Jan 15

Remember this?: Software Distribution is currently paused on this computer with ConfigMgr 2007

Posted on January 15, 2012 by Peter van der Woude

This is more of a remember this for my self then probably in general, as this is a problem that we don’t run into that much. Only for me it was the second time already, but I couldn’t directly remember anymore what the problem was. So this post will be more of a reminder for the eventually next time…

Also this will be a short post as it will just describe the problem we ran into with my current customer and what the solution was. The problem we ran into was that after we deployed a new machine we could advertise software to it, but the installation would never start. Looking into the execmgr.log we could see the following message: “This program cannot run because a reboot is in progress or software distribution is paused.”.

Well, the solution for this was actually quit simple, just the searching for it took a while… Looking into the registry we could see that the Software Distribution-State-Paused-key was set to 1 and changing this back to 0 resolved the problem. This key can be found in the following location:

x86 – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\State\
x64 – HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Mobile Client\Software Distribution\State\ (see picture)

We’re still not quite sure what caused this problem, but it seems to be something with ending a Task Sequence with a restart. After resolving the issue we found some other people with the same issue here and they are also guessing and linking it to the last step of the Task Sequence.

Dec 11

Remember this?: Re-run Advertisement for one (or more) specific client(s) with ConfigMgr 2007

Posted on December 11, 2011 by Peter van der Woude

I’m not sure if this is going to be a ‘remember this’ –series, but at least in this case it fits really good. We all know it, but sometimes we need a refreshment.

We all know those scenario’s where we send an Advertisement to a Collection of clients and for some reason we may want to rerun the Advertisement for only one (or more) specific client(s). In this case we can use the general rerun options of an Advertisement (like always rerun), but they will affect all clients in the collection and won’t work for user-targeted Advertisements. So what’s left in this case? Well the option I like the most is that there is a registry change that we can make to trick the Advertisement to run again. When we look at a client’s registry, we will see the following the following registry key (depending on the architecture).

x86 – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\
x64 – HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\ (see picture)

As this key is located in the HKEY_LOCAL_MACHINE, it can also be found by opening regedit and then make a connection with a remote client. Under System we will find the PackageID of each Package that has previously run. When we now delete the PackageID, for the Program that we want to rerun, it will trigger the Program to run again (during the next evaluation) even though it already completed successfully.

To find the PackageID that we need we can open the Configuration Manager Console and select the Packages –node (under Site Database > Computer Management > Software Distribution). In the overview there will be a list of all the packages with the corresponding PackageID.

Sep 11

ConfigMgr 2007 and creating a non-recurring Maintenance Window by script

Posted on September 11, 2011 by Peter van der Woude

At my current customer they’re not using the Software Updates of ConfigMgr 2007 (yet), but there was a wish for a more controlled company-wide deployment without having to change all the current advertisements (and the whole deployment system). So the idea came to create (and delete) maintenance windows by script (when needed).

Luckily the ConfigMgr 2007 SDK has some pretty straight forward examples of creating and deleting maintenance windows (see also the links at the end of this post). Deleting a maintenance window was almost just copy-paste from the SDK, the tricky part was creating a maintenance window and then especially the non-recurring schedule. At the end, this is (the short version of) what we ended up with:

‘====================================================
‘ MAIN – Set connection, schedule and call
‘====================================================
Set Connection = ConnectToSMSProvider("SiteServerName")
Schedule = NonRecurringScheduleString(connection, 3, “StartTimeInWMIFormat”, FALSE)
CreateMaintenanceWindow(connection, "CollectionID", "Name of Maintenance Window", "", Schedule, TRUE, 1)

