to the cloud. Therefore, on September 1, 2019, Microsoft will retire the
hybrid MDM service offering.
This change doesn't affect on-premises Configuration Manager or co-management for Windows 10 devices. If you're unsure
whether you're using hybrid MDM, go to the Administration workspace of the Configuration Manager console, expand
Cloud Services, and select Microsoft Intune Subscriptions. If you have a Microsoft Intune subscription set up, your
tenant is configured for hybrid MDM.
How does this affect me?
Microsoft will support your hybrid MDM usage for the next year. The feature will continue to receive major bug fixes.
Microsoft will support existing functionality on new OS versions, such as enrollment on iOS 12. There will be no new
features for hybrid MDM.
If you migrate to Intune on Azure before the end of the hybrid MDM offering, there should be no end user impact.
On September 1, 2019, any remaining hybrid MDM devices will no longer receive policy, apps, or security updates.
Licensing remains the same. Intune on Azure licenses are included with hybrid MDM.
The on-premises MDM feature in Configuration Manager isn't deprecated. Starting in Configuration Manager version
1810, you can use on-premises MDM without an Intune connection. For more information, see An Intune connection
is no longer required for new on-premises MDM deployments.
The on-premises conditional access feature of Configuration Manager is also deprecated with hybrid MDM. If you use
conditional access on devices managed with the Configuration Manager client, make sure they are protected before
you migrate.
1. Set up conditional access policies in Azure
2. Set up compliance policies in Intune portal
3. Finish hybrid migration, and set the MDM authority to Intune
4. Enable co-management
5. Move the compliance policies co-management workload to Intune
For more information, see Conditional access with co-management.
What do I need to do to prepare for this change?
Start planning your migration for MDM from the ConfigMgr console to Azure. Many customers, including Microsoft
IT, have gone through this process. For more information, see this Microsoft case study.
Contact your partner of record or FastTrack for assistance. FastTrack for Microsoft 365 can assist in your migration
from hybrid MDM to Intune on Azure.
For more information, see the Intune support blog post.

Next steps
For more information on supported features for managing MDM devices, see the following articles:
What is Microsoft Intune?
What is on-premises MDM?
Device management with Exchange
Monitor Email, Wi-Fi and VPN profiles in
Configuration Manager
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


After you have deployed Configuration Manager Email, Wi-Fi or VPN profiles to users in your hierarchy, you can
use the following procedures to monitor the compliance status of the profile:
How to View Compliance Results in the Configuration Manager Console
How to View Compliance Results by Using Reports

How to View Compliance Results in the Configuration Manager Console


Use this procedure to view details about the compliance of deployed profiles in the Configuration Manager
console.
To view compliance results in the Configuration Manager console
1. In the Configuration Manager console, click Monitoring .
2. In the Monitoring workspace, click Deployments .
3. In the Deployments list, select the profile deployment for which you want to review compliance
information.
4. You can review summary information about the compliance of the profile deployment on the main page. To
view more detailed information, select the profile deployment, and then, on the Home tab, in the
Deployment group, click View Status to open the Deployment Status page.
The Deployment Status page contains the following tabs:
Compliant: Displays the compliance of the profile that is based on the number of affected assets.
You can double-click a rule to create a temporary node under the Users node in the Assets and
Compliance workspace, which contains all users that are compliant with this profile. The Asset
Details pane displays the users that are compliant with the profile. Double-click a user in the list to
display additional information.

IMPORTANT
A profile is not evaluated if it is not applicable on a client device; however, it is returned as compliant.

Error: Displays a list of all errors for the selected profile deployment that is based on the number of
affected assets. You can double-click a rule to create a temporary node under the Users node of the
Assets and Compliance workspace, which contains all users that generated errors with this profile.
When you select a user, the Asset Details pane displays the users that are affected by the selected
issue. Double-click a user in the list to display additional information about the issue.
Non-Compliant: Displays a list of all noncompliant rules within the profile that is based on the
number of affected assets. You can double-click a rule to create a temporary node under the Users
node of the Assets and Compliance workspace, which contains all users that are not compliant
with this profile. When you select a user, the Asset Details pane displays the users that are affected
by the selected issue. Double-click a user in the list to display further information about the issue.
Unknown: Displays a list of all users that did not report compliance for the selected profile
deployment together with the current client status of the devices.
5. On the Deployment Status page, you can review detailed information about the compliance of the
deployed profile. A temporary node is created under the Deployments node that helps you find this
information again quickly.

How to View Compliance Results by Using Reports


Compliance settings, which include profiles in Configuration Manager, also include a number of built-in reports
that let you monitor information about profiles. These reports have the report category of Compliance and
Settings Management.

IMPORTANT
You must use a wildcard (%) character when you use the parameters Device filter and User filter in the compliance
settings reports.

For more information about how to configure reporting in Configuration Manager, see Introduction to reporting.
How to monitor certificate profiles in Configuration
Manager
4/20/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)

View Compliance Results in the Configuration Manager Console


To monitor SCEP certificate compliance, don't use the console; use reports instead.
1. In the Configuration Manager console, choose Monitoring > Deployments.
2. Select the certificate profile deployment of interest.
3. Review summary certificate compliance information on the main page. For more detailed information,
select the certificate profile, and then on the Home tab, in the Deployment group, choose View Status to
open the Deployment Status page.
The Deployment Status page contains the following tabs:
Compliant: Displays the compliance of the certificate profile based on the number of assets that are
affected. You can double-click a rule to create a temporary node under the Users node in the Assets
and Compliance workspace. This node contains all users that are compliant with the certificate
profile. The Asset Details pane also displays the users that are compliant with this profile. Double-
click a user in the list for more information.

IMPORTANT
A certificate profile is not evaluated if it is not applicable on a client device. However, it is returned as
compliant.

Error: Displays a list of all errors for the selected certificate profile deployment based on the number
of assets that are affected. You can double-click a rule to create a temporary node under the Users
node of the Assets and Compliance workspace. This node contains all users that generated errors
with this profile. When you select a user, the Asset Details pane displays the users that are affected
by the selected issue. Double-click a user in the list for more information.
Non-Compliant: Displays a list of all noncompliant rules within the certificate profile based on the
number of assets that are affected. You can double-click a rule to create a temporary node under the
Users node of the Assets and Compliance workspace. This node contains all users that are not
compliant with this profile. When you select a user, the Asset Details pane displays the users that
are affected by the selected issue. Double-click a user in the list to display further information about
the issue.
Unknown: Displays a list of all users that did not report compliance for the selected certificate
profile deployment together with the current client status of the devices.
4. On the Deployment Status page, review detailed information about the compliance of the deployed
certificate profile. A temporary node is created under the Deployments node that helps you find this
information again quickly.
The enrollment status of the certificate is displayed as a number. Use the following table to understand what
each number means:

Enrollment status | Description
0x00000001        | The enrollment succeeded, and the certificate has been issued.
0x00000002        | The request has been submitted and the enrollment is pending, or the request has been issued out of band.
0x00000004        | Enrollment must be deferred.
0x00000010        | An error occurred.
0x00000020        | The enrollment status is unknown.
0x00000040        | The status information has been skipped. This can occur if a certification authority is not valid or has not been selected for monitoring.
0x00000100        | Enrollment has been denied.

View Compliance Results by Using Reports


Compliance settings in Configuration Manager include built-in reports that you can use to monitor information
about certificate profiles. These reports have the report category of Compliance and Settings Management.

IMPORTANT
You must use a wildcard (%) character when you use the parameters Device filter and User filter in the reports for
compliance settings.

To monitor SCEP certificate compliance, use these certificate reports under the report node Company Resource
Access:
Certificate issuance history
List of assets with certificates nearing expiry
List of assets by certificate issuance status
For more information about how to configure reporting in Configuration Manager, see Introduction to reporting.
How to monitor Endpoint Protection status
4/20/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


You can monitor Endpoint Protection in your Microsoft Configuration Manager hierarchy by using the Endpoint
Protection Status node under Security in the Monitoring workspace, the Endpoint Protection node in the
Assets and Compliance workspace, and by using reports.

How to Monitor Endpoint Protection by Using the Endpoint Protection Status Node
1. In the Configuration Manager console, click Monitoring .
2. In the Monitoring workspace, expand Security and then click Endpoint Protection Status .
3. In the Collection list, select the collection for which you want to view status information.

IMPORTANT
Collections are available for selection in the following cases:
When you select View this collection in the Endpoint Protection dashboard on the Alerts tab of the
<collection name> Properties dialog box.
When you deploy an Endpoint Protection antimalware policy to the collection.
When you enable and deploy Endpoint Protection client settings to the collection.

4. Review the information that is displayed in the Security State and Operational State sections. You can
click any status link to create a temporary collection in the Devices node in the Assets and Compliance
workspace. The temporary collection contains the computers with the selected status.

IMPORTANT
Information that is displayed in the Endpoint Protection Status node is based on the last data that was
summarized from the Configuration Manager database and might not be current. If you want to retrieve the latest
data, on the Home tab, click Run Summarization, or click Schedule Summarization to adjust the
summarization interval.

How to Monitor Endpoint Protection in the Assets and Compliance Workspace
1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, perform one of the following actions:
Click Devices. In the Devices list, select a computer, and then click the Malware Detail tab.
Click Device Collections . In the Device Collections list, select the collection that contains the
computer you want to monitor and then, on the Home tab, in the Collection group, click Show
Members.
3. In the <collection name> list, select a computer, and then click the Malware Detail tab.

How to Monitor Endpoint Protection by Using Reports


Use the following reports to help you view information about Endpoint Protection in your hierarchy. You can also
use these reports to help troubleshoot any Endpoint Protection problems. For more information about how to
configure reporting in Configuration Manager, see Introduction to reporting and Log files. The Endpoint Protection
reports are in the Endpoint Protection folder.

Report name                 | Description
Antimalware Activity Report | Displays an overview of antimalware activity for a specified collection.
Infected Computers          | Displays a list of computers on which a specified threat is detected.
Top Users By Threats        | Displays a list of the users with the highest number of detected threats.
User Threat List            | Displays a list of threats that were found for a specified user account.

Malware Alert Levels


Use the following table to identify the different Endpoint Protection alert levels that might be displayed in reports,
or in the Configuration Manager console.

Alert level   Description
Failed        Endpoint Protection failed to remediate the malware. Check your logs for details of the error. Note: for a list of Configuration Manager and Endpoint Protection log files, see the "Endpoint Protection" section in the Log files topic.
Removed       Endpoint Protection successfully removed the malware.
Quarantined   Endpoint Protection moved the malware to a secure location and prevented it from running until you remove it or allow it to run.
Cleaned       The malware was cleaned from the infected file.
Allowed       An administrative user selected to allow the software that contains the malware to run.
No Action     Endpoint Protection took no action on the malware. This might occur if the computer is restarted after malware is detected and the malware is no longer detected; for instance, if a mapped network drive on which malware is detected is not reconnected when the computer restarts.
Blocked       Endpoint Protection blocked the malware from running. This might occur if a process on the computer is found to contain malware.
BitLocker settings reference
4/20/2020 • 15 minutes to read

Applies to: Configuration Manager (current branch)


BitLocker management policies in Configuration Manager contain the following policy groups:
Setup
Operating system drive
Fixed drive
Removable drive
Client management
The following sections describe and suggest configurations for the settings in each group.

NOTE
These settings are based on Configuration Manager version 2002. Version 1910 doesn't include all of these settings.

Setup
The settings on this page configure global BitLocker encryption options.
Drive encryption method and cipher strength
Suggested configuration: Enabled with the default or greater encryption method.

NOTE
The Setup properties page includes two groups of settings for different versions of Windows. This section describes them
both.

Windows 8.1 devices
For Windows 8.1 devices, enable the option for Drive encryption method and cipher strength, and select one of the following encryption methods:
AES 128-bit with Diffuser
AES 256-bit with Diffuser
AES 128-bit (default)
AES 256-bit
Windows 10 devices
For Windows 10 devices, enable the option for Drive encryption method and cipher strength (Windows 10). Then individually select one of the following encryption methods for OS drives, fixed data drives, and removable data drives:
AES-CBC 128-bit
AES-CBC 256-bit
XTS-AES 128-bit (default)
XTS-AES 256-bit

TIP
BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. On Windows 10 devices, AES runs in either cipher block chaining (CBC) mode or XTS mode (XEX-based tweaked-codebook mode with ciphertext stealing). Plain CBC is malleable: an attacker with write access to the raw disk can flip chosen bits in one plaintext block by modifying the preceding ciphertext block. XTS doesn't have that weakness, which is why it's the default; keep it unless a drive must also be readable on an OS that can't open XTS volumes.
If you need to use a removable drive on devices that don't run Windows 10, use AES-CBC.

General usage notes for drive encryption and cipher strength
If you disable or don't configure these settings, BitLocker uses the default encryption method.
Configuration Manager applies these settings when you turn on BitLocker.
If the drive is already encrypted, or encryption is in progress, a change to these policy settings doesn't change the encryption method on that drive. To move an existing volume to a stronger method, decrypt it and encrypt it again.
If you use the default value, the BitLocker Computer Compliance report may display the cipher strength as unknown. To work around this issue, enable this setting and set an explicit value for cipher strength.
Prevent memory overwrite on restart
Suggested configuration: Not configured
Configure this policy to improve restart performance by not overwriting BitLocker secrets in memory on restart.
When you don't configure this policy, BitLocker removes its secrets from memory when the computer restarts. Leave it that way: key material that survives a restart in RAM is exactly what a cold-boot attack recovers.
Validate smart card certificate usage rule compliance
Suggested configuration: Not configured
Configure this policy to use smartcard certificate-based BitLocker protection. Then specify the certificate Object
identifier .
When you don't configure this policy, BitLocker uses the default object identifier 1.3.6.1.4.1.311.67.1.1 to specify
a certificate.
Organization unique identifiers
Suggested configuration: Not configured
Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader.
When you don't configure this policy, BitLocker doesn't use the Identification field.
If your organization requires higher security, configure the Identification field. Set this field on all targeted USB devices, and align it with this setting. The option to Deny write access to devices configured in another organization on the Removable drive page relies on this field to tell your organization's drives from foreign ones.

OS drive
The settings on this page configure the encryption settings for the drive on which Windows is installed.
Operating system drive encryption settings
Suggested configuration: Enabled
If you enable this setting, the user has to protect the OS drive, and BitLocker encrypts the drive. If you disable it, the
user can't protect the drive. If you don't configure this policy, BitLocker protection isn't required on the OS drive.

NOTE
If the drive is already encrypted, and you disable this setting, BitLocker decrypts the drive.
If you have devices without a Trusted Platform Module (TPM), use the option to Allow BitLocker without a compatible TPM (requires a password). This setting allows BitLocker to encrypt the OS drive, even if the device doesn't have a TPM. If you allow this option, Windows prompts the user to specify a BitLocker password. Without a TPM, the volume key is protected only by that password, so anyone who obtains the disk can guess it offline; pair this option with the Operating system drive password policy described below.
On devices with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN). Configure the following settings:
Select protector for operating system drive: Configure it to use a TPM and PIN, or just the TPM.
Configure minimum PIN length for startup: If you require a PIN, this value is the shortest length the user can specify. The user enters this PIN when the computer boots to unlock the drive. By default, the minimum PIN length is 4. A PIN that short relies entirely on the TPM's anti-hammering lockout to resist guessing; require a longer PIN where your pre-boot environment supports it.

TIP
For higher security, when you enable devices with the TPM + PIN protector, consider disabling the following group policy settings in System > Power Management > Sleep Settings:
Allow Standby States (S1-S3) When Sleeping (Plugged In)
Allow Standby States (S1-S3) When Sleeping (On Battery)
In the S1-S3 sleep states the unlocked volume key stays in RAM, so a sleeping laptop is effectively an unlocked one. With standby disabled, the device hibernates or shuts down instead, and the PIN is required again on resume.
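The two settings covered above (the encryption method chosen per volume, and the OS drive protector) are easy to audit on an endpoint. The following is an added example, not code from the Configuration Manager documentation: it reads the volumes with the built-in Get-BitLockerVolume cmdlet and reports which ones fall outside the suggested configuration. The function name, its thresholds, the -Volumes parameter that accepts constructed objects for offline use, and the sample volumes are assumptions of this example.

```powershell
# Added example (not from the Configuration Manager documentation): audit the
# local BitLocker volumes against the suggested configuration in this
# reference. Get-BitLockerVolume is a built-in cmdlet; the function name,
# thresholds and the -Volumes parameter are this example's own assumptions.
function Test-BitLockerPolicyCompliance {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-BitLockerVolume output. The default is only
        # evaluated when the parameter is omitted, so constructed objects can
        # be passed on a machine without the BitLocker module.
        [object[]]$Volumes = (Get-BitLockerVolume),

        # Encryption methods the policy accepts. The suggested configuration
        # is XTS-AES, so the CBC and Diffuser methods are flagged.
        [string[]]$AllowedMethods = @('XtsAes128', 'XtsAes256'),

        # Require TPM+PIN rather than TPM-only on the OS drive.
        [switch]$RequireTpmPin
    )

    foreach ($v in $Volumes) {
        $findings = New-Object System.Collections.Generic.List[string]
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        if ([string]$v.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("volume status is $($v.VolumeStatus)")
        }
        # ProtectionStatus is Off while BitLocker is suspended (for example
        # around a firmware update); the volume is readable in that state.
        if ([string]$v.ProtectionStatus -ne 'On') {
            $findings.Add("protection is $($v.ProtectionStatus)")
        }
        # A volume encrypted before the policy changed keeps its old method,
        # so a CBC or Diffuser result means decrypt and re-encrypt, not just
        # a policy refresh.
        if ($AllowedMethods -notcontains [string]$v.EncryptionMethod) {
            $findings.Add("encryption method is $($v.EncryptionMethod)")
        }
        if ([string]$v.VolumeType -eq 'OperatingSystem' -and $RequireTpmPin) {
            if (-not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
                $findings.Add("OS drive protectors are [$($types -join ', ')], no TPM+PIN")
            }
        }
        # Without a recovery password there is nothing for the key recovery
        # service on the management point to escrow.
        if ($types -notcontains 'RecoveryPassword') {
            $findings.Add('no recovery password protector')
        }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            VolumeType = [string]$v.VolumeType
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Constructed sample (not real output) so the function can be exercised on a
# machine that isn't BitLocker-enabled. D: was encrypted under an older policy
# and only carries the auto-unlock (ExternalKey) protector.
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'On'; EncryptionMethod = 'XtsAes256'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'Data'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'On'; EncryptionMethod = 'Aes128'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'ExternalKey' })
    }
)
Test-BitLockerPolicyCompliance -Volumes $sample -RequireTpmPin | Format-Table -AutoSize
```

Run it without -Volumes in an elevated session to audit the real volumes. In the constructed sample, C: is compliant and D: is reported twice over: its method is AES-CBC 128-bit, and it has no recovery password to escrow.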

Allow enhanced PINs for startup


Suggested configuration: Not configured
Configure BitLocker to use enhanced startup PINs. These PINs permit the use of additional characters such as
uppercase and lowercase letters, symbols, numbers, and spaces. This setting applies when you turn on BitLocker.

IMPORTANT
Not all computers can support enhanced PINs in the pre-boot environment. Before you enable its use, evaluate whether your
devices are compatible with this feature.

If you enable this setting, all new BitLocker startup PINs allow the user to create enhanced PINs.
Require ASCII-only PINs : Help make enhanced PINs more compatible with computers that limit the type or
number of characters that you can enter in the pre-boot environment.
If you disable or don't configure this policy setting, BitLocker doesn't use enhanced PINs.
Operating system drive password policy
Suggested configuration: Not configured
Use these settings to set the constraints for passwords to unlock BitLocker-protected OS drives. If you allow non-
TPM protectors on OS drives, configure the following settings:
Configure password complexity for operating system drives : To enforce complexity requirements on
the password, select Require password complexity .
Minimum password length for operating system drive : By default, the minimum length is 8 .
Require ASCII-only passwords for removable OS drives
If you enable this policy setting, users can configure a password that meets the requirements that you define.
General usage notes for OS drive password policy
For these complexity requirement settings to be effective, also enable the group policy setting Password
must meet complexity requirements in Computer Configuration > Windows Settings > Security
Settings > Account Policies > Password Policy .
BitLocker enforces these settings when you turn it on, not when you unlock a volume. BitLocker lets you
unlock a drive with any of the protectors that are available on the drive.
If you use group policy to enable FIPS-compliant algorithms for encryption, hashing, and signing, you can't
allow passwords as a BitLocker protector.
Reset platform validation data after BitLocker recovery
Suggested configuration: Not configured
Control whether Windows refreshes platform validation data when it starts after BitLocker recovery.
If you enable or don't configure this setting, Windows refreshes platform validation data in this situation.
If you disable this policy setting, Windows doesn't refresh platform validation data in this situation.
Pre-boot recovery message and URL
Suggested configuration: Not configured
When BitLocker locks the OS drive, use this setting to display a custom recovery message or a URL on the pre-boot BitLocker recovery screen. This setting only applies to Windows 10 devices.
When you enable this setting, select one of the following options for the pre-boot recovery message:
Use default recovery message and URL: Display the default BitLocker recovery message and URL in the pre-boot BitLocker recovery screen. If you previously configured a custom recovery message or URL, use this option to revert to the default message.
Use custom recovery message: Include a custom message in the pre-boot BitLocker recovery screen.
Custom recovery message option: Type the custom message to display. If you also want to specify a recovery URL, include it as part of this custom recovery message. The maximum string length is 32,768 characters.
Use custom recovery URL: Replace the default URL displayed in the pre-boot BitLocker recovery screen.
Custom recovery URL option: Type the URL to display. The maximum string length is 32,768 characters.

NOTE
Not all characters and languages are supported in pre-boot. First test your custom message or URL to make sure it appears
correctly on the pre-boot BitLocker recovery screen.

Encryption policy enforcement settings (OS drive)
Suggested configuration: Enabled
Configure the number of days that users can postpone BitLocker compliance for the OS drive. The Noncompliance grace period begins when Configuration Manager first detects the OS drive as noncompliant. After this grace period expires, users can't postpone the required action or request an exemption.
If the encryption process requires user input, a dialog box appears in Windows that the user can't close until they
provide the required information. Future notifications for errors or status won't have this restriction.
If BitLocker doesn't require user interaction to add a protector, after the grace period expires, BitLocker starts
encryption in the background.
If you disable or don't configure this setting, Configuration Manager doesn't require users to comply with BitLocker
policies.
To enforce the policy immediately, set a grace period of 0 .

Fixed drive
The settings on this page configure encryption for additional data drives in a device.
Fixed data drive encryption
Suggested configuration: Enabled
Manage your requirement for encryption of fixed data drives. If you enable this setting, BitLocker requires users to
put all fixed data drives under protection. It then encrypts the data drives.
When you enable this policy, either enable auto-unlock or the settings for Fixed data drive password policy.
Configure auto-unlock for fixed data drive: Allow or require BitLocker to automatically unlock any encrypted data drive. To use auto-unlock, also require BitLocker to encrypt the OS drive. Auto-unlock stores the data drive's key on the OS drive, so the data drive is only as well protected as the OS drive's protectors.
If you don't configure this setting, BitLocker doesn't require users to put fixed data drives under protection.
If you disable this setting, users can't put their fixed data drives under BitLocker protection. If you disable this policy
after BitLocker encrypts fixed data drives, BitLocker decrypts the fixed data drives.
Deny write access to fixed drives not protected by BitLocker
Suggested configuration: Not configured
Require BitLocker protection for Windows to write data to fixed drives on the device. BitLocker applies this policy
when you turn it on.
When you enable this setting:
If BitLocker protects a fixed data drive, Windows mounts it with read and write access.
For any fixed data drive that BitLocker doesn't protect, Windows mounts it as read-only.
When you don't configure this setting, Windows mounts all fixed data drives with read and write access.
Fixed data drive password policy
Suggested configuration: Not configured
Use these settings to set the constraints for passwords to unlock BitLocker-protected fixed data drives.
If you enable this setting, users can configure a password that meets your defined requirements.
For higher security, enable this setting, and then configure the following settings:
Require password for fixed data drive : Users have to specify a password to unlock a BitLocker-protected
fixed data drive.
Configure password complexity for fixed data drives : To enforce complexity requirements on the
password, select Require password complexity .
Minimum password length for fixed data drive : By default, the minimum length is 8 .

If you disable this setting, users can't configure a password.


When the policy isn't configured, BitLocker supports passwords with the default settings. The default settings don't
include password complexity requirements, and require only eight characters.
General usage notes for fixed data drive password policy
For these complexity requirement settings to be effective, also enable the group policy setting Password
must meet complexity requirements in Computer Configuration > Windows Settings > Security
Settings > Account Policies > Password Policy .
BitLocker enforces these settings when you turn it on, not when you unlock a volume. BitLocker lets you
unlock a drive with any of the protectors that are available on the drive.
If you use group policy to enable FIPS-compliant algorithms for encryption, hashing, and signing, you can't
allow passwords as a BitLocker protector.
Encryption policy enforcement settings (fixed data drive)
Suggested configuration: Enabled
Configure the number of days that users can postpone BitLocker compliance for fixed data drives. The
Noncompliance grace period begins when Configuration Manager first detects the fixed data drive as
noncompliant. It doesn't enforce the fixed data drive policy until the OS drive is compliant. After the grace period
expires, users can't postpone the required action or request an exemption.
If the encryption process requires user input, a dialog box appears in Windows that the user can't close until they
provide the required information. Future notifications for errors or status won't have this restriction.
If BitLocker doesn't require user interaction to add a protector, after the grace period expires, BitLocker starts
encryption in the background.
If you disable or don't configure this setting, Configuration Manager doesn't require users to comply with BitLocker
policies.
To enforce the policy immediately, set a grace period of 0 .

Removable drive
The settings on this page configure encryption for removable drives, such as USB keys.
Removable data drive encryption
Suggested configuration: Enabled
This setting controls the use of BitLocker on removable drives.
Allow users to apply BitLocker protection on removable data drives : Users can turn on BitLocker
protection for a removable drive.
Allow users to suspend and decrypt BitLocker on removable data drives: Users can remove or temporarily suspend BitLocker drive encryption from a removable drive.
When you enable this setting, and allow users to apply BitLocker protection, the Configuration Manager client saves
recovery information about removable drives to the recovery service on the management point. This behavior
allows users to recover the drive if they forget or lose the protector (password).
When you enable this setting:
Enable the settings for Removable data drive password policy
Disable the following group policy settings in System > Removable Storage Access for both user &
computer configurations:
All removable storage classes: Deny all access
Removable disks: Deny write access
Removable disks: Deny read access
If you disable this setting, users can't use BitLocker on removable drives.
Deny write access to removable drives not protected by BitLocker
Suggested configuration: Not configured
Require BitLocker protection for Windows to write data to removable drives on the device. BitLocker applies this
policy when you turn it on.
When you enable this setting:
If BitLocker protects a removable drive, Windows mounts it with read and write access.
For any removable drive that BitLocker doesn't protect, Windows mounts it as read-only.
If you enable the option to Deny write access to devices configured in another organization ,
BitLocker only gives write access to removable drives with identification fields that match the allowed
identification fields. Define these fields with the Organization unique identifiers global settings on the
Setup page.
When you disable or don't configure this setting, Windows mounts all removable drives with read and write access.

NOTE
You can override this setting with the group policy settings in System > Removable Storage Access . If you enable the
group policy setting Removable disks: Deny write access , then BitLocker ignores this Configuration Manager setting.

Removable data drive password policy


Suggested configuration: Enabled
Use these settings to set the constraints for passwords to unlock BitLocker-protected removable drives.
If you enable this setting, users can configure a password that meets your defined requirements.
For higher security, enable this setting, and then configure the following settings:
Require password for removable data drive : Users have to specify a password to unlock a BitLocker-
protected removable drive.
Configure password complexity for removable data drives : To enforce complexity requirements on
the password, select Require password complexity .
Minimum password length for removable data drive : By default, the minimum length is 8 .

If you disable this setting, users can't configure a password.


When the policy isn't configured, BitLocker supports passwords with the default settings. The default settings don't
include password complexity requirements, and require only eight characters.
General usage notes for removable data drive password policy
For these complexity requirement settings to be effective, also enable the group policy setting Password
must meet complexity requirements in Computer Configuration > Windows Settings > Security
Settings > Account Policies > Password Policy .
BitLocker enforces these settings when you turn it on, not when you unlock a volume. BitLocker lets you
unlock a drive with any of the protectors that are available on the drive.
If you use group policy to enable FIPS-compliant algorithms for encryption, hashing, and signing, you can't
allow passwords as a BitLocker protector.
Client management
The settings on this page configure BitLocker management services and clients.
BitLocker Management Services
Suggested configuration: Enabled
When you enable this setting, Configuration Manager automatically and silently backs up key recovery information in the site database. If you disable or don't configure this setting, Configuration Manager doesn't save key recovery information.
Select BitLocker recovery information to store: Configure the key recovery service to back up BitLocker recovery information. It provides an administrative method of recovering data encrypted by BitLocker, which helps prevent data loss because of the lack of key information.
Allow recovery information to be stored in plain text: Without a BitLocker management encryption certificate for SQL Server, Configuration Manager stores the key recovery information in plain text. The escrowed recovery passwords unlock the managed drives, so plain-text storage makes the site database as sensitive as the drives themselves; deploy the encryption certificate instead. For more information, see Encrypt recovery data.
Client checking status frequency (minutes): At the configured frequency, the client checks the BitLocker protection policies and status on the computer and also backs up the client recovery key. By default, the Configuration Manager client updates its BitLocker recovery information every 90 minutes.
User exemption policy
Suggested configuration: Not configured
Configure a contact method for users to request an exemption from BitLocker encryption.
If you enable this policy setting, provide the following information:
Maximum days to postpone : How many days the user can postpone an enforced policy. By default, this
value is 7 days (one week).
Contact method : Specify how users can request an exemption: URL, email address, or phone number.
Contact : Specify the URL, email address, or phone number. When a user requests an exemption from
BitLocker protection, they see a Windows dialog box with instructions on how to apply. Configuration
Manager doesn't validate the information you enter.
URL : Use the standard URL format, https://website.domain.tld . Windows displays the URL as a
hyperlink.
Email address : Use the standard email address format, user@domain.tld . Windows displays the
address as the following hyperlink:
mailto:user@domain.tld?subject=Request exemption from BitLocker protection .
Phone number : Specify the number you want your users to call. Windows displays the number with
the following description: Please call <your number> for applying exemption .

If you disable or don't configure this setting, Windows doesn't display the exemption request instructions to users.

NOTE
BitLocker manages exemptions per user, not per computer. If multiple users sign in to the same computer, and any one user
isn't exempt, BitLocker encrypts the computer.

URL for the security policy link


Suggested configuration: Enabled
Specify a URL to display to users as the Company Security Policy in Windows. Use this link to provide users with
information about encryption requirements. It shows when BitLocker prompts the user to encrypt a drive.
If you enable this setting, configure the security policy link URL .
If you disable or don't configure this setting, BitLocker doesn't show the security policy link.
Troubleshoot BitLocker
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Use the information in this article to help you troubleshoot issues with BitLocker management in Configuration
Manager.

Server error in self-service


When trying to open the self-service portal ( https://webserver.contoso.com/SelfService ) for the first time, you see
the following error message:

Configuration Error - Server Error in '/SelfService' Application

Description: An error occurred during the processing of a configuration file required to service this request.
Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Could not load file or assembly 'System.Web.Mvc, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

To fix this issue, make sure you installed the prerequisite for Microsoft ASP.NET MVC 4.0 on the web server.

See also
For more information about using BitLocker event logs, see BitLocker event logs.
For a list of known errors and possible causes for event log entries, see the following articles:
Client event logs
Server event logs
To understand why clients are reporting not compliant with the BitLocker management policy, see Non-
compliance codes.
BitLocker event logs
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The BitLocker management agent and web services use Windows event logs to record messages. In the Event
Viewer, go to Applications and Ser vices Logs , Microsoft , Windows . The log channel (node) varies depending
upon the computer and the component:
MBAM : BitLocker management agent on a client computer
MBAM-Web :
Recovery service on the management point
Self-service portal
Administration and monitoring website
For more information about specific messages in these logs, see the following articles:
Client event logs
Server event logs
In each node, by default you'll see two log channels: Admin and Operational . For more detailed troubleshooting
information, you can also show analytics and debug logs.

Log properties
In Windows Event Viewer, select a specific log. For example, Admin. Go to the Action menu, and select Properties. Configure the following settings:
Maximum log size (KB): by default, this setting is 1028 (about 1 MB) for all logs.
When maximum event log size is reached: by default, the Admin and Operational logs are set to Overwrite events as needed (oldest events first).

Analytic and debug logs


You can enable more detailed logs for troubleshooting purposes. In Event Viewer, go to the View menu, and select
Show Analytic and Debug Logs . Now when you browse to the log channel, you'll see two additional logs:
Analytic and Debug .

TIP
By default, these logs have the following properties:
Maximum log size (KB): 1028 (about 1 MB)
Do not overwrite events (Clear logs manually)

Export logs to text


Especially with the analytic and debug logs, you may find it easier to review the logs entries in a single text file.
Use the following PowerShell commands to export the event log entries to text files:

# Out-String with a larger -Width does a better job compared to using Out-File with -Width.
# -Oldest is only required with debug/analytic logs.

# Debug log
Get-WinEvent -LogName Microsoft-Windows-MBAM/Debug -Oldest |
    Format-Table -AutoSize | Out-String -Width 4096 |
    Out-File C:\Temp\MBAM_Log_Debug.txt

# Analytic log
Get-WinEvent -LogName Microsoft-Windows-MBAM/Analytic -Oldest |
    Format-Table -AutoSize | Out-String -Width 4096 |
    Out-File C:\Temp\MBAM_Log_Analytic.txt

# Admin log
# The command shape above truncates the output from the admin log, so this sample reformats the strings
Get-WinEvent -LogName Microsoft-Windows-MBAM/Admin |
    Select-Object TimeCreated, LevelDisplayName, TaskDisplayName, @{n='Message';e={$_.Message.Trim()}} |
    Format-Table -AutoSize -Wrap | Out-String -Width 4096 |
    Out-File -FilePath C:\Temp\MBAM_Log_Admin.txt
Client event logs
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


On a Configuration Manager client to which you deploy a BitLocker management policy, use the Windows Event
Viewer to view BitLocker client event logs. Go to Applications and Ser vices Logs , Microsoft , Windows ,
MBAM for both Admin and Operational event logs.

Admin
2: VolumeEnactmentFailed
An error occurred while applying MBAM policies.
Error code: -2144272219
Details: BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage.
This error occurs if you try to use BitLocker to encrypt a virtual machine that's running Windows 10 version 1803 or earlier. Earlier versions of Windows 10 don't support full disk encryption on thin-provisioned storage, and BitLocker management policies enforce full disk encryption.
Error code: -2147024774
Details: The data area passed to a system call is too small.
To resolve this issue, restart the computer.
4: TransferStatusDataFailed
An error occurred while sending encryption status data.
8: SystemVolumeNotFound
The system volume is missing. SystemVolume is needed to encrypt the operating system drive.
9: TPMNotFound
The TPM hardware is missing. TPM is needed to encrypt the operating system drive with any TPM protector.
10: MachineHWExempted
The computer is exempted from Encryption. Machine's hardware status: Exempted
11: MachineHWUnknown
The computer is exempted from encryption. Machine's hardware status: Unknown
12: HWCheckFailed
Hardware exemption check failed.
13: UserIsExempted
The user is exempt from encryption.
14: UserIsWaiting
The user requested an exemption.
15: UserExemptionCheckFailed
User exemption check failed.
16: UserPostponed
The user postponed the encryption process.
17: TPMInitializationFailed
TPM initialization failed. The user rejected the BIOS changes.
18: CoreServiceDown
Unable to connect to the MBAM Recovery and Hardware service.
Error code: -2147024809
Details: The parameter is incorrect.
This error occurs if the recovery service isn't published over HTTPS, or the client doesn't have a PKI client certificate.
20: PolicyMismatch
The BitLocker management policy is in conflict or corrupt.
21: ConflictingOSVolumePolicies
Detected OS volume encryption policies conflict. Check BitLocker policies related to OS drive protectors.
22: ConflictingFDDVolumePolicies
Detected fixed data drive volume encryption policies conflict. Check BitLocker policies related to fixed data drive protectors.
27: EncryptionFailedNoDra
An error occurred while encrypting. A data recovery agent (DRA) protector is required in FIPS mode for pre-
Windows 8.1 machines.
34: TpmLockOutResetFailed
Failed to reset TPM lockout.
36: TpmOwnerAuthRetrievalFailed
Failed to retrieve TPM OwnerAuth from MBAM services.
37: WmiProviderDllSearchPathUpdateFailed
Failed to update the DLL search path for WMI provider.
38: TimedOutWaitingForWmiProvider
Agent stopping. Timed-out waiting for MBAM WMI provider instance.

Operational
1: VolumeEnactmentSuccessful
The BitLocker management policies were applied successfully.
3: TransferStatusDataSuccessful
The encryption status data was sent successfully.
19: CoreServiceUp
Successfully connected to the MBAM Recovery and Hardware service.
28: TpmOwnerAuthEscrowed
The TPM OwnerAuth has been escrowed.
29: RecoveryKeyEscrowed
The BitLocker recovery key for the volume has been escrowed.
30: RecoveryKeyReset
The BitLocker recovery key for the volume has been updated.
31: EnforcePolicyDateSet
The enforce policy date...has been set for the volume
32: EnforcePolicyDateCleared
The enforce policy date...has been cleared for the volume.
33: TpmLockOutResetSucceeded
Successfully reset TPM lockout.
35: TpmOwnerAuthRetrievalSucceeded
Successfully retrieved TPM OwnerAuth from MBAM services.
39: RemovableDriveMounted
Removable drive was mounted.
40: RemovableDriveDismounted
Removable drive was unmounted.
41: FailedToEnactEndpointUnreachable
Failure to connect to the MBAM Recovery and Hardware service prevented BitLocker management policies from
being applied successfully to the volume.
42: FailedToEnactLockedVolume
Locked volume state prevented BitLocker management policies from being applied successfully to the volume.
43: TransferStatusDataFailedEndpointUnreachable
Failure to connect to the MBAM Compliance and Status service prevented the transfer of encryption status data.
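The export commands earlier in this article dump whole channels to text, which is the right first step when you don't know what you're looking for. When you do, the failure IDs in the Admin and Operational tables above are what to query for. The following is an added example, not code from the Configuration Manager documentation: it pulls only those IDs from both MBAM channels, counts them, and extracts the error code (for example -2144272219 or -2147024809, both explained above) from the most recent message. The function name, the -Events parameter that accepts constructed objects for offline use, and the sample events are assumptions of this example.

```powershell
# Added example (not from the Configuration Manager documentation): summarize
# BitLocker management agent failures from the MBAM Admin and Operational
# channels. The ID-to-name map is taken from the tables in this article; the
# function name and the -Events parameter are this example's own assumptions.
function Get-MbamFailureSummary {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Objects shaped like Get-WinEvent output (Id, TimeCreated, Message).
        # When omitted, the two MBAM channels are queried live.
        [object[]]$Events
    )

    # Failure event IDs from the Admin and Operational tables above.
    $failureNames = @{
        2  = 'VolumeEnactmentFailed'
        4  = 'TransferStatusDataFailed'
        9  = 'TPMNotFound'
        17 = 'TPMInitializationFailed'
        18 = 'CoreServiceDown'
        20 = 'PolicyMismatch'
        21 = 'ConflictingOSVolumePolicies'
        22 = 'ConflictingFDDVolumePolicies'
        27 = 'EncryptionFailedNoDra'
        41 = 'FailedToEnactEndpointUnreachable'
        42 = 'FailedToEnactLockedVolume'
        43 = 'TransferStatusDataFailedEndpointUnreachable'
    }

    if (-not $PSBoundParameters.ContainsKey('Events')) {
        # -FilterHashtable is applied by the event log service itself, which is
        # much faster than piping every record through Where-Object.
        $Events = foreach ($log in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
            Get-WinEvent -FilterHashtable @{ LogName = $log; Id = [int[]]$failureNames.Keys; StartTime = $Since } -ErrorAction SilentlyContinue
        }
    }

    $Events |
        Where-Object { $failureNames.ContainsKey([int]$_.Id) -and $_.TimeCreated -ge $Since } |
        Group-Object Id |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            # The Win32 error code in the message distinguishes causes that
            # share an event ID, such as the thin-provisioned VM case
            # (-2144272219) from a generic enactment failure.
            $code = if ($latest.Message -match 'Error code:\s*(-?\d+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Id        = [int]$_.Name
                Name      = $failureNames[[int]$_.Name]
                Count     = $_.Count
                LastSeen  = $latest.TimeCreated
                ErrorCode = $code
            }
        } |
        Sort-Object Count -Descending
}

# Constructed events (not real log data) so the function runs offline.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Id = 18; TimeCreated = $now.AddHours(-2); Message = "Unable to connect to the MBAM Recovery and Hardware service.`r`nError code: -2147024809`r`nDetails: The parameter is incorrect." }
    [pscustomobject]@{ Id = 18; TimeCreated = $now.AddHours(-1); Message = "Unable to connect to the MBAM Recovery and Hardware service.`r`nError code: -2147024809`r`nDetails: The parameter is incorrect." }
    [pscustomobject]@{ Id = 2;  TimeCreated = $now.AddHours(-3); Message = "An error occurred while applying MBAM policies.`r`nError code: -2144272219`r`nDetails: BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage." }
    [pscustomobject]@{ Id = 1;  TimeCreated = $now.AddMinutes(-30); Message = 'The BitLocker management policies were applied successfully.' }
)
Get-MbamFailureSummary -Events $sample | Format-Table -AutoSize
```

On the constructed sample the success event (ID 1) is dropped and two rows come back: CoreServiceDown twice with error code -2147024809, which per the Admin table points at a recovery service that isn't HTTPS or a client without a PKI certificate, and VolumeEnactmentFailed once with -2144272219. Run the function without -Events on a managed client to query the live channels.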

See also
For more information on using these logs, see BitLocker event logs.
For more troubleshooting information, see Troubleshoot BitLocker.
Server event logs
4/22/2020 • 8 minutes to read

Applies to: Configuration Manager (current branch)


Use the Windows Event Viewer to view event logs for the following BitLocker management server components in
Configuration Manager:
Recovery service on the management point
Self-service portal
Administration and monitoring website
On a server hosting one or more of these components, open the Event Viewer. Then go to Applications and
Ser vices Logs , Microsoft , Windows , and expand MBAM-Web . By default, there are Admin and Operational
event logs.
The following sections contain messages and troubleshooting information for event IDs that can occur with the
BitLocker management server components.

Admin
1: WebAppSpnError
Application: {SiteName}{VirtualDirectory} is missing the following Service Principal Names (SPNs):{ListOfSpns}
Register the required SPNs on the account: {ExecutionAccount}.
For integrated Windows Authentication to succeed, necessary SPNs need to be in place. This message indicates
that the SPN required for the application isn't correctly configured. Details contained in this event should provide
more information.
100: AdminServiceRecoveryDbError
Possible error messages:
GetMachineUsers: An error occurred while getting user information from the database.
GetRecoveryKey: an error occurred while getting recovery key from the database.
GetRecoveryKey: an error occurred while getting user information from the database.
GetRecoveryKeyIds: an error occurred while getting recovery key Ids from the database.
GetTpmHashForUser: An error occurred while getting TPM hash data from the recovery database.
QueryDriveRecoveryData: An error occurred while getting drive recovery data from the database.
QueryRecoveryKeyIdsForUser: An error occurred while getting recovery key Ids from the database.
QueryVolumeUsers: An error occurred while getting user information from the database.
This message is logged whenever there's an exception while communicating with the recovery database. Read
through the information contained in the trace to get specific details about the exception.
101: AdminServiceComplianceDbError
Possible error messages:
GetRecoveryKey: An error occurred while logging an audit event to the compliance database.
GetRecoveryKeyIds: An error occurred while logging an audit event to the compliance database.
GetTpmHashForUser: An error occurred while logging an audit event to the compliance database.
QueryRecoveryKeyIdsForUser: An error occurred while logging an audit event to the compliance database.
QueryDriveRecoveryData: An error occurred while logging an audit event to the compliance database.
This message is logged whenever there's an exception while communicating with the compliance database. Read
through the information contained in the trace to get specific details about the exception.
102: AgentServiceRecoveryDbError
This message indicates an exception when the service tries to communicate with the recovery database. Read
through the message contained in the event to get specific information about the exception.
Verify that the MBAM app pool account has required permissions to connect to the recovery database.
103: AgentServiceError
Possible error messages:
Unable to detect client machine account or data migration user account.
Whenever a call is made to the PostKeyRecoveryInfo, IsRecoveryKeyResetRequired, CommitRecoveryKeyRest,
or GetTpmHash web methods, it retrieves the caller context to obtain caller credentials. If the caller context is
null or empty, the service logs this message.
Account verification failed for caller identity.
This message is logged if the web method is expecting the caller to be a computer account and it's not. It
can also be caused if the web method is expecting the caller to be a user account, and it's not a user account
or a member of a data migration group account.
104: StatusServiceComplianceDbConfigError
The compliance database connection string in the registry is empty.
This message is logged whenever the compliance database connection string is invalid. Verify the value at the registry
key HKLM\Software\Microsoft\MBAM Server\Web\ComplianceDBConnectionString.
105: StatusServiceComplianceDbError
This error indicates that the websites or web services were unable to connect to the compliance database. Verify
that the IIS app pool account can connect to the database.
106: HelpdeskError
Known errors and possible causes:
The request to URL caused an internal error.
An unhandled exception was raised in the application for the administration and monitoring website
(helpdesk). Review the log entries in the Admin event log to find the specific exception.
An error occurred while obtaining execution context information. Unable to verify Service Principal Name
(SPN) registration.
During the initial helpdesk website load operation, it checks the SPN. To verify the SPN, it requires account
information, IIS Sitename, and ApplicationVirtualPath corresponding to the helpdesk website. It logs this
error message when one or more of these attributes are invalid or missing.
An error occurred while verifying Service Principal Name (SPN) registration.
This message indicates that a security exception is thrown when verifying the SPN. Refer to the exception
contained in the event details.
107: SelfServicePortalError
Known errors and possible causes:
An error occurred while getting recovery key for a user
Indicates that an unexpected exception was thrown when a request was made to retrieve a recovery key.
Refer to the exception message in the event details. If tracing is enabled on the helpdesk app, refer to trace
data to obtain detailed exception messages.
An error occurred while obtaining execution context information. Unable to verify Service Principal Name
(SPN) registration
During an initial load operation, the self-service portal retrieves account information, IIS Sitename, and
ApplicationVirtualPath for the self-service website to verify the SPN. This error message is logged when one
or more of these attributes are invalid.
An error occurred while verifying Service Principal Name (SPN) registration. EventDetails:
{ExceptionMessage}
This message indicates that a security exception was thrown while verifying the SPN. Refer to the exception
contained in the event details.
108: DomainControllerError
Known errors and possible causes:
An error occurred while resolving domain name {DomainName}, a memory allocation failure occurred.
To resolve domain name, it calls the DsGetDcName Windows API. This message is logged when this API
returns ERROR_NOT_ENOUGH_MEMORY, which indicates a memory allocation failure.
Could not invoke DsGetDcName method
This message indicates that the DsGetDcName API is unavailable on the host.
109: WebAppRecoveryDbError
Known errors and possible causes:
An error occurred while reading the configuration of the Recovery database. The connection string to the
Recovery database is not configured.
This message indicates that recovery database connection string information at
HKLM\Software\Microsoft\MBAM Server\Web\RecoveryDBConnectionString is invalid. Verify the given registry key
value.
If you see any of the following messages, verify whether the app pool credentials from the IIS server can make a
connection to the recovery database:
DoesUserHaveMatchingRecoveryKey: an error occurred while getting recovery key Ids for a user.
QueryDriveRecoveryData: an error occurred while getting drive recovery data.
QueryRecoveryKeyIdsForUser: an error occurred while getting recovery key Ids for a user.
An error occurred while getting TPM password hash from the Recovery database.
110: WebAppComplianceDbError
Known errors and possible causes:
An error occurred while reading the configuration of the Compliance database. The connection string to the
Compliance database is not configured.
This message indicates that compliance database connection string information at
HKLM\Software\Microsoft\MBAM Server\Web\ComplianceDBConnectionString is invalid. Verify the value of this
registry key.
If you see any of the following messages, verify whether the app pool credentials from the IIS server can make a
connection to the compliance database:
GetRecoveryKeyForCurrentUser: an error occurred while logging an audit event to the Compliance database.
QueryRecoveryKeyIdsForUser: an error occurred while logging an audit event to the Compliance database.
QueryRecoveryKeyIdsForUser: an error occurred while logging an audit event to the compliance database.
111: WebAppDbError
These errors indicate one of the following two conditions:
MBAM websites/webservices were unable to either connect to compliance or recovery database
MBAM websites/webservices execution account (app pool account) could not run the GetVersion stored
procedure on compliance or recovery database
The message contained in the event provides more details about the exception.
Verify that the app pool account can connect to the compliance or recovery databases. Confirm that it has
permissions to run the GetVersion stored procedure.
112: WebAppError
An error occurred while verifying Service Principal Name (SPN) registration.
To verify the SPN, the application queries Active Directory to retrieve the list of SPNs mapped to the execution
account. It also reads ApplicationHost.config to get the website bindings. This error message indicates that it
couldn't communicate with Active Directory, or it couldn't load the ApplicationHost.config file.
Verify that the app pool account has permissions to query Active Directory or the ApplicationHost.config file.
Also verify the site binding entries in the ApplicationHost.config file.

Operational
4: PerformanceCounterError
An error occurred while retrieving a performance counter.
The trace message contains the actual exception message, some of which are listed here:
ArgumentNullException: This exception is thrown if the category, counter, or instance of requested Performance
counter is invalid.
System.InvalidOperationException: categoryName is an empty string (""). counterName is an empty string ("").
The read/write permission setting requested is invalid for this counter.
The category specified does not exist (if readOnly is true).
The category specified is not a .NET Framework custom category (if readOnly is false).
The category specified is marked as multi-instance and requires the performance counter to be created with an
instance name.
instanceName is longer than 127 characters.
categoryName and counterName have been localized into different languages.
System.ComponentModel.Win32Exception: An error occurred when accessing a system API.
System.UnauthorizedAccessException: Code that is executing without administrative privileges attempted to
read a performance counter.
The message in the event provides more details on the exception.
For the System.UnauthorizedAccessException, verify that the app pool account has access to performance counter
APIs.
200: HelpDeskInformation
The administration website application successfully found and connected to a supported version of the
recovery/compliance database.
Indicates successful connection to the recovery or compliance database from the helpdesk website.
201: SelfServicePortalInformation
The self-service portal application successfully found and connected to a supported version of the
recovery/compliance database.
Indicates successful connection to the recovery or compliance database from the self-service portal.
202: WebAppInformation
Application has its SPNs registered correctly.
Indicates that the SPNs required for the helpdesk website are correctly registered against the executing account.

See also
For more information on using these logs, see BitLocker event logs.
For more troubleshooting information, see Troubleshoot BitLocker.
For more information on installing these websites, see Set up BitLocker reports and portals.
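The following script is an added example and not part of the Configuration Manager documentation: it reads the MBAM-Web Admin log on a BitLocker management server and groups recent events by the remediation the event IDs above point to (SPN registration, database connectivity, connection strings, caller identity, domain controller lookup). It assumes the Event Viewer channel described above is named Microsoft-Windows-MBAM-Web/Admin.

```powershell
# Added example, not from the Configuration Manager docs. Summarise the last N hours of
# MBAM-Web Admin events by the cause documented for each event ID.
# Assumption: the "MBAM-Web > Admin" log has the channel name below.
function Get-MbamWebAdminTriage {
    param([int]$Hours = 24)
    $logName = 'Microsoft-Windows-MBAM-Web/Admin'

    # Event IDs grouped by the check the documentation recommends for them
    $buckets = [ordered]@{
        'SPN registration / website exception' = @(1, 106, 107, 112)
        'Database connectivity (app pool account)' = @(100, 101, 102, 105, 109, 110, 111)
        'Connection string registry value' = @(104)
        'Caller identity (computer/user account)' = @(103)
        'Domain controller lookup (DsGetDcName)' = @(108)
    }

    # Get-WinEvent reports an error when the log has no matching events; treat that as empty
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = $logName
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue)

    foreach ($name in $buckets.Keys) {
        $hits = @($events | Where-Object { $buckets[$name] -contains $_.Id })
        $latest = $hits | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Category = $name
            Count    = $hits.Count
            EventIds = (($hits | Select-Object -ExpandProperty Id -Unique | Sort-Object) -join ',')
            Latest   = if ($latest) { $latest.TimeCreated } else { $null }
            Message  = if ($latest) { $latest.Message } else { '' }
        }
    }
}

# Run on the server hosting the recovery service, self-service portal or helpdesk website
Get-MbamWebAdminTriage -Hours 24 | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap
```

A non-zero count in the database connectivity bucket across several event IDs usually points at the app pool account rather than at the individual web method, which is the first thing the entries above tell you to verify.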
Non-compliance codes
4/20/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


WMI on the client provides the following non-compliance codes. The table below lists each code with the reason a
device reports as non-compliant.
There are various methods to view WMI. For example, use the following PowerShell command:

(Get-WmiObject -Class mbam_Volume -Namespace root\microsoft\mbam).ReasonsForNoncompliance

TIP
If the device is compliant, this command doesn't return anything.
You can also check the Compliant attribute of this class, which is 1 if the device is compliant.

Non-compliance code   Reason for non-compliance
0    Cipher strength not AES 256.
1    BitLocker policy requires this volume to be encrypted, but it isn't.
2    BitLocker policy requires this volume to not be encrypted, but it is.
3    BitLocker policy requires this volume use a TPM protector, but it doesn't.
4    BitLocker policy requires this volume use a TPM+PIN protector, but it doesn't.
5    BitLocker policy doesn't allow non-TPM machines to report as compliant.
6    Volume has a TPM protector, but the TPM isn't visible.
7    BitLocker policy requires this volume use a password protector, but it doesn't have one.
8    BitLocker policy requires this volume not use a password protector, but it has one.
9    BitLocker policy requires this volume use an auto-unlock protector, but it doesn't have one.
10   BitLocker policy requires this volume not use an auto-unlock protector, but it has one.
11   BitLocker detects a policy conflict, which prevents it from reporting this volume as compliant.
12   A system volume is needed to encrypt the OS volume, but it isn't present.
13   Protection is suspended for the volume.
14   Auto-unlock protector is unsafe unless the OS volume is encrypted.
15   Policy requires a minimum cipher strength of XTS-AES-128 bit; the actual cipher strength is weaker.
16   Policy requires a minimum cipher strength of XTS-AES-256 bit; the actual cipher strength is weaker.
