Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration

In Part 1, we installed FEP 2012 on the SCCM 2012 server. Now, it's time to see what changes have been made to the SCCM environment so that we can deploy and configure the FEP environment.

The FEP installation makes a number of changes and additions to the SCCM console. In no particular order they are:

  • Software Library – Packages – FEP Deployment
  • Software Library – Packages – FEP Operations
  • Software Library – Packages – FEP Policies
  • Monitoring – Reporting – Report – Forefront Endpoint Protection (10 new reports)
  • Monitoring – FEP Status
  • Assets and Compliance – Device Collections – FEP Collections (24 new collections)
  • Assets and Compliance – Compliance Settings – Configuration Items (24 new items)
  • Assets and Compliance – Compliance Settings – Baselines (8 new baselines)
  • Assets and Compliance – FEP Policies

Deployment

To get the FEP client out and installed in your SCCM environment, the first stop is the FEP Deployment package in the Software Library, and the Program we're interested in is "Install".

The FEP 2012 server installation automatically creates programs for deployment

By default this package can't be integrated into an OSD task sequence because it's configured to run only when a user is logged on. To change this (without impacting any other functionality):

  1. Right-click the "Install" program and select Properties
  2. Go to the Environment tab
  3. Change the "Program can run" value to "Whether or not a user is logged on" from the dropdown list
  4. Hit Apply and OK

Modify the FEP 2012 install program to support SCCM OSD

Now, to deploy the FEP 2012 client via an OSD task sequence, simply edit the task sequence and select Add – General – Install Package. Then select the "Microsoft Corporation FEP – Deployment 1.0" package and the "Install" program. Position the step somewhere near the end of the sequence, and then hit Apply and OK to save the changes. FEP 2012 will now be installed on every new installation built from this OSD task sequence.

Create an OSD step to deploy FEP as a base SOE application

To deploy FEP outside of an OSD task sequence, simply create a new deployment for the "Install" program. To do this:

  1. Right-click on "Install" and select "Deploy"
  2. Select an appropriate collection and Distribution Point
  3. Choose the deployment priority
  4. Choose an appropriate deployment schedule
  5. Finalize the wizard

By default, the installation program does not display a UI, so your users won't be confronted with popup windows that would spark frantic calls to the helpdesk.

Configuration

Now that FEP 2012 is installed, how does it behave and how do you control it?

FEP functionality works via workstation collection membership – default policies are deployed via the Software Library to collections whose membership is kept up-to-date dynamically via SCCM discovery methods. Admins don't actually need to do anything to ensure that FEP is deployed and updated correctly, as there's enough default functionality in the system to guarantee that this happens automatically. Here's how the process works:

  1. Using OSD or a standalone deployment, the FEP 2012 client is distributed to workstations and/or servers
  2. Using WQL queries, two device collections dynamically update their membership based on FEP installations. These collections are:
    1. Desktops Deployed with FEP
    2. Servers Deployed with FEP
  3. Using cscript.exe, default FEP policies are deployed via the Software Library as programs. These deployments are automatically set up during the FEP 2012 server installation so they're ready to go from the outset.
    1. "Default Desktop Policy" is deployed to "Desktops Deployed with FEP"
    2. "Default Server Policy" is deployed to "Servers Deployed with FEP"
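As an added example (not from the original post and not FEP's own code), here is how a query-based collection in the style of "Desktops Deployed with FEP" can be built with the ConfigMgr PowerShell cmdlets, together with the inverse collection an administrator wants for coverage checks: workstations with a healthy SCCM client that still lack the FEP client. The site code "P01", the Add/Remove Programs display-name pattern, and the availability of the cmdlets (SCCM 2012 SP1 or later, run where the console is installed) are assumptions.

```powershell
# Assumptions: ConfigMgr PowerShell module present (SCCM 2012 SP1+), site code P01,
# and the FEP client registers in Add/Remove Programs under the prefix below.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'P01:'

$fepProduct = 'Microsoft Forefront Endpoint Protection%'   # assumed DisplayName prefix

# Systems whose hardware inventory reports the FEP client. Needs the Add/Remove
# Programs inventory class; on x64 hosts the entry may instead appear in
# SMS_G_System_ADD_REMOVE_PROGRAMS_64, in which case join that class as well.
$withFep = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS
  on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "$fepProduct"
"@

# Inverse: workstations with an active SCCM client and no FEP entry in inventory.
# This should drain to empty once deployment completes; residual members are the
# machines the Install program never reached or failed on.
$withoutFep = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
where SMS_R_System.Client = 1
  and SMS_R_System.OperatingSystemNameandVersion like "%Workstation%"
  and SMS_R_System.ResourceId not in
      (select ResourceID from SMS_G_System_ADD_REMOVE_PROGRAMS
       where DisplayName like "$fepProduct")
"@

# Re-evaluate membership every 4 hours so the collections track new installs.
$schedule = New-CMSchedule -RecurInterval Hours -RecurCount 4

foreach ($c in @(
    @{ Name = 'Desktops with FEP client (inventory)'; Query = $withFep },
    @{ Name = 'Desktops missing FEP client';          Query = $withoutFep })) {
    New-CMDeviceCollection -Name $c.Name -LimitingCollectionName 'All Systems' `
        -RefreshType Periodic -RefreshSchedule $schedule | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $c.Name `
        -RuleName 'FEP inventory' -QueryExpression $c.Query
}

# Review the gap list before assuming the fleet is protected.
Get-CMDevice -CollectionName 'Desktops missing FEP client' | Select-Object Name
```

Inventory lags the actual install by one hardware inventory cycle, so a freshly imaged machine can sit in the "missing" collection for a few hours before it moves across.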

The default policies are located at Assets and Compliance – FEP Policies, and handle every aspect of FEP client functionality, including definition and client updates.

Default FEP policies centrally control every aspect of the client

By default, the client is directed to look at WSUS and Windows Update for updates, so as long as the workstation or server can reach either a WSUS server or the internet, the FEP client will not be deployed without also being fully up to date.

Now that FEP is deployed and functional, watch out for Part Three where we'll look at how you can actively ensure that your fleet stays updated and protected.