‘====================================================
‘ Sub to add a Maintenance Window to a Collection
‘====================================================
Sub CreateMaintenanceWindow(connection, targetCollectionID, newMaintenanceWindowName, newMaintenanceWindowDescription, newMaintenanceWindowServiceWindowSchedules, _
                            newMaintenanceWindowIsEnabled, newMaintenanceWindowServiceWindowType)
    Set allCollectionSettings = connection.ExecQuery("Select * From SMS_CollectionSettings Where CollectionID = ‘" & targetCollectionID & "’")
    If allCollectionSettings.Count = 0 Then
        Set collectionSettingsInstance = connection.Get("SMS_CollectionSettings").SpawnInstance_
        collectionSettingsInstance.CollectionID = targetCollectionID
        collectionSettingsInstance.Put_
    End If
    Set collectionSettingsInstance = connection.Get("SMS_CollectionSettings.CollectionID=’" & targetCollectionID &"’" )
    Set tempServiceWindowObject = connection.Get("SMS_ServiceWindow").SpawnInstance_
    tempServiceWindowObject.Name = newMaintenanceWindowName
    tempServiceWindowObject.Description = newMaintenanceWindowDescription
    tempServiceWindowObject.ServiceWindowSchedules = newMaintenanceWindowServiceWindowSchedules
    tempServiceWindowObject.IsEnabled = newMaintenanceWindowIsEnabled
    tempServiceWindowObject.ServiceWindowType = newMaintenanceWindowServiceWindowType
    tempServiceWindowArray = collectionSettingsInstance.ServiceWindows
    ReDim Preserve tempServiceWindowArray (Ubound(tempServiceWindowArray) + 1)
    Set tempServiceWindowArray(Ubound(tempServiceWindowArray)) = tempServiceWindowObject
    collectionSettingsInstance.ServiceWindows = tempServiceWindowArray
    collectionSettingsInstance.Put_
End Sub

‘====================================================
‘ Function to RETURN a Non Recurring Schedule
‘====================================================
Function NonRecurringScheduleString(connection, hourDuration, startTime, isGmt)
    Set recurInterval = connection.Get("SMS_ST_NonRecurring").SpawnInstance_()
    recurInterval.StartTime = startTime
    recurInterval.DayDuration = 0
    recurInterval.HourDuration = hourDuration
    recurInterval.MinuteDuration = 0
    recurInterval.IsGMT = isGmt
    Set clsScheduleMethod = connection.Get("SMS_ScheduleMethods")
    clsScheduleMethod.WriteToString Array(recurInterval), scheduleString
    NonRecurringScheduleString = scheduleString
End Function

‘====================================================
‘ Function to RETURN a Date/Time in WMI Format
‘====================================================
Function ConvertToWMIDate(strDate)
    strYear = year(strDate):strMonth = month(strDate)
    strDay = day(strDate):strHour = hour(strDate)
    strMinute = minute(strDate)
    If len(strmonth) = 1 Then strMonth = "0" & strMonth
    If len(strDay) = 1 Then strDay = "0" & strDay
    If len(strHour) = 1 Then strHour = "0" & strHour
    If len(strMinute) = 1 Then strMinute = "0" & strMinute
    ConvertToWMIDate = strYear & strMonth & strDay & strHour & strMinute & "00.000000+***"
End Function

‘====================================================
‘ Function to RETURN a Connection to the SMS Provider
‘====================================================
Function ConnectToSMSProvider(ServerName)
   Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
   Set objSWbemServices = objSWbemLocator.ConnectServer(ServerName, "root\sms")
   Set ProviderLocation = objSWbemServices.InstancesOf("SMS_ProviderLocation")
   For Each Location In ProviderLocation
      If Location.ProviderForLocalSite = True Then
         Set objSWbemServices = objSWbemLocator.ConnectServer(Location.Machine, "root\sms\site_" + Location.SiteCode)
         Set ConnectToSMSProvider = objSWbemServices
      End If
   Next
End Function

More information about creating a maintenance window: http://msdn.microsoft.com/en-us/library/cc146686.aspx
More information about deleting a maintenance window: http://msdn.microsoft.com/en-us/library/cc143140.aspx

Jul 24

Using USMT 4.0 and ConfigMgr 2007 while migrating from local profiles to partially redirected profiles

Posted on July 24, 2011 by Peter van der Woude

This time I want to devote a post to a situation I haven’t been in that often. The customer was migrating from Windows XP to Windows 7, well.. nothing special here, but also migrating from local profiles to (partially) redirected profiles, well.. that’s a challenge. So to capture the userdata AND -settings we had to come up with something special. Of course we could do some things with scripting, but the biggest challenge was the fact that the new (partially redirected) profile location was only available after the first logon to Windows 7.

