
Forefront Endpoint Protection 2010 installation and configuration guide for Configuration Manager 2007

Author: Kent Agerlund & Michael Buchardt
Create date: 19/04-2011
Change date: 16/10-2011
Document version no.: 1.4

Written by Kent Agerlund and Michael Buchardt, Coretech A/S

Page 1 of 71

Document information
History
Date

Author

Version

Reason for change

19/04-2011

1.0

N/A

1.2

15/10-2011

Kent Agerlund &


Michael Buchardt
Kent Agerlund &
Michael Buchardt
Michael Buchardt

16/10-2011

Kent Agerlund

1.4

Added information about FEP 2010 Update 1 Rollup (installation and configuration)
Added information about installing Reporting Services, Analysis Services and Integration Services for SQL Server 2008 R2
Minor changes, added policy template information.

05/07-2011

1.3

Proof readers
Name

Version

Date of approval

Forefront Endpoint Protection 2010 installation and configuration guide for Configuration Manager 2007 v1.4.docx


Table of contents
Document information
History
Proof readers
Table of contents
Configuration Manager Site Topologies and FEP 2010
Single-Site Deployment
Centralized policy control and centralized FEP administration
Centralized policy control and decentralized FEP administration
Decentralized policy control and decentralized FEP administration
Decentralized policy control and FEP administration with centralized FEP reporting
Installing SQL 2008 R2 requirements
Preparing the Site server for the FEP 2010 installation
Installing FEP 2010
Templates
Template settings
Changes made to the default template settings
Common settings for all templates
Common settings for all server policies
Default desktop
ConfigMgr Server Policy
Alerts
Reports
DCM Settings
Configure WSUS to automatically approve FEP 2010 definition updates
FEP 2010 Update Rollup 1 information
Installing FEP 2010 Update Rollup 1
Installing the KB2554364 hotfix on the FEP reporting server
Extracting the FEP2010 Update Rollup installation files
Installing the Update Rollup 1 on the Configuration Manager Site server (FepExt)
Installing the Update Rollup 1 on the FEP 2010 Reporting Server (FepReport)
Installing the Update Rollup 1 on the FEP 2010 Console machines (FepUx)
Deploying the FEP 2010 Update Rollup 1 to Clients
Configuring Configuration Manager 2007 SUP to distribute FEP definition updates to your FEP 2010 clients
Configuring FEP 2010 clients to use Configuration Manager as the primary source for definition updates
Configuring the FEP 2010 Definition Update Automation tool
Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)
Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)
Testing the FEP 2010 Definition Update Automation tool


Configuration Manager Site Topologies and FEP 2010


You can deploy Forefront Endpoint Protection 2010 (FEP) to a Configuration Manager standalone (single) site or to a hierarchical site environment. Installation of Forefront Endpoint
Protection on secondary sites is not supported.

Single-Site Deployment
In a single-site Configuration Manager deployment, Forefront Endpoint Protection is installed
on the Configuration Manager site server. Configuration Manager administrators can perform
the following tasks from the Configuration Manager console:

- Create or modify Forefront Endpoint Protection policies
- Assign Forefront Endpoint Protection policies to collections
- Deploy Forefront Endpoint Protection clients to collections
- Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard
- Configure Forefront Endpoint Protection alerts
- Assign the Forefront Endpoint Protection Desired Configuration Management configuration baselines to collections


Hierarchical Deployment
In a hierarchical Configuration Manager deployment, a parent site has one or more attached
child sites in the hierarchy. A parent site contains pertinent information about its child sites,
and it can control many operations at the child sites. A site that has no parent site is known
as a central site.
Depending on the needs and requirements of an organization, you can deploy Forefront
Endpoint Protection to achieve the following scenarios:

- Centralized policy control and centralized FEP administration
- Centralized policy control and decentralized FEP administration
- Decentralized policy control and decentralized FEP administration
- Decentralized policy control and FEP administration with centralized FEP reporting


Centralized policy control and centralized FEP administration


In this scenario, administrators at the Configuration Manager parent site control the
configuration and administration of Forefront Endpoint Protection. Administrators at the
parent site are responsible for policy management and day-to-day monitoring of Forefront
Endpoint Protection. Administrators at the child sites can deploy the Forefront Endpoint
Protection client software to collections in the child site and assign FEP policies, but have
limited ability to monitor the progress of the FEP client software and policy deployments.
To implement this scenario, install Forefront Endpoint Protection only on the primary parent
site.


The following table lists the tasks that can be accomplished when Forefront Endpoint Protection
is installed on the parent primary site only.

| Task | Connected to the parent site | Connected to the child sites |
| --- | --- | --- |
| Deploy FEP clients to collections | Yes | Yes |
| Create or modify FEP policies | Yes | No |
| Assign FEP policies to collections | Yes | Yes |
| Monitor FEP client deployment and policy deployment progress | Yes | Limited |
| Monitor FEP via the FEP dashboard | Yes | No |
| FEP reporting | Yes | No |
| Configure FEP alerts | Yes | No |
| FEP Operations | Yes | Limited |


Centralized policy control and decentralized FEP administration


In this scenario, FEP policies are managed centrally at the parent site, but the administrators
at the child sites are responsible for the deployment and day-to-day management of FEP.
Administrators at the child sites can view the Forefront Endpoint Protection policies, but
cannot create, modify, or delete a policy.
To implement this scenario, you must install Forefront Endpoint Protection on both the
primary parent site and the primary child sites.


The following table lists the tasks that you can accomplish when Forefront Endpoint
Protection is installed on the parent site and child sites.

| Task | Connected to the parent site | Connected to the child sites |
| --- | --- | --- |
| Deploy FEP clients to collections | Yes | Yes |
| Create or modify FEP policies | Yes | No |
| Assign FEP policies to collections | Yes | Yes |
| Monitor FEP client deployment and policy deployment progress | Yes | Yes |
| Monitor FEP via the FEP dashboard | Yes | Yes |
| FEP reporting | Yes | Yes |
| Configure FEP alerts | Yes | Yes |
| FEP Operations | Yes | Yes |


Important:
At a child site, there are two FEP Deployment packages, one from the parent site and one
from the child site. When deploying the Forefront Endpoint Protection client software from
the child site, you must deploy by using the software package from the parent site. The first
three letters of the software package Package ID indicate from which site the software
package originates.
When you install Forefront Endpoint Protection on the child site first, and then install
Forefront Endpoint Protection on the parent site, the FEP Policies package on the child site
is disabled, and the FEP Policies package from the parent site is propagated to the child
site. Policies created on the child site no longer exist. It is recommended that you export the
policies from the child site before you install Forefront Endpoint Protection on the parent site.
After installing Forefront Endpoint Protection on the parent site, you can import the policies
on the parent site.
Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint
Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality
of the child sites. Repair the Forefront Endpoint Protection installation on each child site after
Forefront Endpoint Protection is uninstalled from the parent site.
FEP clients deployed at the child sites appear only in the following Client Deployment Status
categories at the parent site:

Deployed

Out of date

The reason for this is that the information for these categories is based on Configuration
Manager hardware inventory data that the parent site receives from the child sites.
The information for the following deployment categories is based on the Configuration
Manager advertisements: Removed, Failed, and Pending. Because the parent site cannot see
the advertisements created at a child site, deployment information for these categories is not
displayed at the parent site. You can view the full deployment status for deployed FEP client
software at the child site.
Policy distribution status for FEP policies assigned to collections at a child site can take up to
24 hours to display at the parent site.


Decentralized policy control and decentralized FEP administration

In this scenario, the FEP policies are managed independently at each of the child sites, and
the child site administrators are responsible for the deployment and day-to-day management
of Forefront Endpoint Protection. Site administrators can share policies by exporting and
importing Forefront Endpoint Protection policies from one site to another. Tasks performed
on a child site only affect the devices of that child site.
To implement this scenario, install Forefront Endpoint Protection in primary child sites only.


Important:
Do not install Forefront Endpoint Protection on the parent site, because this disables the
existing policies on the child sites and enables the following scenario: Centralized policy
control and decentralized FEP administration.
The following table lists the tasks that you can accomplish when Forefront Endpoint
Protection is installed at the child sites only.

| Task | Connected to the parent site | Connected to the child sites |
| --- | --- | --- |
| Deploy FEP clients to collections | No | Yes |
| Create or modify FEP policies | No | Yes |
| Assign FEP policies to collections | No | Yes |
| Monitor FEP via the FEP dashboard | No | Yes |
| FEP reporting | No | Yes |
| Configure FEP alerts | No | Yes |
| FEP Operations | No | Yes |


Decentralized policy control and FEP administration with centralized FEP reporting

This scenario is very similar to the Decentralized policy control and FEP administration
scenario, and in addition, provides centralized organization-wide reporting.
In this scenario, FEP policies are managed independently at each of the child sites, and the
child site administrators are responsible for the deployment and day-to-day management of
FEP. Site administrators can share policies by exporting and importing Forefront Endpoint
Protection policies from one site to another.
To implement this scenario, install Forefront Endpoint Protection on primary child sites and
install only FEP reporting on the primary parent site.


Important:
Do not install full Forefront Endpoint Protection on the parent site, because this disables the
existing policies on the child sites and enables the following scenario: Centralized policy
control and decentralized FEP administration.
The following table lists the Forefront Endpoint Protection tasks that you can accomplish
when Forefront Endpoint Protection is installed at the child sites only.

| Task | Connected to the parent site | Connected to the child sites |
| --- | --- | --- |
| Deploy FEP clients to collections | No | Yes |
| Create or modify FEP policies | No | Yes |
| Assign FEP policies to collections | No | Yes |
| Monitor FEP via the FEP dashboard | No | Yes |
| FEP reporting | Yes | Yes |
| Configure FEP alerts | Yes | Yes |
| FEP Operations | No | Yes |


Installing SQL 2008 R2 requirements


Click Start and type Programs and then press Enter

In the Programs and Features window, select Microsoft SQL Server 2008 R2 (64 bit) and then click Uninstall/Change
Note: Make sure your SQL 2008 R2 installation media is inserted into your DVD drive

In the SQL Server 2008 R2 dialog box, click Add and wait for the SQL Server 2008 R2 installation to start


In the SQL Server Installation Center, click Installation and then select New installation or add features to an existing installation

On the Setup Support Rules page, click Show details and verify that all the rule checks show passed. Then click OK

On the Setup Support Files page, click Install


On the Setup Support Rules page, click Show details and verify that all the rule checks show passed. Then click Next

On the Installation Type page, select Add features to an existing instance of SQL Server 2008 R2 and click Next

On the Feature Selection page, select Analysis Services, Reporting Services and Integration Services and then click Next


On the Installation Rules page, click Show details and verify that all the rule checks show passed. Then click Next

On the Disk Space Requirements page, verify that there is enough available disk space for the selected features and then click Next

On the Server Configuration page, select Use the same account for all SQL Server Services
Note: A separate domain account should be used for each SQL Server service

In the Use the same account for all SQL Server 2008 R2 Services window, click the drop-down arrow and select NT AUTHORITY\SYSTEM. Then click OK
Back on the Server Configuration page, click Next


On the Analysis Services Configuration page, select Add Current User and then click Next
Note: The users added here will have unrestricted access to Analysis Services

On the Reporting Services page, verify that Install, but do not configure the report server is selected and click Next

On the Error Reporting page, click Next


On the Installation Configuration Rules page, click Show details and verify that all the rule checks show passed. Then click Next

On the Ready to Install page, verify your selections and then click Install

On the Complete page, verify that the installation completed successfully and then click Close


Preparing the Site server for the FEP 2010 installation


Open a Command Prompt with administrative privileges and change your directory to where you have the FEP 2010 installation files.
In the Command Prompt window type SCCM2007-SP2-KB2271736-ENU.msi and then press Enter
Important: This hotfix is required on all administrator consoles.
On the Welcome to page, click Next

On the End-User License Agreement page, select I accept the terms in the License Agreement and then click Next


On the Ready to Install page, click Install

On the Completing the Software page, click Finish


Installing FEP 2010


Open a Command Prompt with administrative privileges and change your directory to where you have the FEP 2010 installation files.
In the Command Prompt window type Serversetup.exe and then press Enter
Important: You should run Serversetup.exe from either the x86 or x64 subdirectory depending on your OS architecture.
On the Welcome to Forefront Endpoint Protection 2010 Server Setup Wizard page, type company name and organization in the Name and Organization fields.
Then click Next.

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next

On the Installation Options page, select Basic topology and click Next.


On the Reporting Configuration page, fill in the following information:
User name (domain\user): Use the account used for SQL RS, for example petfood\SCCMSVCsqlrs
Password: Fill in the password for the account.
Then click Next

On the Updates and Customer Experience Options page, select Use Microsoft Updates to keep my products up to date and then click Next.

On the Microsoft SpyNet Policy Configuration page, select Join Microsoft Spynet and Advanced membership and click Next.

On the Installation Location page, accept the default installation location, C:\Program Files\Microsoft Forefront and click Next.


On the Prerequisites Verification page, verify that all prerequisite checks have a status of successful and then click Next.

On the Setup Summary page, verify the chosen installation options and then click Install

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete page, click Finish


Templates
The product ships with several default templates.

| Template name | Target collection |
| --- | --- |
| Default workstation | FEP Collections\Deployment Status\Deployment Succeeded\Deployed Desktops |
| Default server | FEP Collections\Deployment Status\Deployment Succeeded\Deployed Servers |
| Mail Server policy | FEP Collections\FEP Policies (Folder)\FEP Mail Server |
| ConfigMgr Server Policy | FEP Collections\FEP Policies (Folder)\FEP ConfigMgr Server |
| OpsMgr Server Policy | FEP Collections\FEP Policies (Folder)\FEP OpsMgr Server |
| File Server Policy | FEP Collections\FEP Policies (Folder)\FEP File Server |
| Domain Controller Server Policy | FEP Collections\FEP Policies (Folder)\FEP Domain Controller Server |
| SharePoint Server Policy | FEP Collections\FEP Policies (Folder)\FEP SharePoint Server |
| SQL Server Policy | FEP Collections\FEP Policies (Folder)\FEP SQL Server |

Template settings
All default settings are documented on TechNet - http://technet.microsoft.com/en-us/library/gg477039.aspx

Changes made to the default template settings


Below are some example settings that we configured for our clients and Configuration
Manager Server (with a local SQL installation). The settings below are in no way the only
correct settings; all policy settings must be discussed internally and match the security
policy of the organization.

Common settings for all templates


Exclusions
%windir%\system32\CCM
%windir%\SYSwow64\CCM


Windows Firewall
Manager Windows firewall disabled

Common settings for all server policies


Scheduled scans

Default desktop
Scheduled scans
Weekly scan, Friday 09:00 AM


Advanced
Enabled Scan removable storage devices such as USB flash drives

ConfigMgr Server Policy


Excluded Processes
%ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe

On the Microsoft TechNet Wiki (http://social.technet.microsoft.com/wiki/contents/articles/953.aspx) you can find an updated
list of recommended anti-virus exclusions for Windows Server.
This list includes, among others:
Windows, Active Directory, Cluster, Forefront, FRS, SQL, IIS, DHCP, SCOM, ConfigMgr,
Hyper-V, Exchange, SharePoint, Med-V and App-V
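
One way to check exclusion entries like those above before they go into a policy, as an added PowerShell example that is not part of the original guide: it expands each entry on the server it runs on and reports whether the path exists, whether it is a folder or a file, and the Authenticode status of excluded executables. The function name Test-FepExclusion is hypothetical; the entry list is copied from the settings shown in this guide.

```powershell
# Added example (not from the original guide). Run it on the server the policy
# will apply to. The entries are the exclusions listed in this guide.
$entries = @(
    '%windir%\system32\CCM',
    '%windir%\SYSwow64\CCM',
    '%ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe'
)

# Test-FepExclusion is a hypothetical helper name used only in this example.
function Test-FepExclusion {
    param([string[]]$Entry)

    foreach ($e in $Entry) {
        # Unknown or malformed variables (for example a missing leading %)
        # are left untouched by ExpandEnvironmentVariables, so a leftover %
        # means the entry would not match the intended path.
        $path = [Environment]::ExpandEnvironmentVariables($e)
        $kind = 'Missing'
        $signature = 'n/a'

        if ($path.Contains('%')) {
            $kind = 'UnresolvedVariable'
        }
        elseif (Test-Path -LiteralPath $path -PathType Container) {
            # A folder exclusion skips every file beneath it.
            $kind = 'Folder'
        }
        elseif (Test-Path -LiteralPath $path -PathType Leaf) {
            $kind = 'File'
            # An excluded process should be the vendor's signed binary.
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }

        New-Object PSObject -Property @{
            Entry     = $e
            Expanded  = $path
            Kind      = $kind
            Signature = $signature
        }
    }
}

$report = @(Test-FepExclusion -Entry $entries)

# Full report
$report | Select-Object Entry, Kind, Signature, Expanded | Format-List

# Entries to review before the policy is assigned: paths that do not exist on
# this server (the exclusion protects nothing here, and would silently cover
# whatever is later placed at that path) and executables without a valid
# signature. A status other than Valid is a prompt to look at the file,
# not a verdict.
$review = @($report | Where-Object {
    $_.Kind -eq 'Missing' -or
    $_.Kind -eq 'UnresolvedVariable' -or
    ($_.Kind -eq 'File' -and $_.Signature -ne 'Valid')
})

if ($review.Count -gt 0) {
    Write-Warning ("{0} exclusion entr(y/ies) need review:" -f $review.Count)
    $review | Select-Object Entry, Kind, Signature | Format-List
}
else {
    Write-Output 'All exclusion entries resolve to existing paths; excluded executables are validly signed.'
}
```

The SQL Server instance folders (MSSQL.1, MSSQL.2, MSSQL.3) differ between SQL Server versions and installations, so a Missing result for those entries means the path has to be adjusted to the folders actually present on the server.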


Alerts
Email settings

Malware Detection Alerts
A mail will be sent whenever malware is detected on a computer.
Mail

Forefront Endpoint Protection has detected malware on a computer in your organization.
Detection time (UTC): 4/20/2011 10:55:58 AM
Computer name: client1.petfood.local
Malware name: HackTool:Win32/Mailpassview
To view more information about malware activity in your organization, run a
Computer List Report.
Note: No additional Malware Detection alerts will be generated for this computer for
the next 24 hours.

Malware Outbreak Alert properties
A mail will be sent if more than 5 computers have the same malware detected.
Mail

Forefront Endpoint Protection has detected a fast spreading malware on computers in your organization.
Malware name: HackTool:Win32/Mailpassview
Number of computers affected: 6
Detection interval (minutes): 0
To view more information about malware activity in your organization, run an
Antimalware Activity Report.
Note: No additional Malware Outbreak alerts will be generated for this malware for
the next 24 hours.


Repeated Malware Detection Alert
A mail will be sent if the same malware is detected 4 times within 24 hours on a single computer.

New Multiple Malware Detection Alert
A mail will be sent if multiple malware is detected within 24 hours on a single computer.


Reports
All reports are accessible from http://servername/reports.

DCM Settings
Forefront Clients use desired configuration management to update status information in
Configuration Manager. By default 4 Configuration baselines are created and applied to
specific collections. Baselines written in bold are non-default baselines.

| Baseline | Applied Collection | Schedule |
| --- | --- | --- |
| FEP Monitoring Antimalware Status | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily |
| FEP Monitoring Definitions and Health Status | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily |
| FEP Monitoring Malware Activity | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily |
| FEP Monitoring Malware Detections | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily |
| **FEP Standard Desktop** | FEP Collections\Deployment Status\Deployment Succeeded\Deployed Desktops | Daily |


Configure WSUS to automatically approve FEP 2010 definition updates

Important: If you install FEP 2010 Update Rollup 1 and configure your environment to
use Configuration Manager as the primary source for your FEP 2010 Definition Updates, you
should not perform the step detailed in this section.
Open the WSUS administrator console.

Select Synchronization schedule and configure 6 synchronizations per day.
Click OK

Click Automatic Approvals.


Create a new rule that will automatically approve all definition updates.
Select When an update is in a specific classification.

Click on the any classification link.
Make sure you only select Definition updates.
Click OK

Select When an update is in a specific product.

Select Forefront Endpoint Protection 2010 and click OK.


Type FEP definitions as the name and click OK (twice).
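
The same configuration can be applied and checked from PowerShell through the WSUS administration API, shown here as an added example that is not part of the original guide. It assumes an elevated session on the WSUS server, that the rule targets the built-in All Computers group (the guide does not name a target group), and that the classification is titled Definition Updates in WSUS.

```powershell
# Added example (not from the original guide). Run elevated on the WSUS server.
$ruleName       = 'FEP definitions'                     # rule name used in this guide
$classification = 'Definition Updates'                  # classification selected in this guide
$product        = 'Forefront Endpoint Protection 2010'  # product selected in this guide
$targetGroup    = 'All Computers'                       # assumption: built-in WSUS group

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Synchronization schedule: 6 automatic synchronizations per day.
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $true
$subscription.NumberOfSynchronizationsPerDay = 6
$subscription.Save()

# Resolve the classification, product and target group by exact title.
# Stop if any of them does not resolve to exactly one object, so the rule
# can never be saved with a wider scope than intended.
$class = @($wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq $classification })
$cat   = @($wsus.GetUpdateCategories()      | Where-Object { $_.Title -eq $product })
$group = @($wsus.GetComputerTargetGroups()  | Where-Object { $_.Name  -eq $targetGroup })

if ($class.Count -ne 1 -or $cat.Count -ne 1 -or $group.Count -ne 1) {
    throw ("Could not resolve exactly one classification/product/group " +
           "(found $($class.Count)/$($cat.Count)/$($group.Count)). No rule was changed.")
}

$classColl = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
[void]$classColl.Add($class[0])
$catColl = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
[void]$catColl.Add($cat[0])
$groupColl = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groupColl.Add($group[0])

# Reuse the rule if it already exists, otherwise create it.
$rule = $wsus.GetInstallApprovalRules() |
    Where-Object { $_.Name -eq $ruleName } |
    Select-Object -First 1
if (-not $rule) {
    $rule = $wsus.CreateInstallApprovalRule($ruleName)
}

$rule.SetUpdateClassifications($classColl)
$rule.SetCategories($catColl)
$rule.SetComputerTargetGroups($groupColl)
$rule.Enabled = $true
$rule.Save()

# Read the rule back from the server and confirm its scope: only definition
# updates, only the FEP 2010 product.
$saved = $wsus.GetInstallApprovalRules() |
    Where-Object { $_.Name -eq $ruleName } |
    Select-Object -First 1
$savedClasses  = @($saved.GetUpdateClassifications() | ForEach-Object { $_.Title })
$savedProducts = @($saved.GetCategories()            | ForEach-Object { $_.Title })

Write-Output ("Rule            : {0} (enabled: {1})" -f $saved.Name, $saved.Enabled)
Write-Output ("Classifications : {0}" -f ($savedClasses -join ', '))
Write-Output ("Products        : {0}" -f ($savedProducts -join ', '))

if ($savedClasses.Count -ne 1 -or $savedClasses[0] -ne $classification -or
    $savedProducts.Count -ne 1 -or $savedProducts[0] -ne $product) {
    Write-Warning 'The saved rule approves more than FEP 2010 definition updates. Review it in the WSUS console.'
}
```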


FEP 2010 Update Rollup 1 information


The following list is a summary of the updates in FEP 2010 Update Rollup 1:

- FEP 2010 client support for the following Windows Embedded 7 client operating systems and Windows Server 2008 Core:
  - Windows Embedded Standard 7 SP1
  - Windows Embedded POSReady 7
  - Windows ThinPC
  - Windows Server 2008 Server Core (x86 or x64)
- Support for enabling deployment of Forefront Endpoint Protection definition updates through Configuration Manager 2007 software update point role
- Addition of two new preconfigured policy templates for Microsoft Forefront Threat Management Gateway and Microsoft Lync 2010
- Various bug fixes

For a full list of added functionality and fixes, see http://support.microsoft.com/kb/2551095


Installing FEP 2010 Update Rollup 1


Download FEP 2010 Update Rollup 1 from here:
http://www.microsoft.com/download/en/details.aspx?id=26583
Note: You must download the following pair of files depending on your server's
architecture.
FEP2010-Update-KB2554364-x64-ENU.EXE
FEP2010-Update-Rollup-KB2551095-x64-ENU.exe
or
FEP2010-Update-Rollup-KB2551095-x86-ENU.exe
FEP2010-Update-KB2554364-x86-ENU.EXE
You must first install either the x86 or x64 version of the KB2554364 hotfix on the computer
on which the FEP reporting feature is installed. Once this hotfix is installed, it cannot be
uninstalled.

Installing the KB2554364 hotfix on the FEP reporting server


Open a Command Prompt with administrative privileges and change your directory to where you have downloaded the FEP 2010 Update Rollup 1 files.
In the Command Prompt window type FEP2010-Update-KB2554364-x64-ENU.EXE and then press Enter
Important: Once this hotfix is installed, it CANNOT be uninstalled
On the Welcome to Reporting Update Setup Wizard page, click Next


On the Microsoft Software License Terms page, select I accept the software license terms and then click Next

On the Setup Summary page, click Install

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete page, click Finish
Then restart the machine


Extracting the FEP2010 Update Rollup installation files


Open a Command Prompt with administrative privileges and change your directory to where you have downloaded the FEP 2010 Update Rollup 1 files.
In the Command Prompt window type FEP2010-Update-Rollup-KB2551095-x64-ENU.EXE and then press Enter
In the Choose Directory for Extracted Files window, browse for a location where you want to extract the files and then click OK

On the Extraction Complete window, click OK


Installing the Update Rollup 1 on the Configuration Manager Site server (FepExt)

On the Configuration Manager Site Server, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files.
Double-click the FepExt folder and then double-click the Setup.exe file.

On the Welcome to Update Rollup 1 Setup Wizard page, click Next

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next


On the Setup Summary page, verify the installation options and then click Install.

On the Installation page, verify that the installation completed successfully and then click Next.

On the Installation Complete page, click Finish.


Installing the Update Rollup 1 on the FEP 2010 Reporting Server (FepReport)

On the server where FEP 2010 Reporting is installed, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files. Double-click the FepReport folder and then double-click the Setup.exe file.

On the Welcome to Update Rollup 1 Setup Wizard page, click Next.

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next.


On the Setup Summary page, verify the installation options and then click Install.

On the Installation page, verify that the installation completed successfully and then click Next.

On the Installation Complete page, click Finish.


Installing the Update Rollup 1 on the FEP 2010 Console machines (FepUx)

On the machines where the FEP 2010 Console is installed, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files. Double-click the FepUx folder and then double-click the Setup.exe file.

On the Welcome to Update Rollup 1 Setup Wizard page, click Next.

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next.


On the Setup Summary page, verify the installation options and then click Install.

On the Installation page, verify that the installation completed successfully and then click Next.

On the Installation Complete page, click Finish.


Deploying the FEP 2010 Update Rollup 1 to Clients


A new version of the Configuration Manager FEP Deployment package is installed as part of the FEP 2010 Update Rollup 1 update. Because of the new package, all computers installed with earlier versions of the FEP client software will be members of the Out of Date FEP collection.

In the Configuration Manager console, expand System Center Configuration Manager, Site Database, Computer Management and Software Distribution. Then click on the Advertisements node.

Right-click the FEP 2010 Client installation advertisement and choose Properties.


In the Name-of-advertisement window, click on the Schedule tab and then in the Program rerun behavior box, select Always run program. Click OK.

Back in the Configuration Manager Console, right-click the FEP 2010 Client installation advertisement and choose Re-run Advertisement. In the Re-run Advertisement window, click Yes.

Refresh policy on the FEP 2010 clients or wait for the policy refresh to automatically occur. Then check the FEP 2010 client status in the Configuration Manager Console by clicking on the Forefront Endpoint Protection node under System Center Configuration Manager, Site Database and Computer Management.


Configuring Configuration Manager 2007 SUP to distribute FEP definition updates to your FEP 2010 clients

Microsoft Forefront Endpoint Protection 2010 Update Rollup 1 includes the Definition
Update Automation tool. This tool enables you to use Configuration Manager 2007
software update points (SUP) to distribute FEP definition updates to your FEP clients.
To configure your environment to use the Definition Update Automation tool, it must
first be downloaded and copied to the Configuration Manager software update point.
The Definition Update Automation tool (fepsuasetup.cab) can be downloaded from
here: http://www.microsoft.com/download/en/details.aspx?id=26613

On your Configuration Manager SUP, in the location to which you copied the fepsuasetup.cab file, double-click the fepsuasetup.cab file, right-click the SoftwareUpdateAutomation.exe file and choose Extract. Browse to one of the following locations, depending on your OS architecture:
x86: %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin
x64: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin
Then click Extract.

In the File Download Security Warning dialog, click Save.


In the Configuration Manager console, expand System Center Configuration Manager, Site Database, Site Management, <SiteCode - SiteName>, Site Settings and then click the Component Configuration node.

In the details pane of the console, right-click the Software Update Point Component and select Properties.

In the Software Update Point Component Properties window, click on the Classifications tab and select the checkbox next to Definition updates.


Still in the Software Update Point Component Properties window, click on the Products tab. Scroll down to the Forefront group and select the checkbox next to Forefront Endpoint Protection 2010 and then click Apply and OK.

Back in the Configuration Manager console, expand Site Database, Computer Management and Software Updates. Then right-click the Update Repository node and select Run Synchronization.

In the Run Update Synchronization dialog box, select Yes.


The WSUS synchronization process can be monitored by opening the wsyncmgr.log file on the Configuration Manager site server. Wait for the WSUS synchronization to complete before continuing with the next steps.

Still in the Configuration Manager console, expand the Update Repository node, right-click it and select Refresh. Then expand Definition Updates and Microsoft and then click on the Forefront Endpoint Protection 2010 node.

In the details pane, click Definition for Microsoft Forefront Endpoint Protection 2010 and then select Download Software Updates.

On the Deployment Package page, select Create a new deployment package and fill in the following information:
Name: FEP2010_DefUpdates
Description: Definition Updates for Forefront Endpoint Protection 2010
Package source: \\sccmkbh\FEPDefUpdates
Then click Next.
Note: The share for the Package source must be created manually prior to completing this task.


On the Distribution Points page, click Browse and in the Add Distribution Points dialog box expand the CEN (Site code) node. Then select the distribution points, i.e. SCCMKBH and sccmkbh\sccm_dp$, and then click OK. Back on the Distribution Points page, verify that the selected distribution points are listed and then click OK and Next.

On the Data Access page, click Next.

On the Distribution Settings page, click Next.


On the Download Location page, select Download software updates from the Internet and then click Next.

On the Language Selection page, select English and then click Next.

On the Summary page, verify the chosen options and then click Next.
Note: Wait for the download to complete.


On the Wizard Completed page, verify that the Download Updates Wizard completed successfully and then click Close.

Back in the Configuration Manager console, in the details pane, click Definition for Microsoft Forefront Endpoint Protection 2010 and then select Deploy Software Updates.

On the General page, in the Name field type FEP2010_DefUpdates and then click Next.


On the Deployment Template page, select Create a new deployment template and then click Next.

On the Collection page, click Browse and in the Browse Collection dialog box, select the target collection for the FEP 2010 Definition Updates, i.e. Test, and then click OK. Back on the Collection page, verify that the selected collection is listed and then click Next.

On the Display/Time Settings page, select the following settings:
Suppress display notifications on clients
Client Local time
Duration: 2 Hours
Then click Next.


On the Restart Settings page, select the appropriate settings and click Next.

On the Event Generation page, select the appropriate settings and click Next.

On the Update Binary Download ConfigMgr Client Settings page, select the following settings:
Download software updates from distribution point and install
Download software updates from unprotected distribution point and install
Then click Next.


On the Create Template page, select Save deployment properties as a template and in the Template name field type FEP 2010 Definition Updates. Then click Next.

On the Deployment Package page, click Browse and in the Select a Package dialog box, select the package for the FEP 2010 Definition Updates created earlier, i.e. FEP2010_DefUpdates, and then click OK. Back on the Deployment Package page, verify that the selected package is listed and then click Next.

On the Download Location page, select Download software updates from the Internet and then click Next.
Note: Because all the required software updates have already been downloaded, the files will only be validated and not downloaded again.


On the Language Selection page, select English and then click Next.

On the Deployment Schedule page, select As soon as possible and then click Next.

On the Summary page, verify the chosen options and then click Next.
Note: Wait for the Wizard to complete.


On the Wizard Completed page, verify that the Deploy Software Updates Wizard completed successfully and then click Close.


Configuring FEP 2010 clients to use Configuration Manager as the primary source for definition updates

In the Configuration Manager console, expand System Center Configuration Manager, Computer Management and Forefront Endpoint Protection. Then click on the Policies node.

Right-click the policy, i.e. ConfigMgr Server Policy (Coretech), and select Properties.

In the Name-of-the-policy Properties window, i.e. ConfigMgr Server Policy (Coretech) Properties, click on the Updates tab.


On the Updates tab in the Name-of-the-policy Properties window, i.e. ConfigMgr Server Policy (Coretech) Properties, select the Use Configuration Manager as the primary source for definition updates check box.

Under the Use the following section to configure alternative sources heading, in the Every (hours) field, change the value to 6.

Under the Clients will pull updates from the selected heading, configure the order in which clients will pull updates according to your needs. Then click OK.

Repeat the above steps for all your FEP 2010 policies where you want to use Configuration Manager as the primary source for definition updates.


Configuring the FEP 2010 Definition Update Automation tool

The following two sections describe how to configure the FEP 2010 Definition Update Automation tool (softwareupdateautomation.exe):

Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)

Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)

The FEP 2010 Definition Update Automation tool (softwareupdateautomation.exe) will automatically check for new FEP 2010 definition updates against the WSUS server and download these. It will then update your existing FEP 2010 definition updates Deployment Package and Deployment and refresh your distribution points.

In order for this to work properly, the WSUS server needs to synchronize regularly with Windows Update in order to obtain knowledge of the new FEP 2010 definitions. That is the reason why both methods use the Event ID 6702 as a trigger to execute the softwareupdateautomation.exe file.

You must only use one of the described methods when configuring the FEP 2010 Definition Update Automation tool.


Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)

On your Configuration Manager SUP, click Start, type task scheduler and then press Enter.

In the Task Scheduler window, in the menu bar, click Action and select Create Task.


In the Create Task window on the General tab, configure the following settings:
Name: FEP_Update_Tool
Description: This task will run the Definition Update Automation tool for FEP 2010 updates every 1 hour
Run whether user is logged on or not
Then click on the Actions tab.
Note: The user account used to run this task must have the appropriate Configuration Manager permissions to update the definition package and definition assignment specified in the command line.

On the Actions tab, click New.


In the New Action window, click Browse and browse to one of the following two locations, depending on your OS architecture:
x86: %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin
x64: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin
Then select the SoftwareUpdateAutomation.exe file and click Open.

Still in the New Action window, type the following information in the Add arguments (optional) field:

/AssignmentName Deployment /PackageName Package /RefreshDP

Where Deployment is the name of the software deployment for the definitions, and Package is the name of the software package that contains the definitions, i.e.

/AssignmentName FEP2010_DefUpdates /PackageName FEP2010_DefUpdates /RefreshDP

Then click OK.


Click on the Triggers tab and then click New.

In the New Trigger dialog box, under Advanced settings, select the check box for Repeat task every, in the list click 1 hour, and then next to for a duration of, click Indefinitely. Then click OK.

Still on the Triggers tab, click New.


In the New Trigger dialog box, in the Begin the task field, select On an event. Under Settings, select the following from the drop-down box:
Log: Application
Source: SMS Server
In the Event ID field, type 6702. Under Advanced settings, ensure that the Enabled check box is selected. Then click OK twice.

In the Task Scheduler password dialog box, type in the password of the user account which the task runs under, then click OK and close the Task Scheduler.


Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)

In the Configuration Manager console, expand System Center Configuration Manager, Site Database, <Sitecode - Site name>, Site Settings. Then right-click the Status Filter Rules node and select New Status Filter Rule.

On the General page of the New Status Filter Rule Wizard, type a name for the new Status Filter Rule, i.e. FEP 2010 definition update automation tool. Then select the following fields and information from the drop-down boxes:
Source: ConfigMgr Server
Component: SMS_WSUS_SYNC_MANAGER
Message ID: 6702
Then click Next.

On the Actions page, select Run a program, and in the Program field, type the following information, i.e.

"D:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName "FEPDefUpdates" /PackageName "FEPDefUpdates" /RefreshDP

The location of the SoftwareUpdateAutomation.exe tool is dependent on your OS architecture:
x86: %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin
x64: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin

Then click Next.


On the Summary page, verify the chosen options and then click Next.

On the Wizard Completed page, verify that the New Status Filter Wizard completed successfully and then click Close.


Testing the FEP 2010 Definition Update Automation tool


Back in the Configuration Manager console, expand Site Database, Computer Management and Software Updates. Then right-click the Update Repository node and select Run Synchronization.

In the Run Update Synchronization dialog box, select Yes.

The WSUS synchronization process can be monitored by opening the wsyncmgr.log file on the Configuration Manager site server. Wait for the WSUS synchronization to complete before continuing with the next steps.


Open the Task Scheduler and click on the Task Scheduler Library in the left pane. Then click on the task in the details pane that you created earlier, i.e. FEP_Update_Tool.

Still in the details pane of the Task Scheduler, click on the History tab and verify that the task was triggered by the 6702 event.

Open the Event Viewer, expand Windows Logs and then click on Application. In the details pane, scroll down until you find 6702 under the Event ID column. Click on the event and verify the information about this event on the General tab in the lower part of the details pane. Then close the Event Viewer.


Browse to %programdata%, i.e. C:\ProgramData, and open the SoftwareUpdateAutomation.log file. Look for errors and warnings in the log file. You will see something similar to the message below:

SmsAdminUISnapIn Error 0 : (SMS_PackageToContent ContentOD=7861,PackageID=CEN00013).IsContentValid returns true. We wont download the content again.

This basically means that the FEP 2010 definitions downloaded are up-to-date and there is no need to download them again. So it isn't an error for now.

Scroll down to the end of the SoftwareUpdateAutomation.log file. Look for something similar to the message below:

SmsAdminUISnapIn Information: 1:SCF session handle {4dc4531e-96f0-4d9c-a990-068100636609} has successfully released

This means that the Definition Update Automation tool has released the Deployment and Package used for FEP2010 Definition Updates and that the automatic update process is working correctly.
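
The log check described above, as an added PowerShell example that is not part of the original guide or of the tool: it treats the IsContentValid message as harmless, reports every other Error or Warning, and requires the session-release message. The function name Test-FepAutomationLog, the one-entry-per-line format, the constructed Warning line, the 200-line tail and the 2-hour staleness limit are assumptions.

```powershell
# Added example, not part of the guide or of SoftwareUpdateAutomation.exe.
# Assumption: one entry per line, shaped like the two messages the guide quotes
# ("SmsAdminUISnapIn <Level> <id> : <text>"); lines of any other shape are skipped.
function Test-FepAutomationLog {
    param([string[]]$Line = @())

    $entry    = '^\s*SmsAdminUISnapIn\s+(Error|Warning|Information)\s*:?\s*\d+\s*:\s*(.*)$'
    $benign   = 'IsContentValid returns true'   # content already valid, not a failure
    $released = 'SCF session handle \{[0-9a-f-]+\} has successfully released'

    $findings    = @()
    $benignCount = 0
    $releaseLine = 0      # 1-based line number of the last release message, 0 = none
    for ($i = 0; $i -lt $Line.Count; $i++) {
        if ($Line[$i] -match $entry) {
            $level = $Matches[1]
            $text  = $Matches[2].Trim()
            if ($level -eq 'Information') {
                if ($text -match $released) { $releaseLine = $i + 1 }
            }
            elseif ($level -eq 'Error' -and $text -match $benign) {
                $benignCount++
            }
            else {
                # Any other Error or Warning needs a human to look at it.
                $findings += New-Object PSObject -Property @{
                    LineNumber = $i + 1; Level = $level; Text = $text
                }
            }
        }
    }

    New-Object PSObject -Property @{
        Healthy      = ($findings.Count -eq 0) -and ($releaseLine -gt 0)
        BenignErrors = $benignCount
        ReleaseLine  = $releaseLine
        Findings     = $findings
    }
}

# Constructed sample: the first and last lines are the messages quoted in the
# guide; the Warning line is invented for illustration.
$sample = @(
    'SmsAdminUISnapIn Error 0 : (SMS_PackageToContent ContentOD=7861,PackageID=CEN00013).IsContentValid returns true. We wont download the content again.',
    'SmsAdminUISnapIn Warning: 1 : constructed sample: refresh of distribution point failed',
    'SmsAdminUISnapIn Information: 1:SCF session handle {4dc4531e-96f0-4d9c-a990-068100636609} has successfully released'
)
$result = Test-FepAutomationLog -Line $sample
$result | Format-List Healthy, BenignErrors, ReleaseLine
$result.Findings | Format-Table LineNumber, Level, Text -AutoSize

# On the SUP: check the tail of the real log and when the tool last wrote to it.
# The 200-line tail and the 2-hour limit are assumptions; the guide's task runs hourly.
if ($env:ProgramData) {
    $log = Join-Path $env:ProgramData 'SoftwareUpdateAutomation.log'
    if (Test-Path $log) {
        $tail = @(Get-Content $log | Select-Object -Last 200)
        $real = Test-FepAutomationLog -Line $tail
        $idle = ((Get-Date) - (Get-Item $log).LastWriteTime).TotalHours
        if (-not $real.Healthy) { Write-Warning "Unexplained entries or no release message in $log" }
        if ($idle -gt 2) { Write-Warning ("No log activity for {0:N1} hours" -f $idle) }
    }
}
```

A log that has stopped growing matters as much as one that contains errors: if the tool no longer runs, clients keep reporting against definitions that are no longer being refreshed.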
