Auto Deployment of FEP Definition Updates with ConfigMgr 2007

This week Microsoft released Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 (including some extra tools). The tools update included some extra policies and also a Definition Update Automation Tool. Together with this, there was also an article published about Definition Update Automation with Configuration Manager.

Personally I don’t like the idea of creating a new Task with the Windows Task Scheduler, while we’ve got Status Filter Rules within ConfigMgr. With these rules we can make a “connection” between the scheduled synchronization of the Software Update Point (SUP) and the start of the Definition Update Automation Tool. Otherwise the tool might run while there hasn’t been a new synchronization of the SUP. To prevent this, I will show in this post how to create the Status Filter Rule.

The prerequisites for this post are the same as mentioned in Definition Update Automation with Configuration Manager.

Open the fepsuasetup.cab file and copy SoftwareUpdateAutomation.exe to <Installationdirectory>\AdminUI\bin

In the ConfigMgr Console browse to Site Database > Site Management > <Sitename> > Site Settings > Status Filter Rules and select New Status Filter Rule in the Actions pane.


On the General page, fill in a Name, select as Source ConfigMgr Server, select as Component SMS_WSUS_SYNC_MANAGER, fill in as Message ID 6702 and click Next.

This makes sure that every time the SMS_WSUS_SYNC_MANAGER is DONE this action (which we configure in the next step) will start.


On the Actions page, select Run a Program, fill in as command line "<Installationdirectory>\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName <DeploymentName> /PackageName <PackageName> and click Next.


On the Summary page, click Next.


On the Summary page, click Finish.
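
Because the rule starts SoftwareUpdateAutomation.exe unattended after every synchronization, a small wrapper can check the binary and record each run. The following PowerShell script is an added example, not part of the FEP tools or the original post; the script name, the log location and the exit codes 2 and 3 are assumptions, and it assumes the tool carries an Authenticode signature.

```powershell
# Run-FepDefinitionUpdate.ps1 (hypothetical wrapper name, not shipped with the FEP tools)
param(
    [Parameter(Mandatory = $true)][string]$ToolPath,        # full path to SoftwareUpdateAutomation.exe
    [Parameter(Mandatory = $true)][string]$AssignmentName,  # value passed to /AssignmentName
    [Parameter(Mandatory = $true)][string]$PackageName,     # value passed to /PackageName
    [string]$LogFile = "$env:ProgramData\FepDefinitionUpdate-wrapper.log"  # assumed log location
)

# Append a timestamped line to the wrapper's own log file.
function Write-Log([string]$Message) {
    $line = '{0}  {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Add-Content -Path $LogFile -Value $line
}

if (-not (Test-Path -LiteralPath $ToolPath -PathType Leaf)) {
    Write-Log "ABORT: $ToolPath not found"
    exit 2
}

# The rule runs this binary without anyone watching, so refuse to start a copy
# whose Authenticode signature does not validate (for example a file that was
# modified or replaced after it was extracted from fepsuasetup.cab).
$sig = Get-AuthenticodeSignature -FilePath $ToolPath
if ($sig.Status -ne 'Valid') {
    Write-Log "ABORT: signature status '$($sig.Status)' on $ToolPath"
    exit 3
}
Write-Log "Signature valid, signer: $($sig.SignerCertificate.Subject)"

# Same arguments as in the Status Filter Rule command line; the values are
# quoted because deployment and package names may contain spaces.
$arguments = '/AssignmentName "{0}" /PackageName "{1}"' -f $AssignmentName, $PackageName
$proc = Start-Process -FilePath $ToolPath -ArgumentList $arguments -Wait -PassThru -WindowStyle Hidden

# Record the tool's exit code and hand it back to the caller unchanged.
Write-Log "SoftwareUpdateAutomation.exe exited with code $($proc.ExitCode)"
exit $proc.ExitCode
```

With this wrapper, the Run a Program command line in the rule would call powershell.exe -NoProfile -File with the script path and the three parameters, subject to the execution policy on the site server.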


Download Microsoft Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 Tools: http://www.microsoft.com/download/en/details.aspx?id=26613

Update 18-07: Some issues have been discovered with the new tool. Take a look here for more information and solutions: http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx

Update 01-11: A new version of the Definition Update Automation Tool has been released. This version refreshes the Distribution Point by default and has a new option to disable that behavior (/DisableRefreshDP): http://blogs.technet.com/b/configmgrteam/archive/2011/11/01/how-to-use-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx


The best informational links about FEP 2010 (and its integration with ConfigMgr 2007)

This time I want to devote a post to some of the best informational links about Forefront Endpoint Protection (FEP) 2010 (and its integration with ConfigMgr 2007). These links can make it a lot easier to plan, scale, install, manage and troubleshoot your ConfigMgr 2007 environment with FEP 2010 integrated.


ConfigMgr 2007 and Forefront Endpoint Protection 2010

Let’s start this post with a simple question. What’s the reason why the new version of Microsoft’s Forefront Endpoint Protection (FEP) 2010 is so kewl? Well, it’s the same reason why I’m blogging about it, it’s because it fully integrates with ConfigMgr 2007! In this post I will go through the installation and the integration of FEP 2010 with ConfigMgr 2007 in three parts.

(PART 1) Integration with ConfigMgr 2007 – How to install

For the installation I will go through a Basic topology installation and its prerequisites (the installation has to be performed on a Central/Primary Site server).

  1. (Optional) Install Windows Installer 3.1.
  2. (Optional) Install .NET Framework 3.5 SP1.
  3. (Optional) Install ConfigMgr Hotfix KB2271736.
  4. Run serversetup.exe from the DVD and the Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
  5. On the Welcome page, type your name, the name of your organization, and click Next.
  6. On the Microsoft Software License Terms page, select the I accept the software license terms check box, and click Next.
  7. On the Installation Options page, select Basic topology, and click Next.
  8. On the Reporting Configuration page, verify the URL of your reporting server and the name of a user account that is used, type the password for the specified user account, and click Next.
  9. On the Updates and Customer Experience Options page, only select Join the Customer Experience Improvement Program, and click Next.
  10. On the Microsoft SpyNet Policy Configuration page, select Join Microsoft SpyNet, click Advanced SpyNet membership, and click Next.
  11. On the Installation Location page, specify the folder for installation, and click Next.
  12. On the Prerequisites Verification page, click Next.
  13. On the Setup Summary page, click Install.
  14. On the Installation page, click Next.
  15. On the Installation Complete page, click Finish.

(PART 2) Integration with ConfigMgr 2007 – How does it look

After the successful installation of FEP 2010, it’s time to take a closer look at how it’s integrated with ConfigMgr 2007. For this I will list all the changes/add-ons to the ConfigMgr Console that are created during the installation of FEP.

  • FEP Operations are added to the right-click menu and the Actions pane for computer objects
  • FEP Collections are added to Site Database > Computer Management > Collections
    • Definitions Status
      • Older Than 1 Week
      • Up to 3 Days
      • Up to 7 Days
      • Up to Date
    • Deployment Status
      • Deployment Failed
      • Deployment Succeeded
        • Deployed Desktops
        • Deployed Servers
      • Locally Removed
      • Not Targeted
      • Out of Date
    • Operations
    • Policy Distribution Status
      • Distribution Failed
      • Distribution Pending
      • Policy Distributed
    • Protection Status
      • Healthy
      • Not Reporting
      • Protection Service Off
    • Security Status
      • Full Scan Required
      • Infected
      • Recent Malware Activity
      • Restart Required
  • FEP Packages are added to Site Database > Computer Management > Software Distribution > Packages
    • Microsoft Corporation FEP – Deployment 1.0
    • Microsoft Corporation FEP – Operations 1.0
    • Microsoft Corporation FEP – Policies 1.0
  • FEP Advertisements are added to Site Database > Computer Management > Software Distribution > Advertisements
    • FEP Operations
    • FEP Policies
      • Assign FEP policy Default Desktop Policy
      • Assign FEP policy Default Server Policy
  • FEP Configuration Baselines are added to Site Database > Computer Management > Desired Configuration Management > Configuration Baselines
    • FEP – High-Security Desktop
    • FEP – Laptop
    • FEP – Performance-Optimized Desktop
    • FEP – Standard Desktop
    • FEP Monitoring – Antimalware Status
    • FEP Monitoring – Definitions and Health Status
    • FEP Monitoring – Malware Activity
    • FEP Monitoring – Malware Detections
  • FEP Console extensions are added to Site Database > Computer Management > Forefront Endpoint Protection
    • Policies
    • Alerts
      • Malware Detection Alerts
      • Malware Outbreak Alert
      • Repeated Malware Detection Alerts
      • Multiple Malware Detection Alerts
    • Reports

(PART 3) Integration with ConfigMgr 2007 – How does it work

Now that we know how FEP is installed and what it creates during the installation, let’s take a look at how it all works together. This part is not about all the different possible settings, but about how/when each piece gets called in ConfigMgr 2007.

Client Deployment
For the deployment of the FEP client, the Microsoft Corporation FEP – Deployment 1.0 package can be used. This package contains a script that will also make sure that any of the following previously installed antimalware clients are uninstalled:

  • Symantec Endpoint Protection version 11
  • Symantec Corporate Edition version 10
  • McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent
  • Forefront Client Security version 1 and the Operations Manager agent
  • TrendMicro OfficeScan version 8 and version 10

Client Policies
For the policy deployment to the FEP client, the Microsoft Corporation FEP – Policies 1.0 package will be used. By default the already existing advertisements Assign FEP policy Default Desktop Policy and Assign FEP policy Default Server Policy are used for this. This package contains a script that makes sure that policy changes made through the console (and saved in XML) get updated on the clients. For this the Deployed Desktops and Deployed Servers collections are used.

Client Operations
For the execution of the FEP client actions, the Microsoft Corporation FEP – Operations 1.0 package will be used. An action can be started via the right-click menu and the Actions pane for computer objects. After this the computer object gets populated in the Operations collection and the script (of this package) gets assigned to the collection.

Client Health
For the client health the FEP Dashboard can be used. This dashboard shows an overview of Deployment Status, Policy Distribution Status, Definition Status, Protection Status, Security Status and Forefront Endpoint Protection Baselines. The statuses are based on the memberships of the FEP * Status collections. So, indirectly, the membership queries of these collections determine what the dashboard shows.

Client Updates
For the client updates it’s still possible to use an Auto-Approval rule for Definitions Updates in WSUS.

More information about FEP 2010: http://technet.microsoft.com/en-us/library/gg412482.aspx