With this information I started thinking about USMT 4.0 again. Most often you use this to migrate on a computer basis, but we made an exception on this. We came up with the following five steps that should do the trick:

(On Windows XP) A batch file that kicks of Scanstate. Nothing special here, just used /uel:1 or /uel:0 to get the user profile we need (0=Logged on user, 1=Modified accounts last 24 hours).
(On Windows XP) A batch file that copies the captured data and settings to the users share on the network.
(On Windows 7) A batch file that copies the captured data and settings back to a local drive.
(On Windows 7) A batch file that kicks of Loadstate. Nothing special here, just used /ue to exclude some possible captured local/ admin account.
(On Windows 7) A batch file that copies the last bits of data straight in to the redirected profile.

The important part is something a didn’t mention yet. In the migration XML files there is the possibility to copy data to an alternative location and that’s what we used for the parts of the profile that would get redirected. The reason for that is simple, because the SYSTEM account has no security rights to write something to there, as it is a network location. Here is a sample of the part we added to the migration XML files:

<locationModify script="MigXmlHelper.RelativeMove(‘%CSIDL_DESKTOP%\’, ‘C:\Temp\Desktop’)">
   <objectSet>
      <pattern type="File">%CSIDL_DESKTOP%\* [*]</pattern>
   </objectSet>
</locationModify>

This specific part would copy the desktop items to C:\Temp\Desktop instead of the desktop location in the (redirected) profile. Also important to note is that, in this case, all the copy actions have to run with user rights, as it’s all copied to the users directory.

Jul 03

Auto Deployment of FEP Definition Updates with ConfigMgr 2007

Posted on July 3, 2011 by Peter van der Woude

This week Microsoft released Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 (including some extra tools). The tools update included some extra policies and also a Definition Update Automation Tool. Together with this, there was also an article published about Definition Update Automation with Configuration Manager.

Personally I don’t like the idea of creating a new Task with the Windows Task Scheduler, while we’ve got Status Filter Rules within ConfigMgr. With these rules we can make a “connection” between the scheduled synchronization of the Software Update Point (SUP) and the start of the Definition Update Automation Tool. Otherwise the tool might run while there hasn’t been a new synchronization of the SUP. To prevent this, I will show in this post how to create the Status Filter Rule.

The prerequisites for this post are the same as mentioned in Definition Update Automation with Configuration Manager.

Open the fepsuasetup.cab file and copy SoftwareUpdateAutomation.exe to <Installationdirectory>\AdminUI\bin
In the ConfigMgr Console browse to Site Database > Site Management > <Sitename> > Site Settings > Status Filter Rules and select New Status Filter Rule in the Actions pane.
On the General page, fill in a Name, select as Source ConfigMgr Server, select as Component SMS_WSUS_SYNC_MANAGER, fill in as Message ID 6702 and click Next. This makes sure that every time the SMS_WSUS_SYNC_MANAGER is DONE this action (which we configure in the next step) will start.
On the Actions page, select Run a Program, fill in as commandline “<Installationdirectory>\AdminUI\bin\SoftwareUpdateAutomation.exe” /AssignmentName <DeploymentName> /PackageName <PackageName> and click Next.
On the Summary page and click Next.
On the Summary page and click Finish.

