Let’s start this post with a simple question. What’s the reason why the new version of Microsoft’s Forefront Endpoint Protection (FEP) 2010 is so kewl? Well, it’s the same reason why I’m blogging about it, it’s because it fully integrates with ConfigMgr 2007! In this post I will go through the installation and the integration of FEP 2010 with ConfigMgr 2007 in three parts.
(PART 1) Integration with ConfigMgr 2007 – How to install
- (Optional) Install Windows Installer 3.1.
- (Optional) Install .NET Framework 3.5 SP1.
- (Optional) Install ConfigMGr Hotfix KB2271736.
- Run the serversetup.exe of the DVD and the Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
- On the Welcome page, type your name, the name of your organization, and click Next.
- On the Microsoft Software License Terms page, select the I accept the software license terms check box, and click Next.
- On the Installation Options page, select Basic topology, and click Next.
- On the Reporting Configuration page, verify the URL of your reporting server and the name of a user account that is used, type the password for the specified user account, and click Next.
- On the Updates and Customer Experience Options page, only select Join the Customer Experience Improvement Program, and click Next.
- On the Microsoft SpyNet Policy Configuration page, select Join Microsoft SpyNet, click Advanced SpyNet membership, and click Next.
- On the Installation Location page, specify the folder for installation, and click Next.
- On the Prerequisites Verification page, click Next.
- On the Setup Summary page, click Install.
- On the Installation page, click Next.
- On the Installation Complete page, click Finish.
(PART 2) Integration with ConfigMgr 2007 – How does it look
After the successful installation of FEP 2010, it’s time to take a closer look at how it’s integrated with ConfigMgr 2007. For this I will create a list with all the changes/ add-ons to the ConfigMgr Console that are created during the installation of FEP.
- FEP Operations are added to right-click menu, and Actions pane for computer objects
- FEP Collections are added to Site Database > Computer Management > Collections
- Definitions Status
- Older Than 1 Week
- Up to 3 Days
- Up to 7 Days
- Up to Date
- Deployment Status
- Deployment Failed
- Deployment Succeeded
- Deployed Desktops
- Deployed Servers
- Locally Removed
- Not Targeted
- Out of Date
- Policy Distribution Status
- Distribution Failed
- Distribution Pending
- Policy Distributed
- Protection Status
- Not Reporting
- Protection Service Off
- Security Status
- Full Scan Required
- Recent Malware Activity
- Restart Required
- Definitions Status
- FEP Packages are added to Site Database > Computer Management > Software Distribution > Packages
- Microsoft Corporation FEP – Deployment 1.0
- Microsoft Corporation FEP – Operations 1.0
- Microsoft Corporation FEP – Policies 1.0
- FEP Advertisements are added to Site Database > Computer Management > Software Distribution > Advertisements
- FEP Operations
- FEP Policies
- Assign FEP policy Default Desktop Policy
- Assign FEP policy Default Server Policy
- FEP Configuration Baselines are added to Site Database > Computer Management > Desired Configuration Management > Configuration Baselines
- FEP – High-Security Desktop
- FEP – Laptop
- FEP – Performance-Optimized Desktop
- FEP – Standard Desktop
- FEP Monitoring – Antimalware Status
- FEP Monitoring – Definitions and Health Status
- FEP Monitoring – Malware Activity
- FEP Monitoring – Malware Detections
- FEP Console extensions are added to Site Database > Computer Management > Forefront Endpoint Protection
- Malware Detection Alerts
- Malware Outbreak Alert
- Repeated Malware Detection Alerts
- Multiple Malware Detection Alerts
(PART 3) Integration with ConfigMgr 2007 – How does it work
Now we know how FEP is installed and what it all creates during the installation, let’s take a look at how it all works together. This part is not about all the possibly different settings, but about how/ when it gets called in ConfigMgr 2007.
For the deployment of the FEP client, the Microsoft Corporation FEP – Deployment 1.0 –package can be used. This package contains a script that also will make sure that any of the following previously installed antimalware clients will be uninstalled:
- Symantec Endpoint Protection version 11
- Symantec Corporate Edition version 10
- McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent
- Forefront Client Security version 1 and the Operations Manager agent
- TrendMicro OfficeScan version 8 and version 10
For the policy deployment to the FEP client, the Microsoft Corporation FEP – Policies 1.0 –package will be used. By default the already existing advertisement of Assign FEP policy Default Desktop Policy and Assign FEP policy Default Server Policy are used for this. This package contains a script that will make sure that policy changes, that are made through the console (and saved in XML), get updated on the clients. For this the Deployed Desktops and Deployed Servers –collections are used.
For the execution of the FEP client actions, the Microsoft Corporation FEP – Operations 1.0 –package will be used. This action can be performed via the right-click menu, and the Actions pane for computer objects. After this the computer object gets populated in the Operations –collection and the script (of this package) gets assigned to the collection.
For the client health the FEP Dashboard (see picture) can be used. This dashboard shows an overview of Deployment Status, Policy Distribution Status, Definition Status, Protection Status, Security Status and Forefront Endpoint Protection Baselines. The statuses are based on the memberships of the FEP * Status –collections. So indirect the membership –queries of these collections make sure what the dashboard shows.
For the client updates it’s still possible to use an Auto-Approval rule for Definitions Updates in WSUS.
More information about FEP 2010: http://technet.microsoft.com/en-us/library/gg412482.aspx