Endpoint Protection

  • 1.  General questions about SEPM - thanks in advance

    Posted Sep 06, 2012 08:46 PM

    I recently was "tasked" with fixing some issues with our Endpoint Protection Manager. It runs on a Server 2008 R2 VM located on a NetApp SANS. We have around 1000 workstations, mainly XP. The servers are either Windows Server 2003 or 2008.

    We are an Active Directory network, yet the directory server(s) aren't set up in SEPM. As I understand it, I can sync SEPM with AD and assign packages to OUs and users. If user A has a package assigned to him/her, and logs in at workstation XX that doesn't have any Endpoint Protection, will it automatically install based on Active Directory sync? Does the install package "follow" that person around? I'm trying to understand the full benefits of using the AD sync feature; it doesn't seem like setting up at least the directory server name/login would hurt anything.

    I've noticed on some domain computers we'll push an install package out with no problem, however it won't show up in the managed client list. I think I've solved that issue by doing a complete uninstall and using CCleaner to remove orphan registries and files. I created an install package with the option to remove old policy, log files, settings. It seems like Endpoint Protection isn't a big fan of having new versions installed over it without as much as it can of the old version. I've just had better luck with new installs than upgrades, I suppose.

    Thanks for any help or advice.



  • 2.  RE: General questions about SEPM - thanks in advance
    Best Answer

    Posted Sep 06, 2012 09:48 PM

    The machine should get the upgrade regardless of whether a user logs in or not. If the machine is showing up in SEPM and you've assigned an install package to the group it is in, it will get the install package.

    Using AD sync will allow you to essentially set up the same structure in your SEPM as what you have in AD. Any time you add a new PC in AD, it will show in SEPM. It should be a 1:1 ratio.



  • 3.  RE: General questions about SEPM - thanks in advance

    Posted Sep 06, 2012 09:54 PM

    Thanks for the help. Our AD structure could use some improvement right now. As I understand, even if I did do an Active Directory sync, I can still choose what computers or users are put in the SEPM groups and deploy EPM as required.

    What I don't want is an AD sync, then because of that a massive deployment of install packages. I still want to be able to do a controlled deployment of packages.



  • 4.  RE: General questions about SEPM - thanks in advance

    Posted Sep 06, 2012 10:00 PM

    The major drawback I always had was I couldn't move PCs around when synched with AD. Unless it was moved in AD, it couldn't be moved in SEPM.

    You could add different install packages to different groups, controlling it that way.