Forefront Endpoint Protection 2010 installation and configuration guide for Configuration Manager 2007

Written by Kent Agerlund and Michael Buchardt, Coretech A/S

Author: Kent Agerlund & Michael Buchardt
Create date: 19/04-2011
Change date: 16/10-2011
Document version no.: 1.4


Document information

History

Date | Author | Version | Reason for change
19/04-2011 | Kent Agerlund & Michael Buchardt | 1.0 | N/A
05/07-2011 | Kent Agerlund & Michael Buchardt | 1.2 | Added information about FEP 2010 Update 1 Rollup (installation and configuration)
15/10-2011 | Michael Buchardt | 1.3 | Added information about installing Reporting Services, Analysis Services and Integration Services for SQL Server 2008 R2
16/10-2011 | Kent Agerlund | 1.4 | Minor changes, added policy template information.

Proof readers

Name Version Date of approval


Table of contents

Document information
    History
    Proof readers
Table of contents
Configuration Manager Site Topologies and FEP 2010
Single-Site Deployment
    Centralized policy control and centralized FEP administration
    Centralized policy control and decentralized FEP administration
    Decentralized policy control and decentralized FEP administration
    Decentralized policy control and FEP administration with centralized FEP reporting
Installing SQL 2008 R2 requirements
Preparing the Site server for the FEP 2010 installation
Installing FEP 2010
Templates
    Template settings
    Changes made to the default template settings
        Common settings for all templates
        Common settings for all server policies
        Default desktop
        ConfigMgr Server Policy
Alerts
Reports
DCM Settings
Configure WSUS to automatically approve FEP 2010 definition updates
FEP 2010 Update Rollup 1 information
Installing FEP 2010 Update Rollup 1
    Installing the KB2554364 hotfix on the FEP reporting server
    Extracting the FEP2010 Update Rollup installation files
    Installing the Update Rollup 1 on the Configuration Manager Site server (FepExt)
    Installing the Update Rollup 1 on the FEP 2010 Reporting Server (FepReport)
    Installing the Update Rollup 1 on the FEP 2010 Console machines (FepUx)
Deploying the FEP 2010 Update Rollup 1 to Clients
Configuring Configuration Manager 2007 SUP to distribute FEP definition updates to your FEP 2010 clients
    Configuring FEP 2010 clients to use Configuration Manager as the primary source for definition updates
Configuring the FEP 2010 Definition Update Automation tool
Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)
Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)
Testing the FEP 2010 Definition Update Automation tool


Configuration Manager Site Topologies and FEP 2010

You can deploy Forefront Endpoint Protection 2010 (FEP) to a Configuration Manager stand-alone (single) site or to a hierarchical site environment. Installation of Forefront Endpoint Protection on secondary sites is not supported.

Single-Site Deployment

In a single-site Configuration Manager deployment, Forefront Endpoint Protection is installed on the Configuration Manager site server. Configuration Manager administrators can perform the following tasks from the Configuration Manager console:

• Create or modify Forefront Endpoint Protection policies

• Assign Forefront Endpoint Protection policies to collections

• Deploy Forefront Endpoint Protection clients to collections

• Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard

• Configure Forefront Endpoint Protection alerts

• Assign the Forefront Endpoint Protection Desired Configuration Management configuration baselines to collections


Hierarchical Deployment

In a hierarchical Configuration Manager deployment, a parent site has one or more attached child sites in the hierarchy. A parent site contains pertinent information about its child sites, and it can control many operations at the child sites. A site that has no parent site is known as a central site.

Depending on the needs and requirements of an organization, you can deploy Forefront Endpoint Protection to achieve the following scenarios:

• Centralized policy control and centralized FEP administration

• Centralized policy control and decentralized FEP administration

• Decentralized policy control and decentralized FEP administration

• Decentralized policy control and FEP administration with centralized FEP reporting


Centralized policy control and centralized FEP administration

In this scenario, administrators at the Configuration Manager parent site control the configuration and administration of Forefront Endpoint Protection. Administrators at the parent site are responsible for policy management and day-to-day monitoring of Forefront Endpoint Protection. Administrators at the child sites can deploy the Forefront Endpoint Protection client software to collections in the child site and assign FEP policies, but have limited ability to monitor the progress of the FEP client software and policy deployments.

To implement this scenario, install Forefront Endpoint Protection only on the primary parent site.


The following table lists the tasks that can be accomplished when Forefront Endpoint Protection is installed on the parent primary site only.

Task | Connected to the parent site | Connected to the child sites
Deploy FEP clients to collections | Yes | Yes
Create or modify FEP policies | Yes | No
Assign FEP policies to collections | Yes | Yes
Monitor FEP client deployment and policy deployment progress | Yes | Limited
Monitor FEP via the FEP dashboard | Yes | No
FEP reporting | Yes | No
Configure FEP alerts | Yes | No
FEP Operations | Yes | Limited


Centralized policy control and decentralized FEP administration

In this scenario, FEP policies are managed centrally at the parent site, but the administrators at the child sites are responsible for the deployment and day-to-day management of FEP. Administrators at the child sites can view the Forefront Endpoint Protection policies, but cannot create, modify, or delete a policy.

To implement this scenario, you must install Forefront Endpoint Protection on both the primary parent site and the primary child sites.


The following table lists the tasks that you can accomplish when Forefront Endpoint Protection is installed on the parent site and child sites.

Task | Connected to the parent site | Connected to the child sites
Deploy FEP clients to collections | Yes | Yes
Create or modify FEP policies | Yes | No
Assign FEP policies to collections | Yes | Yes
Monitor FEP client deployment and policy deployment progress | Yes | Yes
Monitor FEP via the FEP dashboard | Yes | Yes
FEP reporting | Yes | Yes
Configure FEP alerts | Yes | Yes
FEP Operations | Yes | Yes


Important:

At a child site, there are two FEP – Deployment packages, one from the parent site and one from the child site. When deploying the Forefront Endpoint Protection client software from the child site, you must deploy by using the software package from the parent site. The first three letters of the software package's Package ID indicate which site the package originates from.

When you install Forefront Endpoint Protection on the child site first, and then install Forefront Endpoint Protection on the parent site, the FEP – Policies package on the child site is disabled, and the FEP – Policies package from the parent site is propagated to the child site. Policies created on the child site no longer exist. It is recommended that you export the policies from the child site before you install Forefront Endpoint Protection on the parent site. After installing Forefront Endpoint Protection on the parent site, you can import the policies on the parent site.

Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality of the child sites. Repair the Forefront Endpoint Protection installation on each child site after Forefront Endpoint Protection is uninstalled from the parent site.

FEP clients deployed at the child sites appear only in the following Client Deployment Status categories at the parent site:

• Deployed

• Out of date

The reason for this is that the information for these categories is based on Configuration Manager hardware inventory data that the parent site receives from the child sites.

The information for the following deployment categories is based on the Configuration Manager advertisements: Removed, Failed, and Pending. Because the parent site cannot see the advertisements created at a child site, deployment information for these categories is not displayed at the parent site. You can view the full deployment status for deployed FEP client software at the child site.

Policy distribution status for FEP policies assigned to collections at a child site can take up to 24 hours to display at the parent site.


Decentralized policy control and decentralized FEP administration

In this scenario, the FEP policies are managed independently at each of the child sites, and the child site administrators are responsible for the deployment and day-to-day management of Forefront Endpoint Protection. Site administrators can share policies by exporting and importing Forefront Endpoint Protection policies from one site to another. Tasks performed on a child site only affect the devices of that child site.

To implement this scenario, install Forefront Endpoint Protection in primary child sites only.


Important:

Do not install Forefront Endpoint Protection on the parent site, because this disables the existing policies on the child sites and enables the following scenario: Centralized policy control and decentralized FEP administration.

The following table lists the tasks that you can accomplish when Forefront Endpoint Protection is installed at the child sites only.

Task | Connected to the parent site | Connected to the child sites
Deploy FEP clients to collections | No | Yes
Create or modify FEP policies | No | Yes
Assign FEP policies to collections | No | Yes
Monitor FEP via the FEP dashboard | No | Yes
FEP reporting | No | Yes
Configure FEP alerts | No | Yes
FEP Operations | No | Yes


Decentralized policy control and FEP administration with centralized FEP reporting

This scenario is very similar to the Decentralized policy control and FEP administration scenario, and in addition, provides centralized organization-wide reporting.

In this scenario, FEP policies are managed independently at each of the child sites, and the child site administrators are responsible for the deployment and day-to-day management of FEP. Site administrators can share policies by exporting and importing Forefront Endpoint Protection policies from one site to another.

To implement this scenario, install Forefront Endpoint Protection on primary child sites and install only FEP reporting on the primary parent site.


Important:

Do not install full Forefront Endpoint Protection on the parent site, because this disables the existing policies on the child sites and enables the following scenario: Centralized policy control and decentralized FEP administration.

The following table lists the Forefront Endpoint Protection tasks that you can accomplish when Forefront Endpoint Protection is installed at the child sites only.

Task | Connected to the parent site | Connected to the child sites
Deploy FEP clients to collections | No | Yes
Create or modify FEP policies | No | Yes
Assign FEP policies to collections | No | Yes
Monitor FEP via the FEP dashboard | No | Yes
FEP reporting | Yes | Yes
Configure FEP alerts | Yes | Yes
FEP Operations | No | Yes


Installing SQL 2008 R2 requirements

Click Start and type Programs and then press Enter

In the Programs and Features window, select Microsoft SQL Server 2008 R2 (64 bit) and then click Uninstall/Change.
Note: Make sure your SQL 2008 R2 installation media is inserted into your DVD drive.

In the SQL Server 2008 R2 dialog box, click Add and wait for the SQL Server 2008 R2 installation to start


In the SQL Server Installation Center, click Installation and then select New installation or add features to an existing installation

On the Setup Support Rules page, click Show details and verify that all the rule checks show passed. Then click OK

On the Setup Support Files page, click Install


On the Setup Support Rules page, click Show details and verify that all the rule checks show passed. Then click Next

On the Installation Type page, select Add features to an existing instance of SQL Server 2008 R2 and click Next

On the Feature Selection page, select Analysis Services, Reporting Services and Integration Services and then click Next


On the Installation Rules page, click Show details and verify that all the rule checks show passed. Then click Next

On the Disk Space Requirements page, verify that there is enough available disk space for the selected features and then click Next

On the Server Configuration page, select Use the same account for all SQL Server Services.
Note: A separate domain account should be used for each SQL Server service.

In the Use the same account for all SQL Server 2008 R2 Services window, click the drop-down arrow and select NT AUTHORITY\SYSTEM. Then click OK.

Back on the Server Configuration page, click Next.


On the Analysis Services Configuration page, select Add Current User and then click Next.
Note: The users added here will have unrestricted access to Analysis Services.

On the Reporting Services page, verify that Install, but do not configure the report server is selected and click Next

On the Error Reporting page, click Next


On the Installation Configuration Rules page, click Show details and verify that all the rule checks show passed. Then click Next

On the Ready to Install page, verify your selections and then click Install

On the Complete page, verify that the installation completed successfully and then click Close


Preparing the Site server for the FEP 2010 installation

Open a Command Prompt with administrative privileges and change your directory to where you have the FEP 2010 installation files. In the Command Prompt window type SCCM2007-SP2-KB2271736-ENU.msi and then press Enter.
Important: This hotfix is required on all administrator consoles.

On the Welcome to… page, click Next

On the End-User License Agreement page, select I accept the terms in the License Agreement and then click Next


On the Ready to Install page, click Install

On the Completing the Software… page, click Finish


Installing FEP 2010

Open a Command Prompt with administrative privileges and change your directory to where you have the FEP 2010 installation files. In the Command Prompt window type Serversetup.exe and then press Enter.
Important: You should run Serversetup.exe from either the x86 or x64 subdirectory, depending on your OS architecture.

On the Welcome to Forefront Endpoint Protection 2010 Server Setup Wizard page, type company name and organization in the Name and Organization fields. Then click Next.

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next

On the Installation Options page, select Basic topology and click Next.


On the Reporting Configuration page, fill in the following information:
User name (domain\user): Use the account used for SQL RS, e.g. petfood\SCCMSVCsqlrs
Password: Fill in the password for the account.
Then click Next.

On the Updates and Customer Experience Options page, select Use Microsoft Updates to keep my products up to date and then click Next.

On the Microsoft SpyNet Policy Configuration page, select Join Microsoft SpyNet and Advanced membership and click Next.

On the Installation Location page, accept the default installation location, C:\Program Files\Microsoft Forefront and click Next.


On the Prerequisites Verification page, verify that all prerequisite checks have a status of successful and then click Next.

On the Setup Summary page, verify the chosen installation options and then click Install

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete page, click Finish


Templates

The product ships with several default templates.

Template name | Target collection
Default workstation | FEP Collections\Deployment Status\Deployment Succeeded\Deployed Servers
Default server | FEP Collections\Deployment Status\Deployment Succeeded\Deployed Desktops
Mail Server policy | FEP Collections\FEP Policies (Folder)\FEP Mail Server
ConfigMgr Server Policy | FEP Collections\FEP Policies (Folder)\FEP ConfigMgr Server
OpsMgr Server Policy | FEP Collections\FEP Policies (Folder)\FEP OpsMgr Server
File Server Policy | FEP Collections\FEP Policies (Folder)\FEP File Server
Domain Controller Server Policy | FEP Collections\FEP Policies (Folder)\FEP Domain Controller Server
SharePoint Server Policy | FEP Collections\FEP Policies (Folder)\FEP SharePoint Server
SQL Server Policy | FEP Collections\FEP Policies (Folder)\FEP SQL Server

Template settings

All default settings are documented on TechNet - http://technet.microsoft.com/en-us/library/gg477039.aspx

Changes made to the default template settings

Below are some example settings that we configured for our clients and Configuration Manager Server (with a local SQL installation). These settings are in no way the only correct settings; all policy settings must be discussed internally and match the security policy of the organization.

Common settings for all templates

Exclusions
• %windir%\system32\CCM
• %windir%\SYSwow64\CCM


Windows Firewall
• Manager Windows firewall disabled

Common settings for all server policies

Scheduled scans

Default desktop

Scheduled scans
• Weekly scan, Friday 09:00 AM


Advanced
• Enabled Scan removable storage devices such as USB flash drives

ConfigMgr Server Policy

Excluded Processes
• %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe

On the Microsoft TechNet Wiki (http://social.technet.microsoft.com/wiki/contents/articles/953.aspx) you can find an updated list of recommended antivirus exclusions for Windows Server. The list covers, among others: Windows, Active Directory, Cluster, Forefront, FRS, SQL, IIS, DHCP, SCOM, ConfigMgr, Hyper-V, Exchange, SharePoint, Med-V and App-V.
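A mistyped exclusion (a missing % or a stray quote) will not match the path it was meant for, and an exclusion nobody approved is a scanning blind spot. The following Python check is an added example, not part of the original guide: it lints exclusion entries and compares them with an approved list. The environment map and both lists are constructed sample values, with paths modelled on the entries above.

```python
import ntpath
import re

# Constructed stand-in for the server's environment so the audit runs offline.
SAMPLE_ENV = {"windir": r"C:\Windows", "programfiles": r"C:\Program Files"}
TOKEN = re.compile(r"%([^%\\]+)%")   # one %NAME% environment variable reference

SQL = r"%ProgramFiles%\Microsoft SQL Server"
# Constructed approved list (what the organization's security policy allows).
SAMPLE_APPROVED = [
    r"%windir%\system32\CCM",
    r"%windir%\SYSwow64\CCM",
    SQL + r"\MSSQL.1\MSSQL\Binn\SQLServr.exe",
    SQL + r"\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe",
    SQL + r"\MSSQL.2\OLAP\Bin\MSMDSrv.exe",
]
# Constructed policy export: two good entries, two typos, one unapproved path.
SAMPLE_CONFIGURED = [
    r"%windir%\system32\CCM",
    r"%windir%\SYSwow64\CCM",
    r"ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services"
    r"\ReportServer\Bin\ReportingServicesService.exe",
    SQL + r'\MSSQL.2\OLAP\Bin\MSMDSrv.exe"',
    r"%windir%\Temp",
]


def lint_exclusion(entry, env=SAMPLE_ENV):
    """Expand one exclusion entry; return (expanded_path, problems)."""
    problems = []
    if '"' in entry or entry != entry.strip():
        problems.append("stray quote or whitespace")
    cleaned = entry.strip().replace('"', "")
    if "%" in TOKEN.sub("", cleaned):
        problems.append("unbalanced % around a variable name")

    def expand(match):
        value = env.get(match.group(1).lower())
        if value is None:
            problems.append("unknown variable " + match.group(0))
            return match.group(0)
        return value

    expanded = TOKEN.sub(expand, cleaned)
    if not ntpath.isabs(expanded):
        problems.append("does not resolve to an absolute path")
    return expanded, problems


def audit_exclusions(configured, approved, env=SAMPLE_ENV):
    """Sort configured entries into malformed / unapproved, and list approved
    entries that no well-formed configured entry covers."""
    approved_paths = {lint_exclusion(a, env)[0].lower(): a for a in approved}
    report = {"malformed": [], "unapproved": [], "missing": []}
    seen = set()
    for entry in configured:
        expanded, problems = lint_exclusion(entry, env)
        if problems:
            report["malformed"].append((entry, problems))
        elif expanded.lower() in approved_paths:
            seen.add(expanded.lower())
        else:
            report["unapproved"].append(entry)
    report["missing"] = [a for p, a in approved_paths.items() if p not in seen]
    return report


if __name__ == "__main__":
    for kind, items in audit_exclusions(SAMPLE_CONFIGURED, SAMPLE_APPROVED).items():
        print(kind, items)
```

Malformed entries are reported but not counted as configured, so the approved path they were meant to cover also shows up under "missing".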


Alerts

Email settings

Malware Detection Alerts
A mail will be sent whenever malware is detected on a computer.

Mail:
Forefront Endpoint Protection has detected malware on a computer in your organization.
Detection time (UTC): 4/20/2011 10:55:58 AM
Computer name: client1.petfood.local
Malware name: HackTool:Win32/Mailpassview
To view more information about malware activity in your organization, run a Computer List Report.
Note: No additional Malware Detection alerts will be generated for this computer for the next 24 hours.

Malware Outbreak Alert properties
A mail will be sent if more than 5 computers have the same malware detected.

Mail:
Forefront Endpoint Protection has detected a fast spreading malware on computers in your organization.
Malware name: HackTool:Win32/Mailpassview
Number of computers affected: 6
Detection interval (minutes): 0
To view more information about malware activity in your organization, run an Antimalware Activity Report.
Note: No additional Malware Outbreak alerts will be generated for this malware for the next 24 hours.


Repeated Malware Detection Alert
A mail will be sent if the same malware is detected 4 times within 24 hours on a single computer.

New Multiple Malware Detection Alert
A mail will be sent if multiple malware is detected within 24 hours on a single computer.
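The alert thresholds above can be rehearsed against exported detection data to see how much mail they would generate and what the 24-hour suppression hides. The following Python sketch is an added example, not part of the original guide or of FEP itself; it covers the detection, outbreak and repeated-detection rules, and it assumes a 24-hour counting window for the outbreak rule and the same 24-hour suppression for the repeated-detection alert, neither of which the guide states. The sample detections are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # suppression period quoted in the alert mails
OUTBREAK_COMPUTERS = 5         # outbreak: more than 5 computers, same malware
REPEAT_COUNT = 4               # repeated: same malware 4 times on one computer

MALWARE = "HackTool:Win32/Mailpassview"
T0 = datetime(2011, 4, 20, 10, 55, 58)

# Constructed sample detections: (UTC time, computer, malware name).
# Six clients are hit within five minutes, then client1 is hit four more times.
SAMPLE_DETECTIONS = [
    (T0 + timedelta(minutes=i), f"client{i + 1}.petfood.local", MALWARE)
    for i in range(6)
] + [
    (T0 + timedelta(hours=h), "client1.petfood.local", MALWARE)
    for h in (2, 4, 6, 30)
]


def evaluate_alerts(detections):
    """Return (time, alert_kind, subject) for every mail that would be sent."""
    alerts = []
    last_sent = {}                    # (kind, key) -> time the last mail went out
    by_malware = defaultdict(list)    # malware -> [(time, computer)]
    by_host = defaultdict(list)       # computer -> [(time, malware)]

    def fire(when, kind, key):
        prev = last_sent.get((kind, key))
        if prev is not None and when - prev < WINDOW:
            return                    # suppressed: same alert sent < 24 h ago
        last_sent[(kind, key)] = when
        alerts.append((when, kind, key))

    for when, computer, malware in sorted(detections):
        by_malware[malware].append((when, computer))
        by_host[computer].append((when, malware))
        cutoff = when - WINDOW

        # Malware Detection alert: one mail per computer per 24 hours.
        fire(when, "detection", computer)

        # Malware Outbreak alert: same malware on more than 5 computers.
        hosts = {c for t, c in by_malware[malware] if t > cutoff}
        if len(hosts) > OUTBREAK_COMPUTERS:
            fire(when, "outbreak", malware)

        # Repeated Malware Detection alert: same malware 4 times on one host.
        recent = [m for t, m in by_host[computer] if t > cutoff]
        if recent.count(malware) >= REPEAT_COUNT:
            fire(when, "repeated", (computer, malware))
    return alerts


def count_by_kind(alerts):
    """Number of mails per alert kind."""
    return dict(Counter(kind for _, kind, _ in alerts))


if __name__ == "__main__":
    for when, kind, subject in evaluate_alerts(SAMPLE_DETECTIONS):
        print(when.isoformat(), kind, subject)
```

In the sample, the three follow-up detections on client1 at +2, +4 and +6 hours send no detection mail because of the 24-hour suppression; only the repeated-detection alert at the fourth hit surfaces them.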


Reports

All reports are accessible from http://servername/reports.

DCM Settings

Forefront clients use desired configuration management to update status information in Configuration Manager. By default 4 configuration baselines are created and applied to specific collections. Baselines written in bold are non-default baselines.

Baseline | Applied Collection | Schedule
FEP Monitoring – Antimalware Status | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily
FEP Monitoring – Definitions and Health Status | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily
FEP Monitoring – Malware Activity | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily
FEP Monitoring – Malware Detections | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date | Daily
FEP – Standard Desktop | FEP Collections\Deployment Status\Deployment Succeeded\Deployed Desktops | Daily


Configure WSUS to automatically approve FEP 2010 definition updates

Important: If you install FEP 2010 Update Rollup 1 and configure your environment to use Configuration Manager as the primary source for your FEP 2010 Definition Updates, you should not perform the step detailed in this section.

Open the WSUS administrator console.

Select Synchronization schedule and configure 6 synchronizations per day. Click OK

Click Automatic Approvals.

Create a new rule that will automatically approve all definition updates. Select When an update is in a specific classification.

Click on the any classification link. Make sure you only select Definition updates. Click OK

Select When an update is in a specific product.

Select Forefront Endpoint Protection 2010 and click OK.

Type FEP definitions as the name and click OK (twice).

FEP 2010 Update Rollup 1 information

The following list is a summary of the updates in FEP 2010 Update Rollup 1:

• FEP 2010 client support for the following Windows Embedded 7 client operating systems and Windows Server 2008 Core:

  • Windows Embedded Standard 7 SP1

  • Windows Embedded POSReady 7

  • Windows ThinPC

  • Windows Server 2008 Server Core (x86 or x64)

• Support for enabling deployment of Forefront Endpoint Protection definition updates through Configuration Manager 2007 software update point role

• Addition of two new preconfigured policy templates for Microsoft Forefront Threat Management Gateway and Microsoft Lync 2010

• Various bug fixes

For a full list of added functionality and fixes, see

http://support.microsoft.com/kb/2551095

Installing FEP 2010 Update Rollup 1

Download FEP 2010 Update Rollup 1 from here: http://www.microsoft.com/download/en/details.aspx?id=26583

Note: You must download the following “pair of files” depending on your server’s architecture.

x64: FEP2010-Update-KB2554364-x64-ENU.EXE and FEP2010-Update-Rollup-KB2551095-x64-ENU.exe

or

x86: FEP2010-Update-KB2554364-x86-ENU.EXE and FEP2010-Update-Rollup-KB2551095-x86-ENU.exe

You must first install either the x86 or x64 version of the KB2554364 hotfix on the computer on which the FEP reporting feature is installed. Once this hotfix is installed, it cannot be uninstalled.

Installing the KB2554364 hotfix on the FEP reporting server

Open a Command Prompt with administrative privileges and change your directory to where you have downloaded the FEP 2010 Update Rollup 1 files. In the Command Prompt window, type FEP2010-Update-KB2554364-x64-ENU.EXE and then press Enter. Important: Once this hotfix is installed, it CANNOT be uninstalled.

On the Welcome to Reporting Update Setup Wizard page, click Next

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next

On the Setup Summary page, click Install

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete page, click Finish. Then restart the machine.

Extracting the FEP2010 Update Rollup installation files

Open a Command Prompt with administrative privileges and change your directory to where you have downloaded the FEP 2010 Update Rollup 1 files. In the Command Prompt window type FEP2010-Update-Rollup-KB2551095-x64-ENU.EXE and then press Enter

In the Choose Directory for Extracted Files window, browse for a location where you want to extract the files and then click OK

On the Extraction Complete window, click OK

Installing the Update Rollup 1 on the Configuration Manager Site server (FepExt)

On the Configuration Manager Site Server, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files. Double-click the FepExt folder and then double-click the Setup.exe file.

On the Welcome to Update Rollup 1 Setup Wizard page, click Next

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next

On the Setup Summary page, verify the installation options and then click Install

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete page, click Finish

Installing the Update Rollup 1 on the FEP 2010 Reporting Server (FepReport)

On the Server where FEP 2010 Reporting is installed, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files. Double-click the FepReport folder and then double-click the Setup.exe file.

On the Welcome to Update Rollup 1 Setup Wizard page, click Next

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next

On the Setup Summary page, verify the installation options and then click Install

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete page, click Finish.

Installing the Update Rollup 1 on the FEP 2010 Console machines (FepUx)

On the machines where the FEP 2010 Console is installed, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files. Double-click the FepUx folder and then double-click the Setup.exe file.

On the Welcome to Update Rollup 1 Setup Wizard page, click Next

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next

On the Setup Summary page, verify the installation options and then click Install

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete page, click Finish

Deploying the FEP 2010 Update Rollup 1 to Clients

A new version of the Configuration Manager FEP – Deployment package is installed as part of the FEP 2010 Update Rollup 1 update. Because of the new package, all computers installed with earlier versions of the FEP client software will be members of the Out of Date FEP collection.

In the Configuration Manager console, expand System Center Configuration Manager, Site Database, Computer Management and Software Distribution. Then click on the Advertisements node

Right-click the FEP 2010 Client installation advertisement and choose Properties

In the Name-of-advertisement window, click on the Schedule tab and then, in the Program rerun behavior box, select Always run program. Click OK

Back in the Configuration Manager console, right-click the FEP 2010 Client installation advertisement and choose Re-run Advertisement. In the Re-run Advertisement window, click Yes

Refresh policy on the FEP 2010 clients or wait for the policy refresh to occur automatically. Then check the FEP 2010 client status in the Configuration Manager console by clicking on the Forefront Endpoint Protection node under System Center Configuration Manager, Site Database and Computer Management

Configuring Configuration Manager 2007 SUP to distribute FEP definition updates to your FEP 2010 clients

Microsoft Forefront Endpoint Protection 2010 Update Rollup 1 includes the Definition Update Automation tool. This tool enables you to use Configuration Manager 2007 software update points (SUP) to distribute FEP definition updates to your FEP clients.

To configure your environment to use the Definition Update Automation tool, it must first be downloaded and copied to the Configuration Manager software update point.

The Definition Update Automation tool (fepsuasetup.cab) can be downloaded from here: http://www.microsoft.com/download/en/details.aspx?id=26613

On your Configuration Manager SUP, in the location to which you copied the fepsuasetup.cab file, double-click the fepsuasetup.cab file, then right-click the SoftwareUpdateAutomation.exe file and choose Extract. Browse to one of the following locations, depending on your OS architecture:

X86: %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin

X64: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin

Then click Extract

In the File Download – Security Warning dialog, click Save

In the Configuration Manager console, expand System Center Configuration Manager, Site Database, Site Management, SiteCode – SiteName, Site Settings and then click the Component Configuration node. In the details pane of the console, right-click the Software Update Point Component and select Properties

In the Software Update Point Component Properties window, click on the Classifications tab and select the checkbox next to Definition updates

Still in the Software Update Point Component Properties window, click on the Products tab. Scroll down to the Forefront group, select the checkbox next to Forefront Endpoint Protection 2010 and then click Apply and OK

Back in the Configuration Manager console, expand Site Database, Computer Management and Software Updates. Then right-click the Update Repository node and select Run Synchronization

In the Run Update Synchronization dialog box, select Yes

The WSUS synchronization process can be monitored by opening the wsyncmgr.log file on the Configuration Manager site server. Wait for the WSUS synchronization to complete before continuing with the next steps.

Still in the Configuration Manager console, right-click the Update Repository node and select Refresh. Then expand the node, expand Definition Updates and Microsoft, and click on the Forefront Endpoint Protection 2010 node.

In the details pane, click Definition for Microsoft Forefront Endpoint Protection 2010… and then select Download Software Updates

On the Deployment Package page, select Create a new deployment package and fill in the following information:

Name: FEP2010_DefUpdates
Description: Definition Updates for Forefront Endpoint Protection 2010
Package source: \\sccmkbh\FEPDefUpdates

Then click Next. Note: The share for the Package source must be created manually prior to completing this task.

On the Distribution Points page, click Browse and, in the Add Distribution Points dialog box, expand the CEN (Site code) node. Then select the distribution points, i.e. SCCMKBH and sccmkbh\sccm_dp$, and then click OK. Back on the Distribution Points page, verify that the selected distribution points are listed and then click OK and Next

On the Data Access page, click Next

On the Distribution Settings page, click Next

On the Download Location page, select Download software updates from the Internet and then click Next

On the Language Selection page, select English and then click Next

On the Summary page, verify the chosen options and then click Next. Note: Wait for the download to complete.

On the Wizard Completed page, verify that the Download Updates Wizard completed successfully and then click Close

Back in the Configuration Manager console; in the details pane, click Definition for Microsoft Forefront Endpoint Protection 2010… and then select Deploy Software Updates

On the General page, in the Name field type FEP2010_DefUpdates and then click Next

On the Deployment Template page, select Create a new deployment template and then click Next

On the Collection page, click Browse and, in the Browse Collection dialog box, select the target collection for the FEP 2010 Definition Updates, i.e. Test, and then click OK. Back on the Collection page, verify that the selected collection is listed and then click Next

On the Display/Time Settings page, select the following settings:

Suppress display notifications on clients
Client Local time
Duration: 2 Hours

Then click Next

On the Restart Settings page, select the appropriate settings and click Next

On the Event Generation page, select the appropriate settings and click Next

On the Update Binary Download – ConfigMgr Client Settings page, select the following settings:

Download software updates from distribution point and install
Download software updates from unprotected distribution point and install

Then click Next

On the Create Template page, select Save deployment properties as a template and, in the Template name field, type FEP 2010 Definition Updates. Then click Next

On the Deployment Package page, click Browse and, in the Select a Package dialog box, select the package for the FEP 2010 Definition Updates created earlier, i.e. FEP2010_DefUpdates, and then click OK. Back on the Deployment Package page, verify that the selected package is listed and then click Next

On the Download Location page, select Download software updates from the Internet and then click Next. Note: Because all the required software updates have already been downloaded, the files will only be validated and not downloaded again.

On the Language Selection page, select English and then click Next

On the Deployment Schedule page, select As soon as possible and then click Next

On the Summary page, verify the chosen options and then click Next. Note: Wait for the Wizard to complete.

On the Wizard Completed page, verify that the Deploy Software Updates Wizard completed successfully and then click Close

Configuring FEP 2010 clients to use Configuration Manager as the primary source for definition updates

In the Configuration Manager console, expand System Center Configuration Manager, Computer Management and Forefront Endpoint Protection. Then click on the Policies node

Right-click the policy, i.e. ConfigMgr Server Policy (Coretech), and select Properties

In the Name-of-the-policy Properties window, i.e. ConfigMgr Server Policy (Coretech) Properties, click on the Updates tab

On the Updates tab in the Name-of-the-policy Properties window, i.e. ConfigMgr Server Policy (Coretech) Properties, select the Use Configuration Manager as the primary source for definition updates check box. Under the Use the following section to configure alternative sources… heading, in the Every (hours) field, change the value to 6. Under the Clients will pull updates from the selected… heading, configure the order in which clients will pull updates according to your needs. Then click OK

Repeat the above steps for all your FEP 2010 policies where you want to use Configuration Manager as the primary source for definition updates

Configuring the FEP 2010 Definition Update Automation tool

The following two sections describe how to configure the FEP 2010 Definition Update Automation tool (softwareupdateautomation.exe):

• Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)

• Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)

The FEP 2010 Definition Update Automation tool (softwareupdateautomation.exe) automatically checks the WSUS server for new FEP 2010 definition updates and downloads them. It then updates your existing FEP 2010 definition updates Deployment Package and Deployment and refreshes your distribution points. For this to work properly, the WSUS server needs to synchronize regularly with Windows Update in order to learn about new FEP 2010 definitions. That is why both methods use Event ID 6702 as the trigger to execute the softwareupdateautomation.exe file. You must use only one of the described methods when configuring the FEP 2010 Definition Update Automation tool.

Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)

On your Configuration Manager SUP, click Start, type task scheduler and then press Enter

In the Task Scheduler window, in the menu bar, click Action and select Create Task

In the Create Task window on the General tab, configure the following settings:

Name: FEP_Update_Tool
Description: This task will run the Definition Update Automation tool for FEP 2010 updates every 1 hour
Run whether user is logged on or not

Then click on the Actions tab.

Note: The user account used to run this task must have the appropriate Configuration Manager permissions to update the definition package and definition assignment specified in the command line.

On the Actions tab, click New

In the New Action window, click Browse and browse to one of the following two locations, depending on your OS architecture:

X86: %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin

X64: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin

Then select the SoftwareUpdateAutomation.exe file and click Open

Still in the New Action window, type the following information in the Add arguments (optional) field:

/AssignmentName "Deployment" /PackageName "Package" /RefreshDP

Where Deployment is the name of the software deployment for the definitions, and Package is the name of the software package that contains the definitions, i.e.

/AssignmentName "FEP2010_DefUpdates" /PackageName "FEP2010 DefUpdates" /RefreshDP

Then click OK

Click on the Triggers tab and then click New

In the New Trigger dialog box, under Advanced settings, select the check box for Repeat task every, click 1 hour in the list, and then next to for a duration of, click Indefinitely. Then click OK

Still on the Triggers tab, click New

In the New Trigger dialog box, in the Begin the task field, select On an event. Under Settings, select the following from the drop-down boxes:

Log: Application
Source: SMS Server

In the Event ID field, type 6702. Under Advanced settings, ensure that the Enabled check box is selected. Then click OK twice

In the Task Scheduler password dialog box, type the password of the user account which the task runs under, then click OK and close the Task Scheduler

Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)

In the Configuration Manager console, expand System Center Configuration Manager, Site Database, <Sitecode - Site name>, Site Settings. Then right-click the Status Filter Rules node and select New Status Filter Rule

On the General page of the New Status Filter Rule Wizard, type a name for the new Status Filter Rule, i.e. FEP 2010 definition update automation tool. Then select the following fields and information from the drop-down boxes:

Source: ConfigMgr Server
Component: SMS_WSUS_SYNC_MANAGER
Message ID: 6702

Then click Next

On the Actions page, select Run a program and, in the Program field, type the following information, i.e.

"D:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName "FEPDefUpdates" /PackageName "FEPDefUpdates" /RefreshDP

The location of the SoftwareUpdateAutomation.exe tool is dependent on your OS architecture:

X86: %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin

X64: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin

Then click Next

On the Summary page, verify the chosen options and then click Next

On the Wizard Completed page, verify that the New Status Filter Wizard completed successfully and then click Close
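Both Method 1 and Method 2 hand SoftwareUpdateAutomation.exe to an account with Configuration Manager permissions, so it is worth checking the extracted binary and building the command line once, cleanly, before pasting it into either dialog. The following is an added example, not part of the guide or of FEP; the helper names are hypothetical, and the deployment and package names are the samples used in this guide.

```powershell
# Added example; helper names are hypothetical and not part of FEP or Configuration Manager.

function Resolve-AutomationToolPath {
    # Default location from the guide: AdminUI\bin under %ProgramFiles(x86)% on x64 and
    # under %ProgramFiles% on x86. Pass -AdminUIBin when the console is installed elsewhere
    # (the guide's Method 2 sample uses D:\Program Files (x86)).
    param([string]$AdminUIBin)
    if (-not $AdminUIBin) {
        $root = ${env:ProgramFiles(x86)}
        if (-not $root) { $root = $env:ProgramFiles }
        $AdminUIBin = Join-Path $root 'Microsoft Configuration Manager\AdminUI\bin'
    }
    Join-Path $AdminUIBin 'SoftwareUpdateAutomation.exe'
}

function Test-AutomationTool {
    # Reports whether the tool is where the task expects it and what its Authenticode
    # status is (for example Valid, NotSigned or HashMismatch).
    param([string]$ToolPath)
    $result = New-Object PSObject -Property @{
        Path = $ToolPath; Exists = $false; Signature = 'n/a'; Signer = $null
    }
    if (Test-Path -LiteralPath $ToolPath -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $ToolPath
        $result.Exists = $true
        $result.Signature = [string]$sig.Status
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    }
    $result
}

function New-AutomationCommandLine {
    param([string]$ToolPath, [string]$AssignmentName, [string]$PackageName)
    foreach ($value in @($AssignmentName, $PackageName)) {
        # Names pasted from a document often carry typographic quotes, which would end up
        # inside the name. Reject those, straight quotes and empty names.
        if (-not $value -or $value -match '["\u201C\u201D]') {
            throw "Invalid deployment or package name: '$value'"
        }
    }
    $arguments = '/AssignmentName "{0}" /PackageName "{1}" /RefreshDP' -f $AssignmentName, $PackageName
    New-Object PSObject -Property @{
        Arguments = $arguments                          # Task Scheduler: Add arguments field
        Program   = '"{0}" {1}' -f $ToolPath, $arguments  # Status filter rule: Program field
    }
}

$tool = Resolve-AutomationToolPath
Test-AutomationTool -ToolPath $tool | Format-List Path, Exists, Signature, Signer

# Sample names taken from the deployment created earlier in this guide.
$cmd = New-AutomationCommandLine -ToolPath $tool -AssignmentName 'FEP2010_DefUpdates' -PackageName 'FEP2010_DefUpdates'
"Task Scheduler 'Add arguments' field: $($cmd.Arguments)"
"Status filter rule 'Program' field:   $($cmd.Program)"
```

A Signature value of HashMismatch means the file changed after it was signed; extract the tool again from a fresh download before scheduling it.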

Testing the FEP 2010 Definition Update Automation tool

Back in the Configuration Manager console, expand Site Database, Computer Management and Software Updates. Then right-click the Update Repository node and select Run Synchronization

In the Run Update Synchronization dialog box, select Yes

The WSUS synchronization process can be monitored by opening the wsyncmgr.log file on the Configuration Manager site server. Wait for the WSUS synchronization to complete before continuing with the next steps.

Open the Task Scheduler and click on the Task Scheduler Library in the left pane. Then click on the task that you created earlier in the details pane, i.e. FEP_Update_Tool

Still in the details pane of the Task Scheduler, click on the History tab and verify that the task was triggered by the 6702 event.

Open the Event Viewer, expand Windows Logs and then click on Application. In the details pane, scroll down until you find 6702 under the Event ID column. Click on the event and verify the information about this event on the General tab in the lower part of the details pane. Then close the Event Viewer

Browse to %programdata%, i.e. C:\ProgramData, and open the SoftwareUpdateAutomation.log file. Look for errors and warnings in the log file.

You will see something similar to the message below:

SmsAdminUISnapIn Error 0 : (SMS_PackageToContent ContentOD=7861,PackageID=’CEN00013’).IsContentValid returns true. We won’t download the content again.

This basically means that the FEP 2010 definitions downloaded are up-to-date and there is no need to download them again. So it isn't an error for now.

Scroll down to the end of the SoftwareUpdateAutomation.log file. Look for something similar to the message below:

SmsAdminUISnapIn Information: 1:SCF session handle {4dc4531e-96f0-4d9c-a990-068100636609} has successfully released

This means that the Definition Update Automation tool has released the Deployment and Package used for FEP2010 Definition Updates and that the automatic update process is working correctly
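The manual checks in this section (event 6702 in the Application log, then errors, warnings and the final release message in SoftwareUpdateAutomation.log) can be scripted as below. This is an added example, not code from the guide or from Microsoft; the function names are hypothetical, the log line layout is assumed from the two lines quoted above, and the Warning line in the sample is constructed.

```powershell
# Added example for the testing steps; function names are hypothetical.
# Assumption: each log line starts "<source> <Level>", as in the two lines the guide quotes.

# Text the guide says is expected even though the tool logs it at Error level.
$BenignErrorText = @('IsContentValid returns true')

function Get-AutomationLogSummary {
    param([string[]]$Lines)
    $findings = @()
    $released = $false
    foreach ($line in $Lines) {
        # The guide's success marker: the SCF session handle was released.
        if ($line -match 'SCF session handle \{[0-9a-fA-F-]+\} has successfully released') {
            $released = $true
        }
        if ($line -match '^\s*\S+\s+(Error|Warning)\b') {
            $level = $Matches[1]
            $benign = $false
            foreach ($text in $BenignErrorText) {
                if ($line.Contains($text)) { $benign = $true }
            }
            $findings += New-Object PSObject -Property @{
                Level = $level; Benign = $benign; Line = $line.Trim()
            }
        }
    }
    $actionable = @($findings | Where-Object { -not $_.Benign })
    New-Object PSObject -Property @{
        Findings        = $findings
        ActionableCount = $actionable.Count
        SessionReleased = $released
    }
}

function Get-SyncCompletedEvents {
    param([int]$Hours = 24)
    # Same trigger the guide configures: Application log, source "SMS Server", event ID 6702.
    $filter = @{
        LogName   = 'Application'
        ProviderName = 'SMS Server'
        Id        = 6702
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

# Sample input: lines 1 and 3 are the ones quoted in the guide, line 2 is constructed.
$sample = @'
SmsAdminUISnapIn Error 0 : (SMS_PackageToContent ContentOD=7861,PackageID=’CEN00013’).IsContentValid returns true. We won’t download the content again.
SmsAdminUISnapIn Warning: 0 : constructed warning line for illustration
SmsAdminUISnapIn Information: 1:SCF session handle {4dc4531e-96f0-4d9c-a990-068100636609} has successfully released
'@ -split "`r?`n"

# Use the real log on the SUP when it exists, otherwise fall back to the sample.
$logPath = $null
if ($env:ProgramData) { $logPath = Join-Path $env:ProgramData 'SoftwareUpdateAutomation.log' }
if ($logPath -and (Test-Path -LiteralPath $logPath)) {
    $lines  = Get-Content -LiteralPath $logPath
    $events = Get-SyncCompletedEvents -Hours 24
    "Event 6702 occurrences in the last 24 hours: $($events.Count)"
} else {
    $lines = $sample
}

$summary = Get-AutomationLogSummary -Lines $lines
$summary.Findings | Format-Table Level, Benign, Line -AutoSize -Wrap
"Actionable findings: {0}; session released: {1}" -f $summary.ActionableCount, $summary.SessionReleased
```

Extend $BenignErrorText only with messages you have confirmed are harmless, so that a new Error or Warning line always surfaces as actionable.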