
Forefront Endpoint Protection 2010 installation and configuration guide for Configuration Manager 2007

Create date:
Change date:
Document version no.:

Kent Agerlund & Michael Buchardt

Written by Kent Agerlund and Michael Buchardt, Coretech A/S

Page 1 of 71

Document information



Reason for change






Kent Agerlund &

Michael Buchardt
Kent Agerlund &
Michael Buchardt
Michael Buchardt


Kent Agerlund


Added information about FEP 2010 Update 1 Rollup (installation and configuration)
Added information about installing Reporting Services, Analysis Services and Integration Services for SQL Server 2008 R2
Minor changes, added policy template



Proof readers


Date of approval

Forefront Endpoint Protection 2010 installation and configuration guide for Configuration Manager 2007 v1.4.docx


Table of contents
Document information
History
Proof readers
Table of contents
Configuration Manager Site Topologies and FEP 2010
Single-Site Deployment
Centralized policy control and centralized FEP administration
Centralized policy control and decentralized FEP administration
Decentralized policy control and decentralized FEP administration
Decentralized policy control and FEP administration with centralized FEP reporting
Installing SQL 2008 R2 requirements
Preparing the Site server for the FEP 2010 installation
Installing FEP 2010
Templates
Template settings
Changes made to the default template settings
Common settings for all templates
Common settings for all server policies
Default desktop
ConfigMgr Server Policy
Alerts
Reports
DCM Settings
Configure WSUS to automatically approve FEP 2010 definition updates
FEP 2010 Update Rollup 1 information
Installing FEP 2010 Update Rollup 1
Installing the KB2554364 hotfix on the FEP reporting server
Extracting the FEP2010 Update Rollup installation files
Installing the Update Rollup 1 on the Configuration Manager Site server (FepExt)
Installing the Update Rollup 1 on the FEP 2010 Reporting Server (FepReport)
Installing the Update Rollup 1 on the FEP 2010 Console machines (FepUx)
Deploying the FEP 2010 Update Rollup 1 to Clients
Configuring Configuration Manager 2007 SUP to distribute FEP definition updates to your FEP 2010 clients
Configuring FEP 2010 clients to use Configuration Manager as the primary source for definition updates
Configuring the FEP 2010 Definition Update Automation tool
Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)
Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)
Testing the FEP 2010 Definition Update Automation tool


Configuration Manager Site Topologies and FEP 2010

You can deploy Forefront Endpoint Protection 2010 (FEP) to a Configuration Manager standalone (single) site or to a hierarchical site environment. Installation of Forefront Endpoint
Protection on secondary sites is not supported.

Single-Site Deployment
In a single-site Configuration Manager deployment, Forefront Endpoint Protection is installed
on the Configuration Manager site server. Configuration Manager administrators can perform
the following tasks from the Configuration Manager console:

Create or modify Forefront Endpoint Protection policies

Assign Forefront Endpoint Protection policies to collections

Deploy Forefront Endpoint Protection clients to collections

Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection


Configure Forefront Endpoint Protection alerts

Assign the Forefront Endpoint Protection Desired Configuration Management configuration baselines to collections


Hierarchical Deployment
In a hierarchical Configuration Manager deployment, a parent site has one or more attached
child sites in the hierarchy. A parent site contains pertinent information about its child sites,
and it can control many operations at the child sites. A site that has no parent site is known
as a central site.
Depending on the needs and requirements of an organization, you can deploy Forefront
Endpoint Protection to achieve the following scenarios:

Centralized policy control and centralized FEP administration

Centralized policy control and decentralized FEP administration

Decentralized policy control and decentralized FEP administration

Decentralized policy control and FEP administration with centralized FEP reporting


Centralized policy control and centralized FEP administration

In this scenario, administrators at the Configuration Manager parent site control the
configuration and administration of Forefront Endpoint Protection. Administrators at the
parent site are responsible for policy management and day-to-day monitoring of Forefront
Endpoint Protection. Administrators at the child sites can deploy the Forefront Endpoint
Protection client software to collections in the child site and assign FEP policies, but have
limited ability to monitor the progress of the FEP client software and policy deployments.
To implement this scenario, install Forefront Endpoint Protection only on the primary parent


The following table lists the tasks that can be accomplished when Forefront Endpoint Protection
is installed on the parent primary site only.

Connected to the parent site

Connected to the child sites

Deploy FEP clients to collections

Create or modify FEP policies
Assign FEP policies to collections
Monitor FEP client deployment and policy deployment progress
Monitor FEP via the FEP dashboard
FEP reporting
Configure FEP alerts
FEP Operations






Centralized policy control and decentralized FEP administration

In this scenario, FEP policies are managed centrally at the parent site, but the administrators
at the child sites are responsible for the deployment and day-to-day management of FEP.
Administrators at the child sites can view the Forefront Endpoint Protection policies, but
cannot create, modify, or delete a policy.
To implement this scenario, you must install Forefront Endpoint Protection on both the
primary parent site and the primary child sites.


The following table lists the tasks that you can accomplish when Forefront Endpoint
Protection is installed on the parent site and child sites.

Connected to the parent site

Connected to the child sites

Deploy FEP clients to collections

Create or modify FEP policies
Assign FEP policies to collections
Monitor FEP client deployment and policy deployment progress
Monitor FEP via the FEP dashboard
FEP reporting
Configure FEP alerts
FEP Operations






At a child site, there are two FEP Deployment packages, one from the parent site and one
from the child site. When deploying the Forefront Endpoint Protection client software from
the child site, you must deploy by using the software package from the parent site. The first
three letters of the software package Package ID indicate from which site the software
package originates.
When you install Forefront Endpoint Protection on the child site first, and then install
Forefront Endpoint Protection on the parent site, the FEP Policies package on the child site
is disabled, and the FEP Policies package from the parent site is propagated to the child
site. Policies created on the child site no longer exist. It is recommended that you export the
policies from the child site before you install Forefront Endpoint Protection on the parent site.
After installing Forefront Endpoint Protection on the parent site, you can import the policies
on the parent site.
Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint
Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality
of the child sites. Repair the Forefront Endpoint Protection installation on each child site after
Forefront Endpoint Protection is uninstalled from the parent site.
FEP clients deployed at the child sites appear only in the following Client Deployment Status
categories at the parent site:


Out of date

The reason for this is that the information for these categories is based on Configuration
Manager hardware inventory data that the parent site receives from the child sites.
The information for the following deployment categories is based on the Configuration
Manager advertisements: Removed, Failed, and Pending. Because the parent site cannot see
the advertisements created at a child site, deployment information for these categories is not
displayed at the parent site. You can view the full deployment status for deployed FEP client
software at the child site.
Policy distribution status for FEP policies assigned to collections at a child site can take up to
24 hours to display at the parent site.


Decentralized policy control and decentralized FEP administration

In this scenario, the FEP policies are managed independently at each of the child sites, and
the child site administrators are responsible for the deployment and day-to-day management
of Forefront Endpoint Protection. Site administrators can share policies by exporting and
importing Forefront Endpoint Protection policies from one site to another. Tasks performed
on a child site only affect the devices of that child site.
To implement this scenario, install Forefront Endpoint Protection in primary child sites only.


Do not install Forefront Endpoint Protection on the parent site, because this disables the
existing policies on the child sites and enables the following scenario: Centralized policy
control and decentralized FEP administration.
The following table lists the tasks that you can accomplish when Forefront Endpoint
Protection is installed at the child sites only.

Connected to the parent


Connected to the child


Deploy FEP clients to

Create or modify FEP policies
Assign FEP policies to
Monitor FEP via the FEP
FEP reporting
Configure FEP alerts
FEP Operations










Decentralized policy control and FEP administration with centralized FEP reporting
This scenario is very similar to the Decentralized policy control and FEP administration
scenario, and in addition, provides centralized organization-wide reporting.
In this scenario, FEP policies are managed independently at each of the child sites, and the
child site administrators are responsible for the deployment and day-to-day management of
FEP. Site administrators can share policies by exporting and importing Forefront Endpoint
Protection policies from one site to another.
To implement this scenario, install Forefront Endpoint Protection on primary child sites and
install only FEP reporting on the primary parent site.


Do not install full Forefront Endpoint Protection on the parent site, because this disables the
existing policies on the child sites and enables the following scenario: Centralized policy
control and decentralized FEP administration.
The following table lists the Forefront Endpoint Protection tasks that you can accomplish
when Forefront Endpoint Protection is installed at the child sites only.

Connected to the parent


Connected to the child


Deploy FEP clients to

Create or modify FEP policies
Assign FEP policies to
Monitor FEP via the FEP
FEP reporting
Configure FEP alerts
FEP Operations










Installing SQL 2008 R2 requirements

Click Start and type Programs and then press Enter

In the Programs and Features window, select Microsoft SQL Server 2008 R2 (64 bit) and then click
Note: Make sure your SQL 2008 R2 installation media is inserted into your DVD

In the SQL Server 2008 R2 dialog box, click Add and wait for the SQL Server 2008 R2 installation to start


In the SQL Server Installation Center, click Installation and then select New installation or add features to an existing installation

On the Setup Support Rules page, click Show details and verify that all the rule checks show passed. Then click OK

On the Setup Support Files page, click



On the Setup Support Rules page, click Show details and verify that all the rule checks show passed. Then click Next

On the Installation Type page, select Add features to an existing instance of SQL Server 2008 R2 and click Next

On the Feature Selection page, select Analysis Services, Reporting Services and Integration Services and then click


On the Installation Rules page, click Show details and verify that all the rule checks show passed. Then click Next

On the Disk Space Requirements page, verify that there is enough available disk space for the selected features and then click Next

On the Server Configuration page, select Use the same account for all SQL Server Services
Note: A separate domain account should be used for each SQL Server service

In the Use the same account for all SQL Server 2008 R2 Services window, click the drop-down arrow and select NT
Back on the Server Configuration page, click Next


On the Analysis Services Configuration page, select Add Current User and then click Next
Note: The users added here will have unrestricted access to Analysis Services

On the Reporting Services page, verify that Install, but do not configure the report server is selected and click Next

On the Error Reporting page, click Next


On the Installation Configuration Rules page, click Show details and verify that all the rule checks show passed. Then click Next

On the Ready to Install page, verify your selections and then click Install

On the Complete page, verify that the installation completed successfully and then click Close


Preparing the Site server for the FEP 2010 installation

Open a Command Prompt with administrative privileges and change your directory to where you have the FEP 2010 installation files.
In the Command Prompt window type
and then press Enter
Important: This hotfix is required on all administrator consoles.
On the Welcome to page, click Next

On the End-User License Agreement page, select I accept the terms in the License Agreement and then click Next


On the Ready to Install page, click


On the Completing the Software

page, click Finish


Installing FEP 2010

Open a Command Prompt with administrative privileges and change your directory to where you have the FEP 2010 installation files.
In the Command Prompt window type Serversetup.exe and then press Enter
Important: You should run Serversetup.exe from either the x86 or x64 subdirectory depending on your OS
On the Welcome to Forefront Endpoint Protection 2010 Server Setup Wizard page, type company name and organization in the Name and Organization fields.
Then click Next.

On the Microsoft Software License Terms page, select I accept the software license terms and then click

On the Installation Options page, select Basic topology and click Next.


On the Reporting Configuration page, fill in the following information:
User name (domain\user): Use the account used for SQL RS i.e.
Password: Fill in the password for the
Then click Next
On the Updates and Customer Experience Options page, select Use Microsoft Updates to keep my products up to date and then click

On the Microsoft SpyNet Policy Configuration page, select Join Microsoft SpyNet and Advanced membership and click Next.

On the Installation Location page, accept the default installation location, C:\Program Files\Microsoft Forefront and click Next.


On the Prerequisites Verification page, verify that all prerequisite checks have a status of successful and then click Next.

On the Setup Summary page, verify the chosen installation options and then click

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete page, click Finish


The product ships with several default templates.
Template name | Target collection
Default workstation | Collections\Deployment Status\Deployment Succeeded\Deployed Desktops
Default server | Collections\Deployment Status\Deployment Succeeded\Deployed Servers
Mail Server policy | Collections\FEP Policies (Folder)\FEP Mail Server
ConfigMgr Server Policy | Collections\FEP Policies (Folder)\FEP ConfigMgr Server
OpsMgr Server Policy | Collections\FEP Policies (Folder)\FEP OpsMgr Server
File Server Policy | Collections\FEP Policies (Folder)\FEP File Server
Domain Controller Server | Collections\FEP Policies (Folder)\FEP Domain Controller Server
SharePoint Server Policy | FEP Collections\FEP Policies (Folder)\FEP SharePoint Server
SQL Server Policy | FEP Collections\FEP Policies (Folder)\FEP SQL Server

Template settings
All default settings are documented on TechNet -

Changes made to the default template settings

Below are some example settings that we configured for our clients and Configuration
Manager Server (with a local SQL installation). The settings below are in no way the only correct
settings; all policy settings must be discussed internally and match the security policy of the
Common settings for all templates



Windows Firewall
Manager Windows firewall disabled

Common settings for all server policies

Scheduled scans

Default desktop
Scheduled scans
Weekly scan, Friday 09:00 AM


Enabled Scan removable storage devices such as USB flash drives

ConfigMgr Server Policy

Excluded Processes
%ProgramFiles%\Microsoft SQL
%ProgramFiles%\Microsoft SQL
%ProgramFiles%\Microsoft SQL
On the Microsoft TechNet Wiki you can find an updated list of recommended Anti-Virus exclusions for Windows Server.
This list includes, among others:
Windows, Active Directory, Cluster, Forefront, FRS, SQL, IIS, DHCP, SCOM, ConfigMgr, Hyper-V, Exchange, SharePoint, Med-V and App-V


Email settings

Malware Detection Alerts

A mail will be sent whenever malware is detected on a computer.

Forefront Endpoint Protection has detected malware on a computer in your

Detection time (UTC): 4/20/2011 10:55:58 AM
Computer name: client1.petfood.local
Malware name: HackTool:Win32/Mailpassview
To view more information about malware activity in your organization, run a
Computer List Report.
Note: No additional Malware Detection alerts will be generated for this computer for
the next 24 hours.

Malware Outbreak Alert properties

A mail will be sent if more than 5 computers have the same malware detected.

Forefront Endpoint Protection has detected a fast spreading malware on computers in your organization.
Malware name: HackTool:Win32/Mailpassview
Number of computers affected: 6
Detection interval (minutes): 0
To view more information about malware activity in your organization, run an
Antimalware Activity Report.
Note: No additional Malware Outbreak alerts will be generated for this malware for
the next 24 hours.


Repeated Malware Detection Alert

A mail will be sent if the same malware is detected 4 times within 24 on a single

New Multiple Malware Destination Alert

A mail will be sent if multiple malware is detected within 24 on a single computer.


All reports are accessible from http://servername/reports.

DCM Settings
Forefront Clients use desired configuration management to update status information in
Configuration Manager. By default 4 Configuration baselines are created and applied to
specific collections. Baselines written in bold are non-default baselines.

Configuration baseline | Applied Collection
FEP Monitoring Antimalware Status | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date
FEP Monitoring Definitions and Health Status | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date
FEP Monitoring Malware Activity | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date
FEP Monitoring Malware Detections | FEP Collections\Deployment Status\Deployment Succeeded; FEP Collections\Deployment Status\out of date
FEP Standard Desktop | FEP Collections\Deployment Succeeded\Deployed Desktops





Configure WSUS to automatically approve FEP 2010 definition updates
Important: If you install FEP 2010 Update Rollup 1 and configure your environment to
use Configuration Manager as the primary source for your FEP 2010 Definition Updates, you
should not perform the step detailed in this section.
Open the WSUS administrator console.

Select Synchronization schedule and configure 6 synchronizations pr.
Click OK

Click Automatic Approvals.


Create a new rule that will automatically approve all definition
Select When an update is in a specific classification.

Click on the any classification link.

Make sure you only select Definition
Click OK

Select When an update is in a specific product.

Select Forefront Endpoint Protection 2010 and click OK.


Type FEP definitions as the name and click OK (twice).
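
The same WSUS configuration scripted through the WSUS administration API, as an added example that is not part of the original guide: it sets the synchronization count, creates the FEP definitions rule, and reads the rule back to confirm that it approves nothing beyond FEP 2010 definition updates. It assumes the truncated steps above read "per day" and "Definition Updates", and that the rule targets the built-in All Computers group, which the guide does not mention.

```powershell
# Added example, not from the original guide. Run elevated on the WSUS server.
# Skip it if FEP 2010 Update Rollup 1 is installed and Configuration Manager is
# the primary source for FEP definition updates (see the Important note above).
$ErrorActionPreference = 'Stop'

# Values from the steps above; the two marked ones are assumptions.
$RuleName       = 'FEP definitions'
$Classification = 'Definition Updates'                  # assumed full name of the truncated entry
$Product        = 'Forefront Endpoint Protection 2010'
$SyncsPerDay    = 6                                     # assumes "pr." means per day

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Synchronization schedule
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $true
$subscription.NumberOfSynchronizationsPerDay = $SyncsPerDay
$subscription.Save()

# Resolve a title to exactly one object; refuse to continue on zero or several
# matches so the rule can never be saved with a wider scope than intended.
function Select-ExactlyOne {
    param($Items, [string]$Title)
    $hits = @($Items | Where-Object { $_.Title -eq $Title })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one '$Title', found $($hits.Count)."
    }
    $hits[0]
}

$class = Select-ExactlyOne -Items ($wsus.GetUpdateClassifications()) -Title $Classification
$prod  = Select-ExactlyOne -Title $Product -Items (
    $wsus.GetUpdateCategories() | Where-Object { $_.Type -eq 'Product' })

# Reuse the rule if it already exists, otherwise create it.
$rule = $wsus.GetInstallApprovalRules() |
    Where-Object { $_.Name -eq $RuleName } | Select-Object -First 1
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($RuleName) }

$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
[void]$classes.Add($class)
$rule.SetUpdateClassifications($classes)

$products = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
[void]$products.Add($prod)
$rule.SetCategories($products)

# Assumption: approve for the built-in All Computers group.
$allComputers = $wsus.GetComputerTargetGroup(
    [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers)
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($allComputers)
$rule.SetComputerTargetGroups($groups)

$rule.Enabled = $true
$rule.Save()

# Read the rule back and verify its scope: one classification, one product.
$saved = $wsus.GetInstallApprovalRules() |
    Where-Object { $_.Name -eq $RuleName } | Select-Object -First 1
$savedClasses  = @($saved.GetUpdateClassifications() | ForEach-Object { $_.Title })
$savedProducts = @($saved.GetCategories() | ForEach-Object { $_.Title })

if ($savedClasses.Count -ne 1 -or $savedClasses[0] -ne $Classification -or
    $savedProducts.Count -ne 1 -or $savedProducts[0] -ne $Product) {
    $saved.Enabled = $false
    $saved.Save()
    throw "Rule '$RuleName' has an unexpected scope and was disabled."
}

"Rule '{0}' enabled: {1} / {2}, {3} synchronizations per day" -f `
    $RuleName, $savedClasses[0], $savedProducts[0], $SyncsPerDay
```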


FEP 2010 Update Rollup 1 information

The following list is a summary of the updates in FEP 2010 Update Rollup 1:

FEP 2010 client support for the following Windows Embedded 7 client operating systems and Windows Server 2008 Core:
Windows Embedded Standard 7 SP1
Windows Embedded POSReady 7
Windows ThinPC
Windows Server 2008 Server Core (x86 or x64)

Support for enabling deployment of Forefront Endpoint Protection definition updates through Configuration Manager 2007 software update point role

Addition of two new preconfigured policy templates for Microsoft Forefront Threat Management Gateway and Microsoft Lync 2010

Various bug fixes

For a full list of added functionality and fixes, see


Installing FEP 2010 Update Rollup 1

Download FEP 2010 Update Rollup 1 from here:
Note: You must download the following pair of files depending on your servers
You must first install either the x86 or x64 version of the KB2554364 hotfix on the computer
on which the FEP reporting feature is installed. Once this hotfix is installed, it cannot be

Installing the KB2554364 hotfix on the FEP reporting server

Open a Command Prompt with administrative privileges and change your directory to where you have downloaded the FEP 2010 Update Rollup 1 files.
In the Command Prompt window type FEP2010-Update-KB2554364-x64-ENU.EXE and then press Enter
Important: Once this hotfix is installed, it CANNOT be uninstalled
On the Welcome to Reporting Update Setup Wizard page, click


On the Microsoft Software License Terms page, select I accept the software license terms and then click Next

On the Setup Summary page, click

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete page, click Finish
Then restart the machine


Extracting the FEP2010 Update Rollup installation files

Open a Command Prompt with administrative privileges and change your directory to where you have downloaded the FEP 2010 Update Rollup 1 files.
In the Command Prompt window type FEP2010-Update-Rollup-KB2551095-x64-ENU.EXE and then press Enter
In the Choose Directory for Extracted Files window, browse for a location where you want to extract the files and then click OK

On the Extraction Complete window, click OK


Installing the Update Rollup 1 on the Configuration Manager Site server (FepExt)
On the Configuration Manager Site Server, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files.
Double-click the FepExt folder and then double-click the Setup.exe file.

On the Welcome to Update Rollup 1 Setup Wizard page, click Next

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next


On the Setup Summary page, verify the installation options and then click

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete, click



Installing the Update Rollup 1 on the FEP 2010 Reporting Server (FepReport)
On the Server where FEP 2010 Reporting is installed, open Windows Explorer and browse to the directory where you extracted the FEP 2010 Update Rollup 1 installation files.
Double-click the FepReport folder and then double-click the Setup.exe file.

On the Welcome to Update Rollup 1 Setup Wizard page, click Next

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next


On the Setup Summary page, verify the installation options and then click

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete, click



Installing the Update Rollup 1 on the FEP 2010 Console machines (FepUx)
On the machines where the FEP 2010
Console is installed, open Windows
Explorer and browse to the directory
where you extracted the FEP 2010
Update Rollup 1 installation files.
Double-click the FepUx folder and
then double-click the Setup.exe file.

On the Welcome to Update Rollup 1 Setup Wizard page, click Next

On the Microsoft Software License Terms page, select I accept the software license terms and then click Next


On the Setup Summary page, verify the installation options and then click

On the Installation page, verify that the installation completed successfully and then click Next

On the Installation Complete, click



Deploying the FEP 2010 Update Rollup 1 to Clients

A new version of the Configuration
Manager FEP Deployment package
is installed as part of the FEP 2010
Update Rollup 1 update.
Because of the new package, all
computers installed with earlier
versions of the FEP client software will
be members of the Out of Date FEP

In the Configuration Manager console, expand System Center
Configuration Manager, Site
Database, Computer Management
and Software Distribution.
Then click on the Advertisements
Right-click the FEP 2010 Client
installation advertisement and choose


In the Name-of-advertisement window, click on the Schedule tab and then in
the Program rerun behavior box,
select Always run program
Click on OK

Back in the Configuration Manager Console, right-click the FEP 2010 Client
installation advertisement and choose
Re-run Advertisement
In the Re-run Advertisement
window, click Yes

Refresh policy on the FEP 2010 clients or wait for the policy refresh to
automatically occur.
Then check the FEP 2010 client status
in the Configuration Manager Console
by clicking on the Forefront Endpoint
Protection node under System
Center Configuration Manager,
Site Database and Computer


Configuring Configuration Manager 2007 SUP to distribute FEP definition updates to your FEP 2010
Microsoft Forefront Endpoint Protection 2010 Update Rollup 1 includes the Definition
Update Automation tool. This tool enables you to use Configuration Manager 2007
software update points (SUP) to distribute FEP definition updates to your FEP clients.
To configure your environment to use the Definition Update Automation tool, it must
first be downloaded and copied to the Configuration Manager software update point.
The Definition Update Automation tool ( can be downloaded from

On your Configuration Manager SUP, in the location to which you
copied the file,
double-click the
file and right-click on the
e file and choose Extract. Browse to
one of the following locations,
depending on your OS architecture:

%Program Files%\Microsoft

%Program Files(x86)%\Microsoft Configuration

Then click Extract

In the File Download Security
Warning dialog, click Save


In the Configuration Manager console, expand System Center
Configuration Manager, Site
Database, Site Management,
SiteCode SiteName, Site Settings
and then click the Component
Configuration node.
In the details pane of the console,
right-click the Software Update
Point Component and select
In the Software Update Point
Component Properties window, click
on the Classifications tab and select
the checkbox next to Definition


Still in the Software Update Point Component Properties window, click
on the Products tab.
Scroll down to the Forefront group
and select the checkbox next to
Forefront Endpoint Protection
2010 and then click apply OK

Back in the Configuration Manager console, expand Site Database,
Computer Management and
Software Updates
Then right-click the Update
Repository node and select Run

In the Run Update Synchronization dialog box, select Yes


The WSUS synchronization process can be monitored by opening the
wsyncmgr.log file on the
Configuration Manager site server
Wait for the WSUS synchronization to
complete before continuing with the
next steps

Still in the Configuration Manager console, expand the Update
Repository node and right-click it and
select Refresh
Then expand Definition Updates and
Microsoft and then click on the
Forefront Endpoint Protection
2010 node.
In the details pane, click Definition
for Microsoft Forefront Endpoint
Protection 2010 and then select
Download Software Updates

On the Deployment Package page, select Create a new deployment
package and fill in the following
Name: FEP2010_DefUpdates
Description: Definition Updates for
Forefront Endpoint Protection
Package source:
Then click Next
The share for the Package source must be created manually prior to completing this task.

On the Distribution Points page,
click Browse and in the Add
Distribution Points dialog box
expand the CEN (Site code) Node.
Then select the distribution points, i.e.
sccmkbh\sccm_dp$, and then click
Back on the Distribution Points
page, verify that the selected
distribution points are listed and then
click OK and Next
On the Data Access page, click Next

On the Distribution Settings page, click Next


On the Download Location, select Download software updates from the Internet and then click Next

On the Language Selection page, select English and then click Next

On the Summary page, verify the chosen options and then click Next
Note: Wait for the download to


On the Wizard Completed page, verify that the Download Updates Wizard completed successfully and then click Close

Back in the Configuration Manager console; in the details pane, click
Definition for Microsoft Forefront
Endpoint Protection 2010 and
then select Deploy Software
On the General page, in the Name
field type FEP2010_DefUpdates and
then click Next


On the Deployment Template page, select Create a new deployment template and then click Next

On the Collection page, click Browse and in the Browse Collection dialog
box, select the target collection for the
FEP 2010 Definition Updates, i.e. Test,
and then click OK
Back on the Collection page, verify
that the selected collection is listed and
then click Next

On the Display/Time Settings page, select the following settings:
Suppress display notifications on
Client Local time
Duration: 2 Hours
Then click Next


On the Restart Settings page, select the appropriate settings and click Next

On the Event Generation page, select the appropriate settings and click Next

On the Update Binary Download ConfigMgr Client Settings page,
select the following settings:
Download software updates from
distribution point and install
Download software updates from
unprotected distribution point and
Then click Next


On the Create Template page, select Save deployment properties as a
template and in the Template name
field type FEP 2010 Definition
Then click Next

On the Deployment Package page, click Browse and in the Select a
Package dialog box, select the
package for the FEP 2010 Definition
Updates created earlier, i.e.
FEP2010_DefUpdates, and then
click OK
Back on the Deployment Package
page, verify that the selected package
is listed and then click Next

On the Download Location page, select Download software updates
from the Internet and then click
Note: Because all the required
software updates have already been
downloaded, the files will only be
validated and not downloaded again.


On the Language Selection page, select English and then click Next

On the Deployment Schedule page, select As soon as possible and then click Next

On the Summary page, verify the chosen options and then click Next
Note: Wait for the Wizard to complete


On the Wizard Completed page, verify that the Deploy Software
Updates Wizard completed
successfully and then click Close


Configuring FEP 2010 clients to use Configuration Manager as the primary source for definition updates
In the Configuration Manager
console, expand System Center
Configuration Manager, Computer
Management and Forefront
Endpoint Protection
Then click on the Policies node
Right-click the policy, i.e. ConfigMgr
Server Policy (Coretech), and select

In the Name-of-the-policy Properties window, i.e. ConfigMgr
Server Policy (Coretech)
Properties, click on the Updates tab


On the Updates tab in the Name-of-the-policy Properties window, i.e.
ConfigMgr Server Policy (Coretech) Properties, select the Use
Configuration Manager as the primary source for definition
updates check box
Under the Use the following section
to configure alternative sources
heading, in the Every (hours) field,
change the value to 6
Under the Clients will pull updates
from the selected heading,
configure the order in which clients will
pull updates according to your needs
Then click OK
Repeat the above steps for all your FEP
2010 policies where you want to use
Configuration Manager as the primary
source for definition updates


Configuring the FEP 2010 Definition Update Automation

The following two sections describe how to configure the FEP 2010 Definition Update
Automation tool (softwareupdateautomation.exe):

Automating the execution of the FEP 2010 Definition Update Automation tool using
Task Scheduler (Method 1)

Automating the execution of the FEP 2010 Definition Update Automation tool using
Configuration Manager Status Filter Rules (Method 2)

The FEP 2010 Definition Update Automation tool (softwareupdateautomation.exe) automatically
checks the WSUS server for new FEP 2010 definition updates and downloads them. It then
updates your existing FEP 2010 definition updates Deployment Package and Deployment and
refreshes your distribution points.
For this to work properly, the WSUS server must synchronize regularly with Windows Update
so that it learns about new FEP 2010 definitions. That is why both methods use Event ID 6702
as the trigger to execute the softwareupdateautomation.exe file.
Use only one of the described methods when configuring the FEP 2010 Definition Update
Automation tool.


Automating the execution of the FEP 2010 Definition Update Automation tool using Task Scheduler (Method 1)
On your Configuration Manager
SUP, click Start, type task
scheduler and then press Enter

In the Task Scheduler window, in the menu bar, click Action and select
Create Task


In the Create Task window on the General tab, configure the following
Name: FEP_Update_Tool
Description: This task will run the
Definition Update Automation tool
for FEP 2010 updates every 1 hour
Run whether user is logged on or
Then click on the Actions tab
Note: The user account used to run
this task must have the appropriate
Configuration Manager permissions to
update the definition package and
definition assignment specified in the
command line
On the Actions tab, click New


In the New Action window, click Browse and browse to one of the
following two locations, depending
on your OS architecture:

%Program Files%\Microsoft

%Program Files(x86)%\Microsoft Configuration

Then select the

e file and click Open
Still in the New Action window,
type the following information in the
Add arguments (optional) field:
Deployment /PackageName
Package /RefreshDP
Where Deployment is the name of
the software deployment for the
definitions, and Package is the name
of the software package that contains
the definitions

/PackageName FEP2010
DefUpdates /RefreshDP
Then click OK


Click on the Triggers tab and then click New

In the New Trigger dialog box, under Advanced settings, select the check
box for Repeat task every, in the list
click 1 hour, and then next to for a
duration of, click Indefinitely
Then click OK

Still on the Triggers tab, click New


In the New Trigger dialog box, in the Begin the task field, select On an
Under Settings, select the following
from the drop-down box:
Log: Application
Source: SMS Server
In the Event ID field type 6702
Under Advanced settings, ensure
that the Enabled check box is selected
Then click OK twice
In the Task Scheduler password
dialog box, type in the password of the
user account which the task sequence
runs under, then click OK and close
the Task Scheduler


Automating the execution of the FEP 2010 Definition Update Automation tool using Configuration Manager Status Filter Rules (Method 2)
In the Configuration Manager
console, expand System Center
Configuration Manager, Site
Database, <Sitecode - Site
name>, Site Settings
Then right-click the Status Filter
Rules node and select New Status
Filter Rule
On the General page of the New
Status Filter Rule Wizard, type a
name for the new Status Filter Rule,
i.e. FEP 2010 definition update
automation tool
Then select the following fields and
information from the drop-down boxes:
Source: ConfigMgr Server
Message ID: 6702
Then click Next

On the Actions page, select Run a program, and in the Program
field, type the following information:
"D:\Program Files
(x86)\Microsoft Configuration
"FEPDefUpdates" /RefreshDP
The location of the tool is dependent on your OS

%Program Files%\Microsoft

%Program Files(x86)%\Microsoft Configuration

Then click Next

On the Summary page, verify the
chosen options and then click Next

On the Wizard Completed page, verify that the New Status Filter
Wizard completed successfully and
then click Close


Testing the FEP 2010 Definition Update Automation tool

Back in the Configuration Manager
console, expand Site Database,
Computer Management and
Software Updates
Then right-click the Update
Repository node and select Run

In the Run Update Synchronization dialog box, select Yes

The WSUS synchronization process can be monitored by opening the
wsyncmgr.log file on the
Configuration Manager site server
Wait for the WSUS synchronization to
complete before continuing with the
next steps


Open the Task Scheduler and click on the Task Scheduler Library in the
left pane.
Then click on the task in the details
pane that you created earlier, i.e.

Still in the details pane of the Task Scheduler, click on the History tab
and verify that the task was triggered by
the 6702 event.

Open the Event Viewer, expand Windows Logs and then click on
In the details pane, scroll down until
you find 6702 under the Event ID
Click on the event and verify the
information about this event on the
General tab in the lower part of the
details pane
Then close the Event Viewer


Browse to %programdata%, i.e. C:\ProgramData, and open the
file. Look for errors and warnings in the
log file.
You will see something similar to the
message below:
SmsAdminUISnapIn Error 0 :
ContentValid returns true. We wont
download the content again.

This basically means that the FEP 2010 definitions downloaded are up-to-date
and there is no need to download them
again. So it isn't an error for now.
Scroll down to the end of the
file. Look for something similar to the
message below:
SmsAdminUISnapIn Information: 1:SCF session handle {4dc4531e-96f0-4d9c-a990-068100636609} has successfully

This means that the Definition Update Automation tool has
released the Deployment and
Package used for FEP2010 Definition
Updates and that the automatic update
process is working correctly
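
The manual log check described above can be scripted so that the harmless ContentValid entry is not mistaken for a failure and a missing closing entry is noticed. The following Python code is an added example, not part of the original guide or of FEP: it assumes the line layout of the two messages quoted above, the function names are hypothetical, the sample lines are constructed, and the log path must be supplied by the caller because the guide does not name the file.

```python
import re

# Line layout inferred from the two messages quoted in the guide, e.g.
#   SmsAdminUISnapIn Error 0 : ContentValid returns true. ...
#   SmsAdminUISnapIn Information: 1:SCF session handle {...} has successfully
LINE_RE = re.compile(
    r"^(?P<source>\S+)\s+(?P<level>Error|Warning|Information)\s*:?\s*"
    r"(?P<code>\d+)\s*:\s*(?P<message>.*)$"
)

# Error-level entries that the guide explains are harmless.
BENIGN = [re.compile(r"ContentValid returns true", re.IGNORECASE)]

# Closing entry the guide tells you to look for at the end of the log.
RELEASED = re.compile(r"SCF session handle \{[0-9A-Fa-f-]+\} has successfully")


def triage(lines):
    """Classify log lines and decide whether the log looks healthy."""
    result = {"benign": [], "needs_review": [], "unparsed": [],
              "session_released": False}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            result["unparsed"].append(line)  # unknown layout: show, don't guess
            continue
        level, message = match.group("level"), match.group("message")
        if level == "Information":
            if RELEASED.search(message):
                result["session_released"] = True
        elif level == "Error" and any(p.search(message) for p in BENIGN):
            result["benign"].append(message)
        else:
            result["needs_review"].append((level, message))
    result["healthy"] = (result["session_released"]
                         and not result["needs_review"])
    return result


def triage_file(path):
    """Run triage() on a log file; the path is supplied by the caller."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return triage(handle)


# Constructed sample lines modelled on the messages quoted in the guide.
SAMPLE_OK = [
    "SmsAdminUISnapIn Error 0 : ContentValid returns true. "
    "We wont download the content again.",
    "SmsAdminUISnapIn Information: 1:SCF session handle "
    "{00000000-0000-0000-0000-000000000000} has successfully",
]
SAMPLE_BAD = [
    SAMPLE_OK[0],
    "SmsAdminUISnapIn Error 0 : constructed example of an unexpected failure",
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        report = triage(sample)
        print(name, "healthy:", report["healthy"], report["needs_review"])
```

Anything listed under needs_review or unparsed should be read by hand before the automatic update process is considered working.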