Download Microsoft Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 Tools: http://www.microsoft.com/download/en/details.aspx?id=26613

Update 18-07: There are some issues discovered with the new tool, take a look here for more information and solutions: http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx

Update 01-11: A new version of the Definition Update Automation Tool has been released. This version refreshes the Distribution Point by default and has a new option to disable that behavior (/DisableRefreshDP): http://blogs.technet.com/b/configmgrteam/archive/2011/11/01/how-to-use-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx

Jun 12

The best informational links about FEP 2010 (and its integration with ConfigMgr 2007)

Posted on June 12, 2011 by Peter van der Woude

This time I want to devote a post to some of the best informational links about Forefront Endpoint Protection (FEP) 2010 (and its integration with ConfigMgr 2007). These links can make it a lot easier to plan, scale, install, manage and troubleshoot your ConfigMgr 2007 with FEP 2010 integrated -environment.

FEP 2010 General Information – This link provides some general information about FEP 2010.
Link: http://www.microsoft.com/fep/
FEP 2010 Deployment Case Study @Microsoft – This link provides some information about the case study used by Microsoft IT for FEP 2010.
Link: http://technet.microsoft.com/en-us/library/gg543127.aspx
FEP 2010 TechNet Library – This link provides all the information available in the Microsoft TechNet Library about FEP 2010. It includes planning, scaling, installing and managing a FEP 2010 –environment, with or without ConfigMgr 2007.
Link: http://technet.microsoft.com/en-us/library/ff823816.aspx
FEP 2010 Tools – This link provides downloads to some available tools, for creating policies, for adding policies, for gathering support data and for scanning an existing environment.
Link:http://www.microsoft.com/downloads/en/details.aspx?FamilyID=04f7d456-24a2-4061-a2ed-82fe93a03fd5&displaylang=en
FEP 2010 Capacity Planning Worksheet – This link provides a download of a FEP Datawarehouse Space Capacity Planning worksheet. Use this worksheet to estimate the needed disk space.
Link: http://blogs.technet.com/b/clientsecurity/archive/2011/01/19/fep-capacity-planning-worksheet.aspx
System Center Best Practices – This link provides System Center best practices and real-world expierence, which now also includes FEP 2010.
Link: http://technet.microsoft.com/en-us/systemcenter/ee942121.aspx
How to deploy the FEP 2010 Client via OS Deployment – This link provides a step-by-step about deploying the FEP 2010 Client via OS Deployment.
Link: http://social.technet.microsoft.com/wiki/contents/articles/how-to-deploy-the-fep-2010-client-via-osd-and-test-deployment.aspx
Automatically deploy the FEP 2010 Updates via ConfigMgr 2007 – This link provides a step-by-step about deploying the FEP 2010 Updates via ConfigMgr 2007.
Link: http://social.technet.microsoft.com/wiki/contents/articles/automatically-deploy-forefront-endpoint-protection-updates-via-system-center-configuration-manager.aspx
Deploying the FEP 2010 Client via Disk Images – Even though this link is a part of the FEP 2010 TechNet Library, it is good to specifically name it. This link provides some registry keys which should be deleted when adding the FEP 2010 Client to an image.
Link: http://technet.microsoft.com/en-us/library/gg193355.aspx

Jun 02

Microsoft Deployment Toolkit 2012 Beta is available!

Posted on June 2, 2011 by Peter van der Woude

For those who didn’t read it on Twitter, Facebook or mail yet, MDT 2012 B1 is available for download! Some of the best things that are mentioned in the release notes, are that it supports ConfigMgr 2012 B2 and also still supports ConfigMgr 2007 SP2! Besides that it also supports the deployment of ALL operating systems from Windows XP and Windows Server 2003 until now. So it only delivers extra’s! For more information, read here the mail of Microsoft Connect:

Thanks for your ongoing interest and participation in the MDT beta review program. We hope you’ll take the time to preview and provide feedback on MDT 2012 Beta 1.

Download the beta materials on Connect: https://connect.microsoft.com/site14/Downloads/DownloadDetails.aspx?DownloadID=8689

Microsoft Deployment Toolkit (MDT) 2012 Beta 1 rides the next wave of System Center releases with support for System Center Configuration Manager 2012. For Lite Touch installations, MDT 2012 improves the overall client-side user experience, while also providing behind-the-scenes enhancements for partitioning, UEFI, and user state migration. These features, combined with many small enhancements, bug fixes, and a smooth and simple upgrade process, make MDT 2012 Beta 1 more reliable and flexible than ever.

