ConfigMgr 2007 and Forefront Endpoint Protection 2010

Let’s start this post with a simple question. What’s the reason why the new version of Microsoft’s Forefront Endpoint Protection (FEP) 2010 is so kewl? Well, it’s the same reason why I’m blogging about it, it’s because it fully integrates with ConfigMgr 2007! In this post I will go through the installation and the integration of FEP 2010 with ConfigMgr 2007 in three parts.

(PART 1) Integration with ConfigMgr 2007 – How to install

FEP01_WelcomeFor the installation I will go through a Basic topology installation and its prerequisites (the installation has to be performed on a Central/ Primary Site server).

  1. (Optional) Install Windows Installer 3.1.
  2. (Optional) Install .NET Framework 3.5 SP1.
  3. (Optional) Install ConfigMGr Hotfix KB2271736.
  4. Run the serversetup.exe of the DVD and the Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
  5. On the Welcome page, type your name, the name of your organization, and click Next.
  6. On the Microsoft Software License Terms page, select the I accept the software license terms check box, and click Next.
  7. On the Installation Options page, select Basic topology, and click Next.
  8. On the Reporting Configuration page, verify the URL of your reporting server and the name of a user account that is used, type the password for the specified user account, and click Next.
  9. On the Updates and Customer Experience Options page, only select Join the Customer Experience Improvement Program, and click Next.
  10. On the Microsoft SpyNet Policy Configuration page, select Join Microsoft SpyNet, click Advanced SpyNet membership, and click Next.
  11. On the Installation Location page, specify the folder for installation, and click Next.
  12. On the Prerequisites Verification page, click Next.
  13. On the Setup Summary page, click Install.
  14. On the Installation page, click Next.
  15. On the Installation Complete page, click Finish.

(PART 2) Integration with ConfigMgr 2007 – How does it look

After the successful installation of FEP 2010, it’s time to take a closer look at how it’s integrated with ConfigMgr 2007. For this I will create a list with all the changes/ add-ons to the ConfigMgr Console that are created during the installation of FEP.

  • FEPActionsFEP Operations are added to right-click menu, and Actions pane for computer objects
  • FEP Collections are added to Site Database > Computer Management > Collections
    • FEPCollectionsDefinitions Status
      • Older Than 1 Week
      • Up to 3 Days
      • Up to 7 Days
      • Up to Date
    • Deployment Status
      • Deployment Failed
      • Deployment Succeeded
        • Deployed Desktops
        • Deployed Servers
      • Locally Removed
      • Not Targeted
      • Out of Date
    • Operations
    • Policy Distribution Status
      • Distribution Failed
      • Distribution Pending
      • Policy Distributed
    • Protection Status
      • Healthy
      • Not Reporting
      • Protection Service Off
    • Security Status
      • Full Scan Required
      • Infected
      • Recent Malware Activity
      • Restart Required
  • FEPPackagesFEP Packages are added to Site Database > Computer Management > Software Distribution > Packages
    • Microsoft Corporation FEP – Deployment 1.0
    • Microsoft Corporation FEP – Operations 1.0
    • Microsoft Corporation FEP – Policies 1.0
  • FEPAdvertismentsFEP Advertisements are added to Site Database > Computer Management > Software Distribution > Advertisements
    • FEP Operations
    • FEP Policies
      • Assign FEP policy Default Desktop Policy
      • Assign FEP policy Default Server Policy
  • FEPDCMFEP Configuration Baselines are added to Site Database > Computer Management > Desired Configuration Management > Configuration Baselines
    • FEP – High-Security Desktop
    • FEP – Laptop
    • FEP – Performance-Optimized Desktop
    • FEP – Standard Desktop
    • FEP Monitoring – Antimalware Status
    • FEP Monitoring – Definitions and Health Status
    • FEP Monitoring – Malware Activity
    • FEP Monitoring – Malware Detections
  • FEPConsoleFEP Console extensions are added to Site Database > Computer Management > Forefront Endpoint Protection
    • Policies
    • Alerts
      • Malware Detection Alerts
      • Malware Outbreak Alert
      • Repeated Malware Detection Alerts
      • Multiple Malware Detection Alerts
    • Reports

(PART 3) Integration with ConfigMgr 2007 – How does it work

Now we know how FEP is installed and what it all creates during the installation, let’s take a look at how it all works together. This part is not about all the possibly different settings, but about how/ when it gets called in ConfigMgr 2007.

