Let’s start this post with a simple question. What’s the reason why the new version of Microsoft’s Forefront Endpoint Protection (FEP) 2010 is so kewl? Well, it’s the same reason why I’m blogging about it, it’s because it fully integrates with ConfigMgr 2007! In this post I will go through the installation and the integration of FEP 2010 with ConfigMgr 2007 in three parts.
(PART 1) Integration with ConfigMgr 2007 – How to install
For the installation I will go through a Basic topology installation and its prerequisites (the installation has to be performed on a Central/ Primary Site server).
- (Optional) Install Windows Installer 3.1.
- (Optional) Install .NET Framework 3.5 SP1.
- (Optional) Install ConfigMGr Hotfix KB2271736.
- Run the serversetup.exe of the DVD and the Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
- On the Welcome page, type your name, the name of your organization, and click Next.
- On the Microsoft Software License Terms page, select the I accept the software license terms check box, and click Next.
- On the Installation Options page, select Basic topology, and click Next.
- On the Reporting Configuration page, verify the URL of your reporting server and the name of a user account that is used, type the password for the specified user account, and click Next.
- On the Updates and Customer Experience Options page, only select Join the Customer Experience Improvement Program, and click Next.
- On the Microsoft SpyNet Policy Configuration page, select Join Microsoft SpyNet, click Advanced SpyNet membership, and click Next.
- On the Installation Location page, specify the folder for installation, and click Next.
- On the Prerequisites Verification page, click Next.
- On the Setup Summary page, click Install.
- On the Installation page, click Next.
- On the Installation Complete page, click Finish.
(PART 2) Integration with ConfigMgr 2007 – How does it look
After the successful installation of FEP 2010, it’s time to take a closer look at how it’s integrated with ConfigMgr 2007. For this I will create a list with all the changes/ add-ons to the ConfigMgr Console that are created during the installation of FEP.
- FEP Operations are added to right-click menu, and Actions pane for computer objects
- FEP Collections are added to Site Database > Computer Management > Collections
- Definitions Status
- Older Than 1 Week
- Up to 3 Days
- Up to 7 Days
- Up to Date
- Deployment Status
- Deployment Failed
- Deployment Succeeded
- Deployed Desktops
- Deployed Servers
- Locally Removed
- Not Targeted
- Out of Date
- Operations
- Policy Distribution Status
- Distribution Failed
- Distribution Pending
- Policy Distributed
- Protection Status
- Healthy
- Not Reporting
- Protection Service Off
- Security Status
- Full Scan Required
- Infected
- Recent Malware Activity
- Restart Required
- Definitions Status
- FEP Packages are added to Site Database > Computer Management > Software Distribution > Packages
- Microsoft Corporation FEP – Deployment 1.0
- Microsoft Corporation FEP – Operations 1.0
- Microsoft Corporation FEP – Policies 1.0
- FEP Advertisements are added to Site Database > Computer Management > Software Distribution > Advertisements
- FEP Operations
- FEP Policies
- Assign FEP policy Default Desktop Policy
- Assign FEP policy Default Server Policy
- FEP Configuration Baselines are added to Site Database > Computer Management > Desired Configuration Management > Configuration Baselines
- FEP – High-Security Desktop
- FEP – Laptop
- FEP – Performance-Optimized Desktop
- FEP – Standard Desktop
- FEP Monitoring – Antimalware Status
- FEP Monitoring – Definitions and Health Status
- FEP Monitoring – Malware Activity
- FEP Monitoring – Malware Detections
- FEP Console extensions are added to Site Database > Computer Management > Forefront Endpoint Protection
- Policies
- Alerts
- Malware Detection Alerts
- Malware Outbreak Alert
- Repeated Malware Detection Alerts
- Multiple Malware Detection Alerts
- Reports
(PART 3) Integration with ConfigMgr 2007 – How does it work
Now we know how FEP is installed and what it all creates during the installation, let’s take a look at how it all works together. This part is not about all the possibly different settings, but about how/ when it gets called in ConfigMgr 2007.