Key Benefits:

Fully leverages the capabilities provided by System Center Configuration Manager 2012 for OS deployment.

Improved Lite Touch user experience and functionality.

A smooth and simple upgrade process for all existing MDT users.

Tell us what you think!
We value your input. Download the beta on Connect and tell us what you think!Please submit your feedback through Connect and direct any support questions you may have to satfdbk@microsoft.com.

Availability
This program is now open. The beta review period will run through August 2011.

Tell your friends
To join the beta review program for Microsoft Deployment Toolkit (MDT) 2012, visit Microsoft Connect:
https://connect.microsoft.com/site14

Learn more
Visit the MDT home page: http://www.microsoft.com/MDT

Get the latest news straight from the MDT team: http://blogs.technet.com/mniehaus/

MDT works with the Microsoft Assessment and Planning Toolkit and Security Compliance Manager to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. Learn more at http://www.microsoft.com/solutionaccelerators.

Thank you for your interest in the development of MDT. We look forward to receiving your feedback!

Sincerely,
Solution Accelerators MDT Team
Microsoft Corporation

Mar 12

Asset Intelligence Reports are not showing correct data since the upgrade to ConfigMgr 2007 SP2

Posted on March 12, 2011 by Peter van der Woude

This blog post is going to be a short explanation about why the Asset Intelligence (AI) Reports are not showing the correct data after an upgrade to ConfigMgr 2007 SP2. The cause of not showing data was actually more logic then I first thought. One of the items on the checklist for an upgrade (http://technet.microsoft.com/en-us/library/ee344152.aspx) is the following:

If you have customized the default SMS_def.mof hardware inventory reporting file, you must create a backup of this file before upgrading the site. When upgrading a site, customizations made to the existing SMS_def.mof file will be overwritten.

Maybe this still doesn’t make sense, but it will after the following piece of history about enabling AI in ConfigMgr 2007. In the ConfigMgr 2007 RTM version AI had to be enabled by manually editting the SMS_def.mof. This got renewed in ConfigMgr 2007 SP1 by adding the Asset Intelligence Reporting Class Settings dialog box, BUT these settings are still written in the SMS_def.mof.

So the combination of these two point mean that after the upgrade to ConfigMgr 2007 SP2, the AI settings have to be re-enabled. This can be done through the Asset Intelligence Reporting Class Settings dialog box by reselecting the needed items, or by manually editing the SMS_def.mof.

Jan 31

ConfigMgr 2007 and clearing a Computers’ Last PXE Advertisement by script

Posted on January 31, 2011 by Peter van der Woude

In a previous post I showed a script to remove a computer from a collection. This post will be an add-on to that previous post. As we are removing the computer from the collection anyway, we can as well perform a Clear Last PXE Advertisement –action. By doing this, it’s not necessary to perform a manual action the next time the computer needs to be re-imaged.

An easy way to do this is to run a script at the end of a Task Sequence that will clear the last PXE Advertisement. This makes sure that a computer can get re-imaged as soon it gets added to the correct collection. For this you can use the script from this post.

The usage of this script is cscript <ScriptName>.vbs /ComputerName:[ComputerName]. Keep in mind that it needs to be run with an account that has enough rights in ConfigMgr. See also this picture for an example.

Option Explicit

DIM objSWbemLocator, objSWbemServices, ProviderLocation, Location, Connection
DIM colResourceID, objResourceID, iResourceID, aResources, InParams
DIM sComputerName, sSiteServerName, objArguments

sSiteServerName = “<SiteServerName>”

‘====================================
‘ Check arguments
‘====================================
Set objArguments = Wscript.Arguments
If WScript.Arguments.Count = 1 Then
   sComputerName = objArguments.Named.Item(“ComputerName”)
Else
   Wscript.Echo “Usage: ClearPxeAdvertisement.vbs /ComputerName:[ComputerName]”
   Wscript.Quit
End If

