About the SCEP feature in April 2015 update for Lync Room System
This new feature supplements the existing Lync Room System (LRS) security design consisting of Windows Embedded firewall protection, AppLocker, and write filters. System administrators can easily enable Microsoft System Center Endpoint Protection (SCEP) on LRS by using an on/off toggle switch. The SCEP feature in LRS can run stand-alone, and does not require back-end server integration. Finally, LRS deployments in private network environments that have no direct Internet connection require some additional planning and preparation to enable SCEP malware signature updates through Windows Server Update Services (WSUS). Update from signatures that are stored in UNC file shares is not supported for the April 2015 LRS update.
How to enable SCEP
Enable SCEP in Internet-connected LRSTo enable SCEP on an Internet-connected LRS, follow these steps after you apply the April 2015 LRS update (15.13.2 update or later versions):
- Enter LRS Administrator (admin) mode as a system administrator.
- Click the System Settings tab, and then locate the System Center Endpoint Protection antivirus protection on/off switch.
- Toggle the switch to the "on" position. Then, LRS will prompt the system administrator with an End User License Agreement (EULA).
- Accept EULA terms, and then click Apply & Restart. Then, SCEP protection is enabled.
As soon as SCEP is enabled, the daily scan time is set at 2:00 AM. This is by default. The scan time is configurable in the same user interface under the Daily Scan Time drop-down menu. Your Internet-connected LRS device is now fully configured and ready to run SCEP.
Note The Update Mode selections that are located under the Daily Scan Time control are not functional and should be ignored at the current time.
Enable SCEP in LRS in private network environmentsTo enable SCEP on LRS devices that are deployed in private network environments without a direct Internet connection, WSUS setup must be performed and configured to handle SCEP signature updates after a system administrator enables SCEP feature that is described earlier.
Note SCEP signature updates that are stored in a UNC file share are not supported for the April 2015 LRS update.
To set WSUS for the LRS SCEP feature, follow these steps:
Note References of "ForeFront Endpoint Protection 2010" (FEP) here refer to the LRS SCEP feature, and they can be thought of interchangeably.
- In Windows Server 2008 R2, add roles for WSUS and Web Server (IIS) in Server Manager.
- Open Server Manager.
- Locate Roles > Windows Server Update Services > Options.
- Run WSUS Server Configuration Wizard, and then select the settings that are listed here:
- Synchronize from Microsoft Update Server
- Use proxy server when synchronizing. Set appropriate Proxy Server Name and Port Number and then start to connect.
- Language: English
- Products: Click to clear all and then select only Forefront Endpoint Protection 2010 under Forefront.
- Classification: Select Definition updates and Updates.
- Sync Schedule: Sync automatically. Then, begin initial Synchronization and finish.
- Locate Roles > Windows Server Update Services > Synchronizations. Then, verify the synchronization is succeeded.
- Locate Roles > Windows Server Update Services > Update Services > Update. Then, right-click Update and then click New Update View.
- Select updates that are in a specific classification. Then, click to clear all and select only definition updates.
- Select update for specific product. Select Any product, and then click to clear all and select only ForeFront Endpoint Protection 2010 under Forefront.
- Specify a name, such as FEP. A node called FEP will be created under Updates.
- Double-click the FEPnode. Select Approval -> Any expect declined Status-> Any and refresh.
- All available FEP updates are displayed. Select all updates, right-click them, and then approve for all the computers.
Note Make sure that the server that runs IIS is installed on the device where WSUS is installed and is available from anywhere in the network. IIS will show under Server Manager. Then, run http://Server from a browser on any device in the network. Or, make sure C:\inetpub\wwwroot on the server that runs IIS has the "Everyone read" access. This makes sure that all devices can connect to the server that runs IIS.
Important When you set up WSUS, you must only apply FEP (SCEP) signature updates, but not Windows Updates. Windows Updates are currently managed through the Lync Room System update mechanism and do not require WSUS enablement. Downloading Windows Updates through WSUS may result in unpredictable behavior on LRS devices. The system administrator should make sure to isolate LRS units in such a way that WSUS is only applying FEP (SCEP) signature updates. You can do this by explicitly adding LRS devices in separate computer groups in WSUS server and setting the rule to only push FEP (SCEP) signature updates, but not Windows Updates. To do this, follow these steps:
In Windows Server 2008 R2
- Locate Roles > Windows Server Update Services > Update Services > Computers > All Computers > Add Computer Group..., and then specify a name for the new computer group, such as LRSGroup.
- Select all LRS devices, and then right-click to change the membership to join LRSGroup.
- Locate Roles > Windows Server Update Services > Update Services > Computers > Options > Automatic Approvals, and then create a rule. To do this, follow these steps:
- Select When an update is in a specific Product, edit the When an update is in any product property. Click any product. Then, click to clear all, and then select Forefront Endpoint Protection 2010 only.
- Click OK. Now you have When an update is in Forefront Endpoint Protection 2010.
- Edit the Approve the update for all computers property. Then, click to clear all computers, and then select only the all computers property. Then, click to clear all computers, and then select only the LRSGroup that was created.
Note Make sure that Windows Embedded 7 is not selected when you select products in WSUS. Otherwise, it will cause the unwanted effect of pushing Windows Updates. LRS devices should only receive FEP (SCEP) signature updates.
- In LRS, enter admin mode.
- Under the Web Updates tab, select the WSUS server option, and then specify the WSUS/IIS server name, in our case http://server (replace server by using the name that is used in your private network).
- Click Apply & Restart.