Forefront Endpoint Protection 2010 installation and configuration guide for Configuration Manager 2007 v1.4
Written by Kent Agerlund and Michael Buchardt, Coretech A/S
Create date: 19/04-2011
Change date: 16/10-2011
Document version no.: 1.4
Document information
History
Date | Author | Version | Reason for change
19/04-2011 | Kent Agerlund & Michael Buchardt | 1.0 | N/A
05/07-2011 | Kent Agerlund & Michael Buchardt | 1.2 | Added information about FEP 2010 Update 1 Rollup (installation and configuration)
15/10-2011 | Michael Buchardt | 1.3 | Added information about installing Reporting Services, Analysis Services and Integration Services for SQL Server 2008 R2
16/10-2011 | Kent Agerlund | 1.4 | Minor changes, added policy template information.
Proof readers
Name | Version | Date of approval
Table of contents
Document information
  History
  Proof readers
Table of contents
Configuration Manager Site Topologies and FEP 2010
Single-Site Deployment
  Centralized policy control and centralized FEP administration
  Centralized policy control and decentralized FEP administration
  Decentralized policy control and decentralized FEP administration
  Decentralized policy control and FEP administration with centralized FEP reporting
Installing SQL 2008 R2 requirements
Preparing the Site server for the FEP 2010 installation
Installing FEP 2010
Templates
  Template settings
  Changes made to the default template settings
    Common settings for all templates
    Common settings for all server policies
    Default desktop
    ConfigMgr Server Policy
Alerts
Reports
DCM Settings
Configure WSUS to automatically approve FEP 2010 definition updates
FEP 2010 Update Rollup 1 information
Installing FEP 2010 Update Rollup 1
  Installing the KB2554364 hotfix on the FEP reporting server
  Extracting the FEP2010 Update Rollup installation files
  Installing the Update Rollup 1 on the Configuration Manager Site server (FepExt)
  Installing the Update Rollup 1 on the FEP 2010 Reporting Server (FepReport)
  Installing the Update Rollup 1 on the FEP 2010 Console machines (FepUx)
Deploying the FEP 2010 Update Rollup 1 to Clients
Configuring Configuration Manager 2007 SUP to distribute FEP definition updates to your FEP 2010 clients
  Configuring FEP 2010 clients to use Configuration Manager as the primary source for definition updates
Configuring the FEP 2010 Definition Update Automation tool
Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)
Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)
Testing the FEP 2010 Definition Update Automation tool
Configuration Manager Site Topologies and FEP 2010
You can deploy Forefront Endpoint Protection 2010 (FEP) to a Configuration Manager stand-alone (single) site or to a hierarchical site environment. Installation of Forefront Endpoint Protection on secondary sites is not supported.
Single-Site Deployment
In a single-site Configuration Manager deployment, Forefront Endpoint Protection is installed on the Configuration Manager site server. Configuration Manager administrators can perform the following tasks from the Configuration Manager console:
• Create or modify Forefront Endpoint Protection policies
• Assign Forefront Endpoint Protection policies to collections
• Deploy Forefront Endpoint Protection clients to collections
• Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard
• Configure Forefront Endpoint Protection alerts
• Assign the Forefront Endpoint Protection Desired Configuration Management configuration baselines to collections
Hierarchical Deployment
In a hierarchical Configuration Manager deployment, a parent site has one or more attached child sites in the hierarchy. A parent site contains pertinent information about its child sites, and it can control many operations at the child sites. A site that has no parent site is known as a central site.
Depending on the needs and requirements of an organization, you can deploy Forefront Endpoint Protection to achieve the following scenarios:
• Centralized policy control and centralized FEP administration
• Centralized policy control and decentralized FEP administration
• Decentralized policy control and decentralized FEP administration
• Decentralized policy control and FEP administration with centralized FEP reporting
Centralized policy control and centralized FEP administration
In this scenario, administrators at the Configuration Manager parent site control the configuration and administration of Forefront Endpoint Protection. Administrators at the parent site are responsible for policy management and day-to-day monitoring of Forefront Endpoint Protection. Administrators at the child sites can deploy the Forefront Endpoint Protection client software to collections in the child site and assign FEP policies, but have limited ability to monitor the progress of the FEP client software and policy deployments.
To implement this scenario, install Forefront Endpoint Protection only on the primary parent site.
The following table lists the tasks that can be accomplished when Forefront Endpoint Protection is installed on the parent primary site only.
Task | Connected to the parent site | Connected to the child sites
Deploy FEP clients to collections | Yes | Yes
Create or modify FEP policies | Yes | No
Assign FEP policies to collections | Yes | Yes
Monitor FEP client deployment and policy deployment progress | Yes | Limited
Monitor FEP via the FEP dashboard | Yes | No
FEP reporting | Yes | No
Configure FEP alerts | Yes | No
FEP Operations | Yes | Limited
Centralized policy control and decentralized FEP administration
In this scenario, FEP policies are managed centrally at the parent site, but the administrators at the child sites are responsible for the deployment and day-to-day management of FEP. Administrators at the child sites can view the Forefront Endpoint Protection policies, but cannot create, modify, or delete a policy.
To implement this scenario, you must install Forefront Endpoint Protection on both the primary parent site and the primary child sites.
The following table lists the tasks that you can accomplish when Forefront Endpoint Protection is installed on the parent site and child sites.
Task | Connected to the parent site | Connected to the child sites
Deploy FEP clients to collections | Yes | Yes
Create or modify FEP policies | Yes | No
Assign FEP policies to collections | Yes | Yes
Monitor FEP client deployment and policy deployment progress | Yes | Yes
Monitor FEP via the FEP dashboard | Yes | Yes
FEP reporting | Yes | Yes
Configure FEP alerts | Yes | Yes
FEP Operations | Yes | Yes
Important:
At a child site, there are two FEP – Deployment packages, one from the parent site and one from the child site. When deploying the Forefront Endpoint Protection client software from the child site, you must deploy by using the software package from the parent site. The first three letters of the software package's Package ID indicate from which site the software package originates.
When you install Forefront Endpoint Protection on the child site first, and then install Forefront Endpoint Protection on the parent site, the FEP – Policies package on the child site is disabled, and the FEP – Policies package from the parent site is propagated to the child site. Policies created on the child site no longer exist. It is recommended that you export the policies from the child site before you install Forefront Endpoint Protection on the parent site. After installing Forefront Endpoint Protection on the parent site, you can import the policies on the parent site.
Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality of the child sites. Repair the Forefront Endpoint Protection installation on each child site after Forefront Endpoint Protection is uninstalled from the parent site.
FEP clients deployed at the child sites appear only in the following Client Deployment Status categories at the parent site:
• Deployed
• Out of date
The reason for this is that the information for these categories is based on Configuration Manager hardware inventory data that the parent site receives from the child sites.
The information for the following deployment categories is based on the Configuration Manager advertisements: Removed, Failed, and Pending. Because the parent site cannot see the advertisements created at a child site, deployment information for these categories is not displayed at the parent site. You can view the full deployment status for deployed FEP client software at the child site.
Policy distribution status for FEP policies assigned to collections at a child site can take up to 24 hours to display at the parent site.
Decentralized policy control and decentralized FEP administration
In this scenario, the FEP policies are managed independently at each of the child sites, and the child site administrators are responsible for the deployment and day-to-day management of Forefront Endpoint Protection. Site administrators can share policies by exporting and importing Forefront Endpoint Protection policies from one site to another. Tasks performed on a child site only affect the devices of that child site.
To implement this scenario, install Forefront Endpoint Protection in primary child sites only.
Important:
Do not install Forefront Endpoint Protection on the parent site, because this disables the existing policies on the child sites and enables the following scenario: Centralized policy control and decentralized FEP administration.
The following table lists the tasks that you can accomplish when Forefront Endpoint Protection is installed at the child sites only.
Task | Connected to the parent site | Connected to the child sites
Deploy FEP clients to collections | No | Yes
Create or modify FEP policies | No | Yes
Assign FEP policies to collections | No | Yes
Monitor FEP via the FEP dashboard | No | Yes
FEP reporting | No | Yes
Configure FEP alerts | No | Yes
FEP Operations | No | Yes
Decentralized policy control and FEP administration with centralized FEP reporting
This scenario is very similar to the Decentralized policy control and FEP administration scenario and, in addition, provides centralized organization-wide reporting.
In this scenario, FEP policies are managed independently at each of the child sites, and the child site administrators are responsible for the deployment and day-to-day management of FEP. Site administrators can share policies by exporting and importing Forefront Endpoint Protection policies from one site to another.
To implement this scenario, install Forefront Endpoint Protection on primary child sites and install only FEP reporting on the primary parent site.
Important:
Do not install full Forefront Endpoint Protection on the parent site, because this disables the existing policies on the child sites and enables the following scenario: Centralized policy control and decentralized FEP administration.
The following table lists the Forefront Endpoint Protection tasks that you can accomplish when Forefront Endpoint Protection is installed at the child sites only.
Task | Connected to the parent site | Connected to the child sites
Deploy FEP clients to collections | No | Yes
Create or modify FEP policies | No | Yes
Assign FEP policies to collections | No | Yes
Monitor FEP via the FEP dashboard | No | Yes
FEP reporting | Yes | Yes
Configure FEP alerts | Yes | Yes
FEP Operations | No | Yes
Installing SQL 2008 R2 requirements
Click Start and type Programs and then press Enter
In the Programs and Features window, select Microsoft SQL Server 2008 R2 (64 bit) and then click Uninstall/Change.
Note: Make sure your SQL 2008 R2 installation media is inserted into your DVD drive.
In the SQL Server 2008 R2 dialog box, click Add and wait for the SQL Server 2008 R2 installation to start
In the SQL Server Installation Center, click Installation and then select New installation or add features to an existing installation
On the Setup Support Rules page, click Show details and verify that all the rule checks show passed. Then click OK
On the Setup Support Files page, click Install
On the Setup Support Rules page, click Show details and verify that all the rule checks show passed. Then click Next
On the Installation Type page, select Add features to an existing instance of SQL Server 2008 R2 and click Next
On the Feature Selection page, select Analysis Services, Reporting Services and Integration Services and then click Next
On the Installation Rules page, click Show details and verify that all the rule checks show passed. Then click Next
On the Disk Space Requirements page, verify that there is enough available disk space for the selected features and then click Next
On the Server Configuration page, select Use the same account for all SQL Server Services.
Note: A separate domain account should be used for each SQL Server service.
In the Use the same account for all SQL Server 2008 R2 Services window, click the drop-down arrow and select NT AUTHORITY\SYSTEM. Then click OK.
Back on the Server Configuration page, click Next.
On the Analysis Services Configuration page, select Add Current User and then click Next.
Note: The users added here will have unrestricted access to Analysis Services.
On the Reporting Services page, verify that Install, but do not configure the report server is selected and click Next
On the Error Reporting page, click Next
On the Installation Configuration Rules page, click Show details and verify that all the rule checks show passed. Then click Next
On the Ready to Install page, verify your selections and then click Install
On the Complete page, verify that the installation completed successfully and then click Close
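The Note in the Server Configuration step recommends a separate domain account for each SQL Server service, while the wizard choice shown runs all of them as NT AUTHORITY\SYSTEM. As an added example (not part of the original guide), the following PowerShell reports the logon account of each SQL Server service and flags SYSTEM and shared accounts. The function name and the sample data are constructed; the ReportServer account reuses the example account name from the Reporting Configuration step of this guide.

```powershell
# Added example, not from the original guide.
# Written for Windows PowerShell 2.0, which ships with Windows Server 2008 R2.

function Test-SqlServiceAccount {
    param(
        # Objects with Name and StartName properties, for example Win32_Service instances.
        [Parameter(Mandatory = $true)]
        [object[]]$Service
    )

    # Service names used by SQL Server 2008 R2 (default and named instances).
    $sqlName = '^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+|' +
               'MSSQLServerOLAPService|MSOLAP\$.+|ReportServer(\$.+)?|MsDtsServer\d+)$'

    # The SYSTEM identity as Win32_Service reports it.
    $systemAccount = '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'

    $sql = @($Service | Where-Object { $_.Name -match $sqlName })

    # Count how many SQL services use each logon account.
    # Hashtable keys created with @{} compare case-insensitively.
    $useCount = @{}
    foreach ($s in $sql) {
        $account = "$($s.StartName)"          # empty string if StartName is null
        $useCount[$account] = 1 + [int]$useCount[$account]
    }

    foreach ($s in $sql) {
        $account = "$($s.StartName)"
        $finding = @()

        if ($account -match $systemAccount) {
            $finding += 'runs as SYSTEM'
        }
        if ($useCount[$account] -gt 1) {
            $finding += 'account shared by {0} SQL services' -f $useCount[$account]
        }
        if ($finding.Count -eq 0) {
            $finding = @('dedicated account')
        }

        New-Object PSObject -Property @{
            Service = $s.Name
            Account = $account
            Finding = ($finding -join '; ')
        } | Select-Object Service, Account, Finding
    }
}

# Constructed sample: three services left on SYSTEM as selected in the wizard,
# Reporting Services moved to its own domain account, and one non-SQL service
# that the function ignores.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'MSSQLSERVER';            StartName = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'MSSQLServerOLAPService'; StartName = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'MsDtsServer100';         StartName = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'ReportServer';           StartName = 'petfood\SCCMSVCsqlrs' }),
    (New-Object PSObject -Property @{ Name = 'Spooler';                StartName = 'LocalSystem' })
)

Test-SqlServiceAccount -Service $sample | Format-Table -AutoSize

# Live check on the site server:
# Test-SqlServiceAccount -Service (Get-WmiObject -Class Win32_Service) | Format-Table -AutoSize
```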
Preparing the Site server for the FEP 2010 installation
Open a Command Prompt with administrative privileges and change your directory to where you have the FEP 2010 installation files. In the Command Prompt window type SCCM2007-SP2-KB2271736-ENU.msi and then press Enter.
Important: This hotfix is required on all administrator consoles.
On the Welcome to… page, click Next
On the End-User License Agreement page, select I accept the terms in the License Agreement and then click Next
On the Ready to Install page, click Install
On the Completing the Software… page, click Finish
Installing FEP 2010
Open a Command Prompt with administrative privileges and change your directory to where you have the FEP 2010 installation files. In the Command Prompt window type Serversetup.exe and then press Enter.
Important: You should run Serversetup.exe from either the x86 or x64 subdirectory depending on your OS architecture.
On the Welcome to Forefront Endpoint Protection 2010 Server Setup Wizard page, type company name and organization in the Name and Organization fields. Then click Next.
On the Microsoft Software License Terms page, select I accept the software license terms and then click Next
On the Installation Options page, select Basic topology and click Next.
On the Reporting Configuration page, fill in the following information:
User name (domain\user): Use the account used for SQL RS, e.g. petfood\SCCMSVCsqlrs
Password: Fill in the password for the account.
Then click Next.
On the Updates and Customer Experience Options page, select Use Microsoft Updates to keep my products up to date and then click Next.
On the Microsoft SpyNet Policy Configuration page, select Join Microsoft Spynet and Advanced membership and click Next.
On the Installation Location page, accept the default installation location, C:\Program Files\Microsoft Forefront and click Next.
On the Prerequisites Verification page, verify that all prerequisite checks have a status of successful and then click Next.
On the Setup Summary page, verify the chosen installation options and then click Install
On the Installation page, verify that the installation completed successfully and then click Next
On the Installation Complete page, click Finish
Templates
The product ships with several default templates.
Template name | Target collection
Default workstation | FEP Collections\Deployment Status\Deployment Succeeded\Deployed Servers
Default server | FEP Collections\Deployment Status\Deployment Succeeded\Deployed Desktops
Mail Server policy | FEP Collections\FEP Policies (Folder)\FEP Mail Server
ConfigMgr Server Policy | FEP Collections\FEP Policies (Folder)\FEP ConfigMgr Server
OpsMgr Server Policy | FEP Collections\FEP Policies (Folder)\FEP OpsMgr Server
File Server Policy | FEP Collections\FEP Policies (Folder)\FEP File Server
Domain Controller Server Policy | FEP Collections\FEP Policies (Folder)\FEP Domain Controller Server
SharePoint Server Policy | FEP Collections\FEP Policies (Folder)\FEP SharePoint Server
SQL Server Policy | FEP Collections\FEP Policies (Folder)\FEP SQL Server
Template settings
All default settings are documented on TechNet - http://technet.microsoft.com/en-us/library/gg477039.aspx
Changes made to the default template settings
Below are some example settings that we configured for our clients and Configuration Manager Server (with a local SQL installation). These settings are in no way the only correct settings; all policy settings must be discussed internally and match the security policy of the organization.
Common settings for all templates
Exclusions
• %windir%\system32\CCM
• %windir%\SYSwow64\CCM
Windows Firewall
• Manager Windows firewall disabled
Common settings for all server policies
Scheduled scans
Default desktop
Scheduled scans
• Weekly scan, Friday 09:00 AM
Advanced
• Enabled Scan removable storage devices such as USB flash drives
ConfigMgr Server Policy
Excluded Processes
• %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe
On the Microsoft TechNet Wiki - http://social.technet.microsoft.com/wiki/contents/articles/953.aspx you can find an updated list of recommended antivirus exclusions for Windows Server. This list includes, among others: Windows, Active Directory, Cluster, Forefront, FRS, SQL, IIS, DHCP, SCOM, ConfigMgr, Hyper-V, Exchange, SharePoint, Med-V and App-V.
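A process exclusion only has an effect if it names the binary that actually runs, and SQL Server instance directories are named differently between versions (MSSQL.1-style names on SQL Server 2005, MSSQL10_50.<instance>-style names on SQL Server 2008 R2). The following added example, which is not part of the original guide, compares the ConfigMgr Server Policy process exclusions listed above with the executables of the installed SQL services. The function name and the sample service command lines are constructed for illustration.

```powershell
# Added example, not from the original guide.
# Written for Windows PowerShell 2.0, which ships with Windows Server 2008 R2.

function Compare-SqlProcessExclusion {
    param(
        # Process exclusions exactly as entered in the FEP policy.
        [Parameter(Mandatory = $true)][string[]]$Exclusion,
        # Win32_Service.PathName values of the SQL Server services.
        [Parameter(Mandatory = $true)][string[]]$ServiceCommandLine
    )

    # Expand %ProgramFiles% and similar variables so the paths can be compared.
    $excluded = @($Exclusion | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_).Trim().Trim('"')
    })

    # PathName is a full command line; keep only the path of the executable.
    $binaries = @($ServiceCommandLine | ForEach-Object {
        if ($_ -match '^\s*"([^"]+)"') {
            $matches[1]                              # quoted path, arguments dropped
        } elseif ($_ -match '^\s*(.+?\.exe)(\s|$)') {
            $matches[1]                              # unquoted path
        }
    })

    # Exclusions that do not correspond to any installed service binary.
    foreach ($path in $excluded) {
        if ($binaries -contains $path) {             # -contains ignores case
            $status = 'matches an installed service binary'
        } else {
            $status = 'no installed service uses this path'
        }
        New-Object PSObject -Property @{ Kind = 'Exclusion'; Path = $path; Status = $status } |
            Select-Object Kind, Status, Path
    }

    # Service binaries that no exclusion covers.
    foreach ($path in $binaries) {
        if ($excluded -notcontains $path) {
            New-Object PSObject -Property @{
                Kind   = 'Service binary'
                Path   = $path
                Status = 'not covered by a process exclusion'
            } | Select-Object Kind, Status, Path
        }
    }
}

# The excluded processes from the ConfigMgr Server Policy in this guide.
$guideExclusions = @(
    '%ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe'
)

# Constructed sample: service command lines as a default SQL Server 2008 R2
# instance on a 64-bit server would typically report them.
$sampleServices = @(
    '"C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER',
    '"C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe"',
    '"C:\Program Files\Microsoft SQL Server\MSAS10_50.MSSQLSERVER\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSAS10_50.MSSQLSERVER\OLAP\Config"'
)

Compare-SqlProcessExclusion -Exclusion $guideExclusions -ServiceCommandLine $sampleServices |
    Format-List

# Live check on the server the policy is assigned to:
# $live = Get-WmiObject -Class Win32_Service |
#     Where-Object { $_.PathName -match 'Microsoft SQL Server' } |
#     ForEach-Object { $_.PathName }
# Compare-SqlProcessExclusion -Exclusion $guideExclusions -ServiceCommandLine $live
```

Run the live check in a 64-bit PowerShell session on a 64-bit server, because %ProgramFiles% expands to the x86 folder in a 32-bit process.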
Alerts
Email settings
Malware Detection Alerts
A mail will be sent whenever malware is detected on a computer.
Mail:
Forefront Endpoint Protection has detected malware on a computer in your organization.
Detection time (UTC): 4/20/2011 10:55:58 AM
Computer name: client1.petfood.local
Malware name: HackTool:Win32/Mailpassview
To view more information about malware activity in your organization, run a Computer List Report.
Note: No additional Malware Detection alerts will be generated for this computer for the next 24 hours.
Malware Outbreak Alert properties
A mail will be sent if more than 5 computers have the same malware detected.
Mail:
Forefront Endpoint Protection has detected a fast spreading malware on computers in your organization.
Malware name: HackTool:Win32/Mailpassview
Number of computers affected: 6
Detection interval (minutes): 0
To view more information about malware activity in your organization, run an Antimalware Activity Report.
Note: No additional Malware Outbreak alerts will be generated for this malware for the next 24 hours.
Repeated Malware Detection Alert
A mail will be sent if the same malware is detected 4 times within 24 hours on a single computer.
New Multiple Malware Detection Alert
A mail will be sent if multiple malware is detected within 24 hours on a single computer.
Reports
All reports are accessible from http://servername/reports.
DCM Settings
Forefront clients use desired configuration management to update status information in Configuration Manager. By default, 4 configuration baselines are created and applied to specific collections. Baselines written in bold are non-default baselines.
Baseline | Applied Collection | Schedule
FEP Monitoring – Antimalware Status | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily
FEP Monitoring – Definitions and Health Status | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily
FEP Monitoring – Malware Activity | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily
FEP Monitoring – Malware Detections | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily
FEP – Standard Desktop | FEP Collections\Deployment Status\Deployment Succeeded\Deployed Desktops | Daily
Configure WSUS to automatically approve FEP 2010 definition updates
Important: If you install FEP 2010 Update Rollup 1 and configure your environment to use Configuration Manager as the primary source for your FEP 2010 Definition Updates, you should not perform the step detailed in this section.
Open the WSUS administrator console.
Select Synchronization schedule and configure 6 synchronizations per day. Click OK.
Click Automatic Approvals.
Create a new rule that will automatically approve all definition updates. Select When an update is in a specific classification.
Click on the any classification link. Make sure you only select Definition updates. Click OK
Select When an update is in a specific product.
Select Forefront Endpoint Protection 2010 and click OK.
Type FEP definitions as the name and click OK (twice).
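The console steps above can also be scripted against the WSUS administration API. The following is an added example, not part of the original guide: it sets the synchronization schedule, creates the FEP definitions rule and then reads the rule back to confirm that it covers only Definition Updates for Forefront Endpoint Protection 2010. It assumes an elevated Windows PowerShell session on the WSUS server, that the product has already been synchronized into the WSUS catalog, and that the rule targets the All Computers group (the guide does not name a target group).

```powershell
# Added example, not from the original guide. Run elevated on the WSUS server.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$ruleName     = 'FEP definitions'
$productTitle = 'Forefront Endpoint Protection 2010'
$classTitle   = 'Definition Updates'
$groupName    = 'All Computers'     # assumption: the guide does not name a target group

# Synchronization schedule: 6 automatic synchronizations per day.
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $true
$subscription.NumberOfSynchronizationsPerDay = 6
$subscription.Save()

# Resolve exactly one classification, one product and one target group.
# Anything else would make the rule broader or narrower than intended.
$class   = @($wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq $classTitle })
$product = @($wsus.GetUpdateCategories()      | Where-Object { $_.Title -eq $productTitle })
$group   = @($wsus.GetComputerTargetGroups()  | Where-Object { $_.Name  -eq $groupName })

if ($class.Count -ne 1 -or $product.Count -ne 1 -or $group.Count -ne 1) {
    throw ("Expected one match each, found {0} classification(s), {1} product(s), {2} group(s)." -f
           $class.Count, $product.Count, $group.Count)
}

# Do not create a second rule with the same name.
if ($wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }) {
    throw "An automatic approval rule named '$ruleName' already exists."
}

$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
[void]$classes.Add($class[0])
$products = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
[void]$products.Add($product[0])
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($group[0])

# Create the rule: classification AND product must both match before approval.
$rule = $wsus.CreateInstallApprovalRule($ruleName)
$rule.SetUpdateClassifications($classes)
$rule.SetCategories($products)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# Read the rule back from the server and confirm its scope.
$saved         = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
$savedClasses  = @($saved.GetUpdateClassifications() | ForEach-Object { $_.Title })
$savedProducts = @($saved.GetCategories()            | ForEach-Object { $_.Title })

if ($savedClasses.Count -ne 1 -or $savedProducts.Count -ne 1) {
    Write-Warning 'The saved rule does not have exactly one classification and one product.'
}

New-Object PSObject -Property @{
    Rule            = $saved.Name
    Enabled         = $saved.Enabled
    Classifications = ($savedClasses -join ', ')
    Products        = ($savedProducts -join ', ')
    SyncsPerDay     = $wsus.GetSubscription().NumberOfSynchronizationsPerDay
} | Select-Object Rule, Enabled, Classifications, Products, SyncsPerDay | Format-List
```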
FEP 2010 Update Rollup 1 information
The following list is a summary of the updates in FEP 2010 Update Rollup 1:
• FEP 2010 client support for the following Windows Embedded 7 client operating systems and Windows Server 2008 Core:
  • Windows Embedded Standard 7 SP1
  • Windows Embedded POSReady 7
  • Windows ThinPC
  • Windows Server 2008 Server Core (x86 or x64)
• Support for enabling deployment of Forefront Endpoint Protection definition updates through Configuration Manager 2007 software update point role
• Addition of two new preconfigured policy templates for Microsoft Forefront Threat Management Gateway and Microsoft Lync 2010
• Various bug fixes
For a full list of added functionality and fixes, see http://support.microsoft.com/kb/2551095
Installing FEP 2010 Update Rollup 1
Download FEP 2010 Update Rollup 1 from here: http://www.microsoft.com/download/en/details.aspx?id=26583
Note: You must download one of the following pairs of files, depending on your server's architecture:
• FEP2010-Update-KB2554364-x64-ENU.EXE and FEP2010-Update-Rollup-KB2551095-x64-ENU.exe
or
• FEP2010-Update-KB2554364-x86-ENU.EXE and FEP2010-Update-Rollup-KB2551095-x86-ENU.exe
You must first install either the x86 or x64 version of the KB2554364 hotfix on the computer on which the FEP reporting feature is installed. Once this hotfix is installed, it cannot be uninstalled.
Installing the KB2554364 hotfix on the FEP reporting server
Open a Command Prompt with administrative privileges and change your directory to where you have downloaded the FEP 2010 Update Rollup 1 files. In the Command Prompt window type FEP2010-Update-KB2554364-x64-ENU.EXE and then press Enter.
Important: Once this hotfix is installed, it CANNOT be uninstalled.
On the Welcome to Reporting Update Setup Wizard page, click Next
On the Microsoft Software License Terms page, select I accept the software license terms and then click Next
On the Setup Summary page, click Install
On the Installation page, verify that the installation completed successfully and then click Next
On the Installation Complete page, click Finish. Then restart the machine.
Extracting the FEP2010 Update Rollup installation files
Open a Command Prompt with administrative privileges and change your directory to where you have downloaded the FEP 2010 Update Rollup 1 files. In the Command Prompt window type FEP2010-Update-Rollup-KB2551095-x64-ENU.EXE and then press Enter
In the Choose Directory for Extracted Files window, browse for a location where you want to extract the files and then click OK
On the Extraction Complete window, click OK
Installing the Update Rollup 1 on the Configuration Manager Site server (FepExt)
On the Configuration Manager Site Server, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files. Double-click the FepExt folder and then double-click the Setup.exe file.
On the Welcome to Update Rollup 1 Setup Wizard page, click Next
On the Microsoft Software License Terms page, select I accept the software license terms and then click Next
On the Setup Summary page, verify the installation options and then click Install
On the Installation page, verify that the installation completed successfully and then click Next
On the Installation Complete page, click Finish
Installing the Update Rollup 1 on the FEP 2010 Reporting Server (FepReport)
On the Server where FEP 2010 Reporting is installed, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files. Double-click the FepReport folder and then double-click the Setup.exe file.
On the Welcome to Update Rollup 1 Setup Wizard page, click Next
On the Microsoft Software License Terms page, select I accept the software license terms and then click Next
On the Setup Summary page, verify the installation options and then click Install
On the Installation page, verify that the installation completed successfully and then click Next
On the Installation Complete page, click Finish
Installing the Update Rollup 1 on the FEP 2010 Console machines (FepUx)
On the machines where the FEP 2010 Console is installed, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files. Double-click the FepUx folder and then double-click the Setup.exe file.
On the Welcome to Update Rollup 1 Setup Wizard page, click Next
On the Microsoft Software License Terms page, select I accept the software license terms and then click Next
On the Setup Summary page, verify the installation options and then click Install
On the Installation page, verify that the installation completed successfully and then click Next
On the Installation Complete page, click Finish
Deploying the FEP 2010 Update Rollup 1 to Clients
A new version of the Configuration Manager FEP – Deployment package is installed as part of the FEP 2010 Update Rollup 1 update. Because of the new package, all computers installed with earlier versions of the FEP client software will be members of the Out of Date FEP collection.
In the Configuration Manager console, expand System Center Configuration Manager, Site Database, Computer Management and Software Distribution. Then click on the Advertisements node.
Right-click the FEP 2010 Client installation advertisement and choose Properties
In the Name-of-advertisement window, click on the Schedule tab and then, in the Program rerun behavior box, select Always run program. Click on OK.
Back in the Configuration Manager Console, right-click the FEP 2010 Client installation advertisement and choose Re-run Advertisement. In the Re-run Advertisement window, click Yes.
Refresh policy on the FEP 2010 clients or wait for the policy refresh to occur automatically. Then check the FEP 2010 client status in the Configuration Manager Console by clicking on the Forefront Endpoint Protection node under System Center Configuration Manager, Site Database and Computer Management.
Configuring Configuration Manager 2007 SUP to distribute FEP definition updates to your FEP 2010 clients
Microsoft Forefront Endpoint Protection 2010 Update Rollup 1 includes the Definition Update Automation tool. This tool enables you to use Configuration Manager 2007 software update points (SUP) to distribute FEP definition updates to your FEP clients.
To configure your environment to use the Definition Update Automation tool, it must first be downloaded and copied to the Configuration Manager software update point.
The Definition Update Automation tool (fepsuasetup.cab) can be downloaded from here: http://www.microsoft.com/download/en/details.aspx?id=26613
On your Configuration Manager SUP, in the location to which you copied the fepsuasetup.cab file, double-click the fepsuasetup.cab file, right-click the SoftwareUpdateAutomation.exe file and choose Extract. Browse to one of the following locations, depending on your OS architecture:
X86: %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin
X64: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin
Then click Extract.
In the File Download – Security Warning dialog, click Save
In the Configuration Manager console, expand System Center Configuration Manager, Site Database, Site Management, SiteCode – SiteName, Site Settings and then click the Component Configuration node. In the details pane of the console, right-click the Software Update Point Component and select Properties
In the Software Update Point Component Properties window, click on the Classifications tab and select the checkbox next to Definition updates
Still in the Software Update Point Component Properties window, click on the Products tab. Scroll down to the Forefront group, select the checkbox next to Forefront Endpoint Protection 2010 and then click Apply and OK.
Back in the Configuration Manager console, expand Site Database, Computer Management and Software Updates. Then right-click the Update Repository node and select Run Synchronization.
In the Run Update Synchronization dialog box, select Yes
The WSUS synchronization process can be monitored by opening the wsyncmgr.log file on the Configuration Manager site server. Wait for the WSUS synchronization to complete before continuing with the next steps.
Still in the Configuration Manager console, right-click the Update Repository node and select Refresh. Then expand Update Repository, Definition Updates and Microsoft, and click on the Forefront Endpoint Protection 2010 node.
In the details pane, click Definition for Microsoft Forefront Endpoint Protection 2010… and then select Download Software Updates
On the Deployment Package page, select Create a new deployment package and fill in the following information:
Name: FEP2010_DefUpdates
Description: Definition Updates for Forefront Endpoint Protection 2010
Package source: \\sccmkbh\FEPDefUpdates
Then click Next.
Note: The share for the Package source must be created manually prior to completing this task.
On the Distribution Points page, click Browse and in the Add Distribution Points dialog box expand the CEN (Site code) node. Then select the distribution points, i.e. SCCMKBH and sccmkbh\sccm_dp$, and then click OK. Back on the Distribution Points page, verify that the selected distribution points are listed and then click OK and Next.
On the Data Access page, click Next
On the Distribution Settings page, click Next
On the Download Location page, select Download software updates from the Internet and then click Next
On the Language Selection page, select English and then click Next
On the Summary page, verify the chosen options and then click Next.
Note: Wait for the download to complete.
On the Wizard Completed page, verify that the Download Updates Wizard completed successfully and then click Close
Back in the Configuration Manager console; in the details pane, click Definition for Microsoft Forefront Endpoint Protection 2010… and then select Deploy Software Updates
On the General page, in the Name field type FEP2010_DefUpdates and then click Next
On the Deployment Template page, select Create a new deployment template and then click Next
On the Collection page, click Browse and in the Browse Collection dialog box, select the target collection for the FEP 2010 Definition Updates, i.e. Test, and then click OK. Back on the Collection page, verify that the selected collection is listed and then click Next.
On the Display/Time Settings page, select the following settings:
Suppress display notifications on clients
Client Local time
Duration: 2 Hours
Then click Next.
On the Restart Settings page, select the appropriate settings and click Next
On the Event Generation page, select the appropriate settings and click Next
On the Update Binary Download – ConfigMgr Client Settings page, select the following settings:
Download software updates from distribution point and install
Download software updates from unprotected distribution point and install
Then click Next.
On the Create Template page, select Save deployment properties as a template and in the Template name field type FEP 2010 Definition Updates. Then click Next.
On the Deployment Package page, click Browse and in the Select a Package dialog box, select the package for the FEP 2010 Definition Updates created earlier, i.e. FEP2010_DefUpdates, and then click OK. Back on the Deployment Package page, verify that the selected package is listed and then click Next.
On the Download Location page, select Download software updates from the Internet and then click Next.
Note: Because all the required software updates have already been downloaded, the files will only be validated and not downloaded again.
On the Language Selection page, select English and then click Next
On the Deployment Schedule page, select As soon as possible and then click Next
On the Summary page, verify the chosen options and then click Next.
Note: Wait for the Wizard to complete.
On the Wizard Completed page, verify that the Deploy Software Updates Wizard completed successfully and then click Close
Configuring FEP 2010 clients to use Configuration Manager as the primary source for definition updates
In the Configuration Manager console, expand System Center Configuration Manager, Computer Management and Forefront Endpoint Protection. Then click on the Policies node.
Right-click the policy, i.e. ConfigMgr Server Policy (Coretech), and select Properties
In the Name-of-the-policy Properties window, i.e. ConfigMgr Server Policy (Coretech) Properties, click on the Updates tab
On the Updates tab in the Name-of-the-policy Properties window, i.e. ConfigMgr Server Policy (Coretech) Properties, select the Use Configuration Manager as the primary source for definition updates check box. Under the Use the following section to configure alternative sources… heading, in the Every (hours) field, change the value to 6. Under the Clients will pull updates from the selected… heading, configure the order in which clients will pull updates according to your needs. Then click OK.
Repeat the above steps for all your FEP 2010 policies where you want to use Configuration Manager as the primary source for definition updates
Configuring the FEP 2010 Definition Update Automation tool
The following two sections describe how to configure the FEP 2010 Definition Update Automation tool (softwareupdateautomation.exe):
• Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)
• Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)
The FEP 2010 Definition Update Automation tool (softwareupdateautomation.exe) automatically checks the WSUS server for new FEP 2010 definition updates and downloads them. It then updates your existing FEP 2010 definition updates Deployment Package and Deployment and refreshes your distribution points. For this to work properly, the WSUS server needs to synchronize regularly with Windows Update in order to obtain knowledge of the new FEP 2010 definitions. That is the reason why both methods use Event ID 6702 as a trigger to execute the softwareupdateautomation.exe file.
You must only use one of the described methods when configuring the FEP 2010 Definition Update Automation tool.
Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)
On your Configuration Manager SUP, click Start, type task scheduler and then press Enter
In the Task Scheduler window, in the menu bar, click Action and select Create Task
In the Create Task window on the General tab, configure the following settings:
Name: FEP_Update_Tool
Description: This task will run the Definition Update Automation tool for FEP 2010 updates every 1 hour
Run whether user is logged on or not
Then click on the Actions tab.
Note: The user account used to run this task must have the appropriate Configuration Manager permissions to update the definition package and definition assignment specified in the command line.
On the Actions tab, click New
In the New Action window, click Browse and browse to one of the following two locations, depending on your OS architecture:
X86: %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin
X64: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin
Then select the SoftwareUpdateAutomation.exe file and click Open
Still in the New Action window, type the following information in the Add arguments (optional) field:
/AssignmentName "Deployment" /PackageName "Package" /RefreshDP
Where Deployment is the name of the software deployment for the definitions, and Package is the name of the software package that contains the definitions, i.e.
/AssignmentName "FEP2010_DefUpdates" /PackageName "FEP2010_DefUpdates" /RefreshDP
Then click OK.
Click on the Triggers tab and then click New
In the New Trigger dialog box, under Advanced settings, select the check box for Repeat task every, in the list click 1 hour, and then next to for a duration of, click Indefinitely. Then click OK.
Still on the Triggers tab, click New
In the New Trigger dialog box, in the Begin the task field, select On an event. Under Settings, select the following from the drop-down boxes:
Log: Application
Source: SMS Server
In the Event ID field, type 6702. Under Advanced settings, ensure that the Enabled check box is selected. Then click OK twice.
In the Task Scheduler password dialog box, type in the password of the user account which the task runs under, then click OK and close the Task Scheduler.
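The task built in Method 1 can also be registered from PowerShell through the Task Scheduler COM interface, which keeps the run-as password out of any script file by prompting for it. This is an added example, not part of the original guide; the function name, its parameters and the default tool path are assumptions, while the task, deployment and package names are the ones used in the steps above.

```powershell
# Added example (not from the original guide): scripted equivalent of Method 1.
# Register-FepUpdateTask and its parameter names are hypothetical.
function Register-FepUpdateTask {
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential,   # run-as account
        [string]$TaskName       = 'FEP_Update_Tool',
        [string]$AssignmentName = 'FEP2010_DefUpdates',
        [string]$PackageName    = 'FEP2010_DefUpdates',
        [string]$ToolPath                                         # optional override
    )

    if (-not $ToolPath) {
        # Assumed default location: ProgramFiles(x86) on x64, ProgramFiles on x86.
        $root = ${env:ProgramFiles(x86)}
        if (-not $root) { $root = $env:ProgramFiles }
        $ToolPath = Join-Path $root 'Microsoft Configuration Manager\AdminUI\bin\SoftwareUpdateAutomation.exe'
    }
    if (-not (Test-Path -LiteralPath $ToolPath)) {
        throw "SoftwareUpdateAutomation.exe not found at $ToolPath"
    }

    $service = New-Object -ComObject Schedule.Service
    $service.Connect()
    $task = $service.NewTask(0)
    $task.RegistrationInfo.Description =
        'This task will run the Definition Update Automation tool for FEP 2010 updates every 1 hour'
    $task.Settings.Enabled = $true

    # Trigger 1: repeat every hour; an empty Duration means "Indefinitely".
    $hourly = $task.Triggers.Create(1)                 # 1 = TASK_TRIGGER_TIME
    $hourly.StartBoundary = (Get-Date).ToString('s')
    $hourly.Repetition.Interval = 'PT1H'

    # Trigger 2: Event ID 6702, source "SMS Server", Application log.
    $onSync = $task.Triggers.Create(0)                 # 0 = TASK_TRIGGER_EVENT
    $onSync.Subscription = "<QueryList><Query Id='0' Path='Application'>" +
        "<Select Path='Application'>*[System[Provider[@Name='SMS Server'] and EventID=6702]]</Select>" +
        "</Query></QueryList>"

    # Action: the same command line as in the Add arguments field.
    $action = $task.Actions.Create(0)                  # 0 = TASK_ACTION_EXEC
    $action.Path = $ToolPath
    $action.Arguments = '/AssignmentName "{0}" /PackageName "{1}" /RefreshDP' -f $AssignmentName, $PackageName

    # 6 = TASK_CREATE_OR_UPDATE, 1 = TASK_LOGON_PASSWORD
    # ("Run whether user is logged on or not").
    $password = $Credential.GetNetworkCredential().Password
    $folder = $service.GetFolder('\')
    $folder.RegisterTaskDefinition($TaskName, $task, 6, $Credential.UserName, $password, 1) | Out-Null
}

# Run from an elevated PowerShell prompt on the SUP:
# Register-FepUpdateTask -Credential (Get-Credential)
```

The account supplied to Get-Credential is the one described in the note on the General tab: it needs the Configuration Manager permissions to update the definition package and deployment named on the command line.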
Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)
In the Configuration Manager console, expand System Center Configuration Manager, Site Database, <Sitecode - Site name>, Site Settings. Then right-click the Status Filter Rules node and select New Status Filter Rule.
On the General page of the New Status Filter Rule Wizard, type a name for the new Status Filter Rule, i.e. FEP 2010 definition update automation tool. Then select the following fields and information from the drop-down boxes:
Source: ConfigMgr Server
Component: SMS_WSUS_SYNC_MANAGER
Message ID: 6702
Then click Next.
On the Actions page, select Run a program, and in the Program field, type the following information, i.e.
"D:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName "FEPDefUpdates" /PackageName "FEPDefUpdates" /RefreshDP
The location of the SoftwareUpdateAutomation.exe tool is dependent on your OS architecture:
X86: %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin
X64: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin
Then click Next.
On the Summary page, verify the chosen options and then click Next
On the Wizard Completed page, verify that the New Status Filter Wizard completed successfully and then click Close
Testing the FEP 2010 Definition Update Automation tool
Back in the Configuration Manager console, expand Site Database, Computer Management and Software Updates. Then right-click the Update Repository node and select Run Synchronization.
In the Run Update Synchronization dialog box, select Yes
The WSUS synchronization process can be monitored by opening the wsyncmgr.log file on the Configuration Manager site server. Wait for the WSUS synchronization to complete before continuing with the next steps.
Open the Task Scheduler and click on the Task Scheduler Library in the left pane. Then click on the task in the details pane that you created earlier, i.e. FEP_Update_Tool
Still in the details pane of the Task Scheduler, click on the History tab and verify that the task was triggered by the 6702 event.
Open the Event Viewer, expand Windows Logs and then click on Application. In the details pane, scroll down until you find 6702 under the Event ID column. Click on the event and verify the information about this event on the General tab in the lower part of the details pane. Then close the Event Viewer.
Browse to %programdata%, i.e. C:\ProgramData, and open the SoftwareUpdateAutomation.log file. Look for errors and warnings in the log file.
You will see something similar to the message below:
SmsAdminUISnapIn Error 0 : (SMS_PackageToContent ContentOD=7861,PackageID=’CEN00013’).IsContentValid returns true. We won’t download the content again.
This means that the downloaded FEP 2010 definitions are up to date and do not need to be downloaded again, so in this case it is not an error.
Scroll down to the end of the SoftwareUpdateAutomation.log file. Look for something similar to the message below:
SmsAdminUISnapIn Information: 1:SCF session handle {4dc4531e-96f0-4d9c-a990-068100636609} has successfully released
This means that the Definition Update Automation tool has released the Deployment and Package used for FEP 2010 Definition Updates and that the automatic update process is working correctly.
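The log review described above can be scripted so that the harmless IsContentValid entry is separated from real errors and the final release message is confirmed. This is an added example, not part of the original guide; the function names are hypothetical, the line layout is inferred from the two messages quoted above, and the sample lines are constructed.

```powershell
# Added example (not from the original guide). Function names are hypothetical.
# Assumed line layout: "<source> <level>[:] <id> : <message>", inferred from the
# two messages quoted in this section; adjust $pattern if your log differs.
function Get-FepAutomationLogSummary {
    param([string[]]$Line)

    $pattern  = '^(?<source>\S+)\s+(?<level>Error|Warning|Information)\s*:?\s*(?<id>\d+)\s*:\s*(?<msg>.*)$'
    $benign   = 0
    $problems = @()
    $released = $false

    foreach ($entry in $Line) {
        if ($entry -notmatch $pattern) { continue }
        # Copy the captures first: the -match tests below overwrite $Matches.
        $level = $Matches['level']
        $msg   = $Matches['msg']

        if ($msg -match 'IsContentValid returns true') {
            $benign++                    # logged as Error, but content is already current
        } elseif ($level -ne 'Information') {
            $problems += $entry          # real errors and warnings to investigate
        } elseif ($msg -match 'SCF session handle \{[0-9a-f-]+\} has successfully released') {
            $released = $true            # the closing message the guide looks for
        }
    }

    New-Object PSObject -Property @{
        ContentAlreadyValid = $benign
        Problems            = $problems
        SessionReleased     = $released
        Healthy             = ($released -and $problems.Count -eq 0)
    }
}

function Get-LastWsusSyncEvent {
    # Most recent Event ID 6702 from source "SMS Server" in the Application log,
    # i.e. the event that triggers the automation tool.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SMS Server'; Id = 6702 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
}

# Constructed sample lines: IDs, GUID and the warning text are made up.
$sample = @(
    "SmsAdminUISnapIn Error 0 : (SMS_PackageToContent ContentID=1,PackageID='XXX00001').IsContentValid returns true. We won't download the content again.",
    "SmsAdminUISnapIn Warning: 0 : Constructed warning line for illustration",
    "SmsAdminUISnapIn Information: 1:SCF session handle {00000000-0000-0000-0000-000000000000} has successfully released"
)
Get-FepAutomationLogSummary -Line $sample | Format-List

# On the SUP itself:
# Get-FepAutomationLogSummary -Line (Get-Content "$env:ProgramData\SoftwareUpdateAutomation.log")
# Get-LastWsusSyncEvent | Format-List TimeCreated, Id, Message
```

With the constructed sample, the summary reports one already-valid content entry, one problem line (the warning) and a released session, so Healthy is False until the warning is explained.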