‘====================================
‘ MAIN Script
‘====================================
Set Connection = ConnectToSMSProvider(sSiteServerName)
iResourceID = GetResourceID(Connection, sComputerName)

aResources = Array(1)
aResources(0) = iResourceID

Set InParams = Connection.Get(“SMS_Collection”).Methods_(“ClearLastNBSAdvForMachines”).InParameters.SpawnInstance_
InParams.ResourceIDs = aResources

Connection.ExecMethod “SMS_Collection”,”ClearLastNBSAdvForMachines”, InParams
WScript.Echo “Cleared PXE advertisement for resource: ” & iResourceID

‘====================================
‘ Function to RETURN a Connection to the SMS Provider
‘====================================
Function ConnectToSMSProvider(ServerName)
   Set objSWbemLocator = CreateObject(“WbemScripting.SWbemLocator”)
   Set objSWbemServices = objSWbemLocator.ConnectServer(ServerName, “root\sms”)
   Set ProviderLocation = objSWbemServices.InstancesOf(“SMS_ProviderLocation”)
   For Each Location In ProviderLocation
      If Location.ProviderForLocalSite = True Then
         Set objSWbemServices = objSWbemLocator.ConnectServer(Location.Machine, “root\sms\site_” + Location.SiteCode)
         Set ConnectToSMSProvider = objSWbemServices
      End If
   Next
End Function

‘====================================
‘ Function to RETURN a ResourceID by a ComputerName
‘====================================
Function GetResourceID(Connection, ComputerName)
   Set colResourceID = Connection.ExecQuery(“Select ResourceID from SMS_R_System where Name = ‘” & ComputerName & “‘”)
   For Each objResourceID in colResourceID
      GetResourceID = objResourceID.ResourceID
   Next
End Function

WScript.Quit(0)

There also exists an (basic) example on MSDN about How to Clear a PXE Advertisement for a Configuration Manager Resource, here: http://msdn.microsoft.com/en-us/library/cc143002.aspx

Jan 10

ConfigMgr 2007 and Forefront Endpoint Protection 2010

Posted on January 10, 2011 by Peter van der Woude

Let’s start this post with a simple question. What’s the reason why the new version of Microsoft’s Forefront Endpoint Protection (FEP) 2010 is so kewl? Well, it’s the same reason why I’m blogging about it, it’s because it fully integrates with ConfigMgr 2007! In this post I will go through the installation and the integration of FEP 2010 with ConfigMgr 2007 in three parts.

(PART 1) Integration with ConfigMgr 2007 – How to install

For the installation I will go through a Basic topology installation and its prerequisites (the installation has to be performed on a Central/ Primary Site server).

(Optional) Install Windows Installer 3.1.
(Optional) Install .NET Framework 3.5 SP1.
(Optional) Install ConfigMGr Hotfix KB2271736.
Run the serversetup.exe of the DVD and the Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
On the Welcome page, type your name, the name of your organization, and click Next.
On the Microsoft Software License Terms page, select the I accept the software license terms check box, and click Next.
On the Installation Options page, select Basic topology, and click Next.
On the Reporting Configuration page, verify the URL of your reporting server and the name of a user account that is used, type the password for the specified user account, and click Next.
On the Updates and Customer Experience Options page, only select Join the Customer Experience Improvement Program, and click Next.
On the Microsoft SpyNet Policy Configuration page, select Join Microsoft SpyNet, click Advanced SpyNet membership, and click Next.
On the Installation Location page, specify the folder for installation, and click Next.
On the Prerequisites Verification page, click Next.
On the Setup Summary page, click Install.
On the Installation page, click Next.
On the Installation Complete page, click Finish.

(PART 2) Integration with ConfigMgr 2007 – How does it look

After the successful installation of FEP 2010, it’s time to take a closer look at how it’s integrated with ConfigMgr 2007. For this I will create a list with all the changes/ add-ons to the ConfigMgr Console that are created during the installation of FEP.

