Microsoft Forefront Endpoint Protection 2010

ciggwin

Supreme [H]ardness
Joined
May 30, 2006
Messages
4,861
Announcing Forefront Endpoint Protection 2010!

We are extremely excited to announce that Forefront Endpoint Protection 2010 (FEP) has released to manufacturing! Customers can access the RTM release on the Microsoft Volume Licensing Service Center (VLSC) starting Jan. 1, 2011 -- or try the evaluation version immediately.

This is our first – and very significant – step in making the convergence of desktop security and management a reality. Customers using System Center Configuration Manager 2007 can now quickly and efficiently deploy, configure, manage, update, and report on FEP protections, helping to lower infrastructure costs and improve overall security. And since both products are included in the Enterprise CAL (ECAL), customers who purchase ECAL automatically get access to all the licenses they need to implement the solution. To make deployment easier, FEP will even identify and replace the existing antimalware agents you may have previously installed.

Customers have already begun seeing the advantages of bringing together powerful antimalware protection with their existing infrastructure for deploying, patching, and updating client systems. A large university medical center that participated in our Technology Adoption Program (TAP) said the following about their experience using FEP in their 50,000 desktop environment:

“We’re primarily a paperless organization. We need 100% uptime so that medical records, prescriptions, and all other documentation is available to our healthcare professionals. The single console for Forefront Endpoint Protection 2010 [and System Center Configuration Manager 2007] gives me a view of our whole system and ensures that we can handle threats before they become an issue.”

There are a ton of new features to explore in this new release including award-winning antimalware protection (FEP uses same engine as Microsoft Security Essentials), vulnerability shielding, Windows firewall management, and, of course, integration with System Center Configuration Manager 2007. You can find more product details on our Web site or TechCenter. And for more information about convergence, please visit our new Windows Optimized Desktop page.

We hope that you will give FEP a test drive soon!

Does this mean I should wait to purchase? I was ready to pull the trigger today on Microsoft Forefront Client Security... this is the new and improved (and branded) MFCS. My trial runs out in a few days, so I have a bit of a gap between my trial running out and FEP being released on 1/1/11.

http://www.microsoft.com/forefront/endpoint-protection/en/us/

 
I still hate how they don't make something for the small business people. Need SQL or the SCCM..
 
Yes, you will want to wait.

And it requires SCCM which requires SQL. so you need both :)
 
According to my rep MFCS comes with Software Assurance... but maybe I will install FEP trial for now and wait for 1/1/11 to buy. According to microsoft.com it is going to be cheaper per user @ $8.64 ($12.72 now) - but I don't see anything about a Management Console which is currently $98/year.

 
I verified yesterday that I definately have SA on FCS, but I'm still waiting for FEP to show up in my Licensing Console.

Has it showed up for anyone else yet?
 
I wasn't directly involved with it, but we downloaded RTM and upgraded our RC installs on Monday.
 
I still hate how they don't make something for the small business people. Need SQL or the SCCM..

We're currently running FFCS and would like to upgrade but SCCM is too big for our environment. Now if FFEP would work with SCE, we'd be thrilled.
 
We're currently running FFCS and would like to upgrade but SCCM is too big for our environment. Now if FFEP would work with SCE, we'd be thrilled.

We are about 55 users and I am looking at SCCM 2007 R3 w/ SQL (no SA) for around $1300 and 3 years of FEP licenses for just under $1800. So for 3 years @ 55 users, $3100 isn't bad IMO.

As of today or yesterday it seems their license cost went up from $8.64 to $10.20

 
Last edited:
How good is this forefront stuff? IS it worth the effort to setup?
 
I had it running when I had my 2010 exchange box up, the e-mail accounts were recieving a large number of spam, viruses, ect. For just a few e-mail accounts, forefront did require some hp to run. But it really did stop a lot of the crap in its tracks.
 
I am dong a pilot right now in my env. So far it is working great. Substantially better than the previous version and having it in the sccm console is very nice. If you already have a config manager environment w/ reporting services the setup is extremely easy. Though if you are new to sccm and have no environment You will have alot to setup.
 
I am dong a pilot right now in my env. So far it is working great. Substantially better than the previous version and having it in the sccm console is very nice. If you already have a config manager environment w/ reporting services the setup is extremely easy. Though if you are new to sccm and have no environment You will have alot to setup.

Can you expand on that at all?

Once you get the SCCM set up, how do you get the actual product of Forefront Endpoint Protection on there? And how do you get it to deploy the client to the machines? Is it a GPO like in Forefront Client Security?
 
Can you expand on that at all?

Once you get the SCCM set up, how do you get the actual product of Forefront Endpoint Protection on there? And how do you get it to deploy the client to the machines? Is it a GPO like in Forefront Client Security?

Found answers to many of my basic questions here:
http://technet.microsoft.com/en-us/library/ff823816.aspx

Including finding out that it uninstalls Microsoft Forefront Client Security during the install of the Forefront Endpoint Protection client. :D

 
Can you expand on that at all?

Once you get the SCCM set up, how do you get the actual product of Forefront Endpoint Protection on there? And how do you get it to deploy the client to the machines? Is it a GPO like in Forefront Client Security?

Well you run the installer of course :) But there are many pre-reqs you must have in place inorder for that installer to get past the prereq check stage. The big ones are: You need to be at SP2, you need to have sql reporting services fully setup, and there are a few hotfixes and sql libs you need to have installed as well. As for getting the client on the machines well you go through sccm's software deployment as you would expect. Policies are sent via software deployment as well or can be done via a GPO ADMX for more granularity.

If you have never setup sccm before I would suggest starting there. Setup sccm, test setting up the sccm client on computers and then lean how software distribution works by using collections, packages, distribution points, and advertisements. Once you get that far you will have all the knowledge you need to then deploy the FEP client. Like I said, if you have never touched sccm, there is alot of learning to be had.
 
