By Alon Rosental
So now that you’ve downloaded Forefront Endpoint Protection Beta 2010, the next step would be to plan your deployment and get the Forefront Client in your Configuration Manager environment.
This post will focus on how to deploy Forefront Endpoint Protection client to a collection of computers using your existing Configuration Manager infrastructure, how to switch to Forefront Endpoint Protection from an existing deployed antimalware product and how to validate client deployment.
Before deploying Forefront Endpoint Protection in your environment, it is recommended that you review the planning and architecture guide. Also, please refer to the installation guide for information on how to install Forefront Endpoint Protection in your existing Configuration Manager environment.
Note: if you’re interested in manually deploying Forefront Endpoint Protection client to machines that are not managed using Configuration Manager, please refer to the manual deployment instructions.
Once you have installed Forefront Endpoint Protection in your Configuration Manager environment, you can perform a set of additional tasks using the existing Configuration Manager infrastructure:
- Deploy Forefront Endpoint Protection clients to collections
- Create or modify Forefront Endpoint Protection policies
- Assign Forefront Endpoint Protection policies to collections
- Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard
- Configure Forefront Endpoint Protection alerts
Overview of client deployment
Deployment of Forefront Endpoint Protection to clients is comprised of the following set of tasks:
- Create policies - author policies according to organization requirements, set the precedence of policies, and then assign the policies to a collection of computers. For more information, see Creating and Deploying Policies.
- Create an advertisement for the Forefront Endpoint Protection Install program for a designated group of computers, and configure the advertisement settings to control schedule and recurrence
- Track the deployment progress and verify deployment succeeded
Once you have completed the tasks of policy creation and assignment, you’re ready to deploy Forefront Endpoint Protection client to computers.
But then again, what happens if there’s a different antimalware product deployed on the computers you’re targeting that needs to be replaced with Forefront Endpoint Protection client?
In case the designated computers are already running a previous version of Forefront Client Security or a different 3rd party antimalware product, Forefront Endpoint Protection client setup will uninstall these clients prior to installation.
This automation is intended to simplify and reduce the cost of the deployment process by eliminating the need to author custom scripts to orchestrate the process of replacing products.
Forefront Endpoint Protection detects and attempts to uninstall the following products:
- Symantec Endpoint Protection version 11
- Symantec Endpoint Protection Small Business Edition version 12
- Symantec Corporate Edition version 10
- McAfee VirusScan Enterprise version 8.7 and version 8.5
- TrendMicro OfficeScan version 8.0 and version 10.0
- Forefront Client Security version 1
Deployment Integration with Configuration Manager
This release of Forefront Endpoint Protection includes a Configuration Manager package that contains the Forefront Endpoint Protection client installation program. To deploy the Forefront Endpoint Protection package, you can use the Configuration Manager Software Distribution functionality, propagate the package data to one or more distribution points, and then create advertisements that specify which collections will receive the program and the package.
Advertising the program makes a program available to a specified collection of clients. It is strongly recommended that you test advertised programs in a controlled environment before you create advertisements for the clients in your site hierarchy.
There are multiple ways to distribute the Forefront Endpoint Protection client software to client computers using the Configuration Manager tools. This post provides the steps for one of the deployment methods. For information about other distribution methods, see Software Distribution in Configuration Manager.
Step by step deployment instructions
- In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Collections.
- Right-click the collection to which you want to deploy clients, for example, All Systems, point to Distribute, and then click Software.
- The Distribute Software to Collection Wizard opens.
- On the Welcome page, click Next.
- On the Package page, click Select an existing package, click Browse, click the Microsoft Corporation Forefront Endpoint Protection 2010 – Deployment 1.0 All package, click OK, and then click Next.
- On the Distribution Points page, select the distribution points for the package, and then click Next.
- Configuration Manager uses distribution points to store the files needed by the Forefront Endpoint Protection client installation package in order for the installation program to run on client computers. In essence, they function as distribution centers for the files that the Forefront Endpoint Protection client installation package uses, allowing users to download and run the installation program when the package is advertised. For more information, see About Distribution Points.
- On the Select Program page, select the Install program, and then click Next.
- On the Advertisement Name page, enter a name that is less than 100 characters, and then click Next.
- On the Advertisement Sub collection page and on the Advertisement Schedule page, make your selections, and then click Next.
- On the Assign Program page, select Yes, assign the program and select the Ignore maintenance windows when running program check box, and then click Next.
- On the Summary page, review the Details, and then click Next.
- On the Wizard Completed page, click Close.
- If necessary, modify the advertisement configuration to suit your environment. You might want to do this in order to set the program rerun behavior to a value other than the default, rerun if failed previous. For information, see How to Modify an Advertisement.
Once you’ve deployed the Forefront Endpoint Protection clients, the next step would be to track the deployment progress and verify that deployment succeeded.
To read additional information about installing and configuring FEP, see the TechNet documentation (http://technet.microsoft.com/en-us/library/ff823816.aspx).
- Prior to deploying Forefront Endpoint Protection, verify that you have configured WSUS so that it is synchronizing Updates and Definition Updates. After updates have been synchronized to your WSUS server, clients can connect to the WSUS server to check for applicable updates. Updates will only be offered to clients when they are approved for installation and when the binary download is completed on the WSUS server. Approve the updates for all computers to which you will deploy Forefront Endpoint Protection by configuring an automatic approval rule.
- If you are using a mechanism to automatically distribute and install an antimalware solution to your client computers, you need to disable automatic installation before you install Forefront Endpoint Protection. For example, if you use WSUS to distribute Forefront Client Security (FCS) to your endpoints, before you install Forefront Endpoint Protection, you need to configure WSUS to not automatically reinstall FCS.
Tracking and verifying deployment
To verify that your installation was successful, do the following:
- On the computer where you installed Forefront Endpoint Protection, click Start, click Control Panel, click Programs, click Programs and Features, and then verify that Microsoft Forefront Endpoint Protection 2010 is listed.
- On the computer running Configuration Manager, in the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand System Status, select Advertisement Status, and then review the statistics of the following advertisements:
- Forefront Endpoint Protection 2010 – Deployment - Install to <Target Collection Name>
- Assign FOREFRONT ENDPOINT PROTECTION Policy <Policy Name> to collection <Target Collection Name>
Advertisement statistics are based on data gathered by Configuration Manager at scheduled intervals, and may not reflect the most recent Forefront Endpoint Protection Client deployment information.
- In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, click Forefront Endpoint Protection 2010, and then review the Clients Deployment Status report.
Dashboard statistics are based on data gathered by Configuration Manager at scheduled intervals, and may not reflect the most recent Forefront Endpoint Protection Client deployment information.
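The Programs and Features check above, combined with the product replacement described earlier, can also be scripted on a client so that a machine left with both the old and the new antimalware client is flagged. The following PowerShell is an added example, not part of the original post or of Forefront Endpoint Protection; the function names and the display-name patterns for the replaced products are assumptions to adjust for your environment.

```powershell
# Added example: local check for the state the post's verification steps describe.
# The display-name patterns for the replaced products are assumptions; match them
# to the names shown in Programs and Features in your environment.
$FepName = 'Microsoft Forefront Endpoint Protection 2010'
$ReplacedPatterns = @(
    'Symantec Endpoint Protection*',
    'Symantec AntiVirus*',                  # assumed name for Corporate Edition 10
    'McAfee VirusScan Enterprise*',
    'Trend Micro OfficeScan*',
    'Microsoft Forefront Client Security*'
)

function Get-InstalledDisplayName {
    # Programs and Features is backed by the Uninstall registry keys; read both
    # the native view and the 32-bit (WOW6432Node) view.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { $_.DisplayName } |
        Sort-Object -Unique
}

function Test-FepDeployment {
    param([string[]]$DisplayName)
    $leftover = @($DisplayName | Where-Object {
        $name = $_
        @($ReplacedPatterns | Where-Object { $name -like $_ }).Count -gt 0
    })
    $fep = $DisplayName -contains $FepName
    New-Object PSObject -Property @{
        FepInstalled = $fep
        Leftover     = $leftover
        Healthy      = ($fep -and ($leftover.Count -eq 0))
    }
}

# Constructed sample: FEP is installed but a replaced client is still present.
$sample = @('Microsoft Forefront Endpoint Protection 2010', 'Symantec Endpoint Protection', '7-Zip')
Test-FepDeployment -DisplayName $sample

# Live check on the local computer.
Test-FepDeployment -DisplayName (Get-InstalledDisplayName)
```

A result with FepInstalled true and a non-empty Leftover list means the machine is worth a closer look before you rely on the advertisement status alone.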
Looking forward to your feedback - head over to the TechNet forums (http://social.technet.microsoft.com/Forums/en-us/FCSNext/threads) to let us know what you think.
Alon Rosental, Program Manager – Forefront Endpoint Protection