FEP Operations are added to right-click menu, and Actions pane for computer objects
FEP Collections are added to Site Database > Computer Management > Collections
- Definitions Status
  - Older Than 1 Week
  - Up to 3 Days
  - Up to 7 Days
  - Up to Date
- Deployment Status
  - Deployment Failed
  - Deployment Succeeded
    - Deployed Desktops
    - Deployed Servers
  - Locally Removed
  - Not Targeted
  - Out of Date
- Operations
- Policy Distribution Status
  - Distribution Failed
  - Distribution Pending
  - Policy Distributed
- Protection Status
  - Healthy
  - Not Reporting
  - Protection Service Off
- Security Status
  - Full Scan Required
  - Infected
  - Recent Malware Activity
  - Restart Required
FEP Packages are added to Site Database > Computer Management > Software Distribution > Packages
- Microsoft Corporation FEP – Deployment 1.0
- Microsoft Corporation FEP – Operations 1.0
- Microsoft Corporation FEP – Policies 1.0
FEP Advertisements are added to Site Database > Computer Management > Software Distribution > Advertisements
- FEP Operations
- FEP Policies
  - Assign FEP policy Default Desktop Policy
  - Assign FEP policy Default Server Policy
FEP Configuration Baselines are added to Site Database > Computer Management > Desired Configuration Management > Configuration Baselines
- FEP – High-Security Desktop
- FEP – Laptop
- FEP – Performance-Optimized Desktop
- FEP – Standard Desktop
- FEP Monitoring – Antimalware Status
- FEP Monitoring – Definitions and Health Status
- FEP Monitoring – Malware Activity
- FEP Monitoring – Malware Detections
FEP Console extensions are added to Site Database > Computer Management > Forefront Endpoint Protection
- Policies
- Alerts
  - Malware Detection Alerts
  - Malware Outbreak Alert
  - Repeated Malware Detection Alerts
  - Multiple Malware Detection Alerts
- Reports

(PART 3) Integration with ConfigMgr 2007 – How does it work

Now we know how FEP is installed and what it all creates during the installation, let’s take a look at how it all works together. This part is not about all the possibly different settings, but about how/ when it gets called in ConfigMgr 2007.

Client Deployment
For the deployment of the FEP client, the Microsoft Corporation FEP – Deployment 1.0 –package can be used. This package contains a script that also will make sure that any of the following previously installed antimalware clients will be uninstalled:

Symantec Endpoint Protection version 11
Symantec Corporate Edition version 10
McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent
Forefront Client Security version 1 and the Operations Manager agent
TrendMicro OfficeScan version 8 and version 10

Client Policies
For the policy deployment to the FEP client, the Microsoft Corporation FEP – Policies 1.0 –package will be used. By default the already existing advertisement of Assign FEP policy Default Desktop Policy and Assign FEP policy Default Server Policy are used for this. This package contains a script that will make sure that policy changes, that are made through the console (and saved in XML), get updated on the clients. For this the Deployed Desktops and Deployed Servers –collections are used.

Client Operations
For the execution of the FEP client actions, the Microsoft Corporation FEP – Operations 1.0 –package will be used. This action can be performed via the right-click menu, and the Actions pane for computer objects. After this the computer object gets populated in the Operations –collection and the script (of this package) gets assigned to the collection.

Client Health
For the client health the FEP Dashboard (see picture) can be used. This dashboard shows an overview of Deployment Status, Policy Distribution Status, Definition Status, Protection Status, Security Status and Forefront Endpoint Protection Baselines. The statuses are based on the memberships of the FEP * Status –collections. So indirect the membership –queries of these collections make sure what the dashboard shows.

Client Updates
For the client updates it’s still possible to use an Auto-Approval rule for Definitions Updates in WSUS.

More information about FEP 2010: http://technet.microsoft.com/en-us/library/gg412482.aspx

Page 1 of 712 3 4 5 6 7

ConfigMgr and App-V

Peter blogs about Configuration Manager and App-V

Category Archives: ConfigMgr 2007