Got SCCM 2007 R2 SP2 installed, got FEP 2010 installed...
Got my collections working based on OU...
Set up a policy, linked it to the collection...
Created an advertisement...

Shit just sits there. This is the biggest pain in the ass I've ever come across. From installation of SCCM to fixing all the prerequisite issues to getting FEP installed to figuring out how to get the collections working to trying to deploy the client software... I want to tell MSFT to give me my money back. Forefront Client Security was SO EASY - this is like 20 times harder to figure out.

If anyone considers themselves knowledgeable about SCCM 2007 or FEP 2010 ... I am begging you ... please help me. 4.5 hours on it today alone and I am completely stumped.

 
Last edited:
So you have created an advertisement for the fep deployment, targeting a collection that has valid members. Did you set a mandatory assignment on the advertisement? Did you make sure to add the FEP package to your distribution point? Have you deployed the sccm client successfully to your test workstations (manual, gpo, or software update)?
 
I'll try to outline what I did in some detail and include anything I think is relevant...

Installed Forefront Endpoint Protection (FEP) on the SCCM server and opened Configuration Manager Console (CMC). The first thing I did was get the collections working. I had to enable Discovery Methods for System as well as for System Group so I could get the OU information, because I need to create collections based on OU for my deployments. I suppose I don't HAVE to do it this way but it should work this way.

Once the System Group discovery was going I think I was getting results in the "OU Desktops" collection but they were not "Assigned" so I found out that I had to create a Boundary, so I created a Boundary with a type of "Active Directory site". One thing I have considered because I saw it online somewhere is to change this to an IP based Boundary but I have not tried it yet. Once the Boundary was set I refreshed my discovery and my OU Desktops collection and the 5 desktops that are in that OU show up just fine and they are all marked "Yes" in the "Assigned" column.

At this point it was on to tying the FEP policy to the collection. I did this by copying the default policy that ships with FEP, modifying a few things, and renaming it as "Default Computer Policy". So this policy is now tied to my "OU Desktops" collection. Then from reading the documentation on Technet Library I was to right click the collection, choose Distribute, then Software. I did this and went through to create the advertisement. I made it mandatory and I checked the box to add the server as a distribution point. I went through the rest of the setup for that, and everything looked OK. I clicked Finish and waited... but nothing happened.

So to answer your last question, no, I have not deployed anything successfully to my test workstations - is the SCCM client different than the FEP client? Do I need to deploy the SCCM client? I have no idea what that is.

Some logs...

"System Status | Advertisement Status | FEP - Deployment - Install to OU Desktops" has 0 for Received, Failures, Programs Started, Program Success, Program Errors (MIF), Program Success (MIF) and the Summary Date is 2/10/2011 12:43 PM

"Package Status | Microsoft Corporation FEP - Deployment 1.0" has Source Version: 7, Targeted: 1 (I am guessing my SCCM server), Installed: 1 (I am guessing my SCCM server), Retrying: 0, Failed: 0, Summary Date: 2/10/2011 12:43 PM

The last few messages (oldest on bottom) in Package Status:

(2:17 PM) User "xxx\administrator" modified the advertisement properties of an advertisement named "FEP - Deployment - Install to OU Desktops" (BOS20009) advertising program "Install".
(2:16 PM) User "xxx\administrator" modified the advertisement properties of an advertisement named "FEP - Deployment - Install to OU Desktops" (BOS20009) advertising program "Install".
(12:43 PM) SMS Distribution Manager successfully processed package "FEP - Deployment" (package ID = BOS00004).
(12:43 PM) SMS Distribution Manager is beginning to process package "FEP - Deployment" (package ID = BOS00004).
(12:43 PM) SMS Distribution Manager successfully processed package "FEP - Deployment" (package ID = BOS00004).
(12:43 PM) SMS Distribution Manager successfully distributed package "BOS00004" to distribution point "["Display=\\MFEP\"]MSWNET:["SMS_SITE=BOS"]\\MFEP\".
(12:43 PM) SMS Distribution Manager copied package "BOS00004" from "C:\_S Mi76d.TMP\" to "MSWNET:["SMS_SITE=BOS"]\\MFEP\SMSPKGC$\BOS00004\".
(12:43 PM) SMS Distribution Manager decompressed package "BOS00004" from "C:\SMSPKG\BOS00004.PKG" to "C:\_S Mi76d.TMP".
(12:43 PM) SMS Distribution Manager is starting to distribute package "FEP - Deployment" to distribution point "["Display=\\MFEP\"]MSWNET:["SMS_SITE=BOS"]\\MFEP\".
(12:43 PM) SMS Distribution Manager is beginning to process package "FEP - Deployment" (package ID = BOS00004).

One other thing I noticed is that in the collection "FEP Collections" under "Deployment Status" all 5 of these machines are listed as "Not Targeted"

I applied the policy to the Collection... so I have no idea why they are "Not Targeted" for FEP.

ANOTHER PROBLEM I am having is that during "Validating Deployment" (http://technet.microsoft.com/en-us/library/ff823784.aspx) I get stuck on "In the Links and Resources pane, under Web Reports , click Deployment Overview to generate the Deployment Overview report." because when I click "Deployment Overview" it brings up the Report Options window and there is nothing to select in either the "Reporting Services Reporting" drop-down nor is there anything to select in the "Classic Reporting" drop-down. That is, I think, a minor issue at this point, but one that I will eventually need to solve.

 
I moved my conversation with ciggwin to private channels as setup from a fresh sccm is very involving. If anyone is also setting this up and needs help throw me a pm.
 
Back
Top