FEPClientClient Deployment
For the deployment of the FEP client, the Microsoft Corporation FEP – Deployment 1.0 –package can be used. This package contains a script that also  will make sure that any of the following previously installed antimalware clients will be uninstalled:

  • Symantec Endpoint Protection version 11
  • Symantec Corporate Edition version 10
  • McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent
  • Forefront Client Security version 1 and the Operations Manager agent
  • TrendMicro OfficeScan version 8 and version 10

FEPPolicyClient Policies
For the policy deployment to the FEP client, the Microsoft Corporation FEP – Policies 1.0 –package will be used. By default the already existing advertisement of Assign FEP policy Default Desktop Policy and Assign FEP policy Default Server Policy are used for this. This package contains a script that will make sure that policy changes, that are made through the console (and saved in XML), get updated on the clients. For this the Deployed Desktops and Deployed Servers –collections are used.

Client Operations
For the execution of the FEP client actions, the Microsoft Corporation FEP – Operations 1.0 –package will be used. This action can be performed via the right-click menu, and the Actions pane for computer objects. After this the computer object gets populated in the Operations –collection and the script (of this package) gets assigned to the collection.

FEPDashboardClient Health
For the client health the FEP Dashboard (see picture) can be used. This dashboard shows an overview of Deployment Status, Policy Distribution Status, Definition Status, Protection Status, Security Status and Forefront Endpoint Protection Baselines. The statuses are based on the memberships of the FEP * Status –collections. So indirect the membership –queries of these collections make sure what the dashboard shows.

Client Updates
For the client updates it’s still possible to use an Auto-Approval rule for Definitions Updates in WSUS.

More information about FEP 2010: http://technet.microsoft.com/en-us/library/gg412482.aspx

6 thoughts on “ConfigMgr 2007 and Forefront Endpoint Protection 2010”

  1. Hallo Peter,
    leuk artikel. Ik vraag me alleen af hoe het zit als WSUS geintegreerd is in SCCM. Hoe regel je dan dat definitie updates automatisch approved worden? microsoft geeft aan dat je dit vanuit de WSUS console moet doen. Maar als WSUS geintegreerd is in SCCM moet je eigenlijk van de WSUS server ‘afblijven’.
    Weet jij hier toevallig iets over?

    Reply
  2. Hi Andre,

    I will answer in English so more people can "enjoy" this answer. This is one of those situations where you (almost) have to break the "don’t touch WSUS" -rule and use this example (made for FCS): http://technet.microsoft.com/en-us/library/dd185652.aspx

    When you definitly don’t want to break the "don’t touch WSUS" -rule then take a look at this tool from Kim Oppalfens: http://myitforum.com/cs2/blogs/koppalfens/archive/2010/09/24/auto-deploy-forefront-definition-updates-from-an-sccm-distribution-point.aspx

    Peter

    Reply
  3. Hi Peter,
    Hopefully u dont mind me contacting you again. I have learned alot about FEP already, also with help of the article you wrote about in the previous post.
    There is however one question left which i couldnt get answered by googling around. Microsoft tells a tempdb is needed on a 500 GB LUN when you have more then 10.000 clients. Is this a fixed size? So probably not growing larger then 500 GB? Or is this like a starting size and grows bigger after some time?
    Microsoft has a casy study about network and hard disk (db) growth, but they dont tell anything about the reporting database 🙁 I will introduce FEP to a company with approx 8000 clients. It’s not 10.000, but i will probably go ahead with Microsoft’s advice for the 500 GB LUN. However, i still would like to know how much the growth is of the reporting database. Do you know anything about it?
    Thanks!

    Reply
  4. Hi Peter,
    Nice post here. I have a question about the reports. The computer list report shows only about 22 computers but there are about 146 clients sucessfully deployed already. Is there a way to ensure the reports are correctly populated or is there something wrong somewhere with the reports?

    Thanks.

    Reply

Leave a Reply to Peter van der Woude Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.