Client Deployment
For the deployment of the FEP client, the Microsoft Corporation FEP – Deployment 1.0 –package can be used. This package contains a script that also will make sure that any of the following previously installed antimalware clients will be uninstalled:
- Symantec Endpoint Protection version 11
- Symantec Corporate Edition version 10
- McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent
- Forefront Client Security version 1 and the Operations Manager agent
- TrendMicro OfficeScan version 8 and version 10
Client Policies
For the policy deployment to the FEP client, the Microsoft Corporation FEP – Policies 1.0 –package will be used. By default the already existing advertisement of Assign FEP policy Default Desktop Policy and Assign FEP policy Default Server Policy are used for this. This package contains a script that will make sure that policy changes, that are made through the console (and saved in XML), get updated on the clients. For this the Deployed Desktops and Deployed Servers –collections are used.
Client Operations
For the execution of the FEP client actions, the Microsoft Corporation FEP – Operations 1.0 –package will be used. This action can be performed via the right-click menu, and the Actions pane for computer objects. After this the computer object gets populated in the Operations –collection and the script (of this package) gets assigned to the collection.
Client Health
For the client health the FEP Dashboard (see picture) can be used. This dashboard shows an overview of Deployment Status, Policy Distribution Status, Definition Status, Protection Status, Security Status and Forefront Endpoint Protection Baselines. The statuses are based on the memberships of the FEP * Status –collections. So indirect the membership –queries of these collections make sure what the dashboard shows.
Client Updates
For the client updates it’s still possible to use an Auto-Approval rule for Definitions Updates in WSUS.
More information about FEP 2010: http://technet.microsoft.com/en-us/library/gg412482.aspx
Hallo Peter,
leuk artikel. Ik vraag me alleen af hoe het zit als WSUS geintegreerd is in SCCM. Hoe regel je dan dat definitie updates automatisch approved worden? microsoft geeft aan dat je dit vanuit de WSUS console moet doen. Maar als WSUS geintegreerd is in SCCM moet je eigenlijk van de WSUS server ‘afblijven’.
Weet jij hier toevallig iets over?
Hi Andre,
I will answer in English so more people can "enjoy" this answer. This is one of those situations where you (almost) have to break the "don’t touch WSUS" -rule and use this example (made for FCS): http://technet.microsoft.com/en-us/library/dd185652.aspx
When you definitly don’t want to break the "don’t touch WSUS" -rule then take a look at this tool from Kim Oppalfens: http://myitforum.com/cs2/blogs/koppalfens/archive/2010/09/24/auto-deploy-forefront-definition-updates-from-an-sccm-distribution-point.aspx
Peter
Hi Peter,
Hopefully u dont mind me contacting you again. I have learned alot about FEP already, also with help of the article you wrote about in the previous post.
There is however one question left which i couldnt get answered by googling around. Microsoft tells a tempdb is needed on a 500 GB LUN when you have more then 10.000 clients. Is this a fixed size? So probably not growing larger then 500 GB? Or is this like a starting size and grows bigger after some time?
Microsoft has a casy study about network and hard disk (db) growth, but they dont tell anything about the reporting database 🙁 I will introduce FEP to a company with approx 8000 clients. It’s not 10.000, but i will probably go ahead with Microsoft’s advice for the 500 GB LUN. However, i still would like to know how much the growth is of the reporting database. Do you know anything about it?
Thanks!
Hi Andre,
Sorry for the late response…
The tempdb is always growing and shrinking. It saves temporary data.
For a whole lot more information, take a look here: http://msdn.microsoft.com/en-us/library/ms190768.aspx
Peter
Hi Peter,
Nice post here. I have a question about the reports. The computer list report shows only about 22 computers but there are about 146 clients sucessfully deployed already. Is there a way to ensure the reports are correctly populated or is there something wrong somewhere with the reports?
Thanks.