This tutorial describes how to integrate Forefront Endpoint Protection (FEP) 2012 in System Center Configuration Manager (SCCM) 2012.

With the move away from Forefront Client Security to Forefront Endpoint Protection, Microsoft did away with the MOM backend and instead made use of the infrastructure available to System Center Configuration Manager to install, manage and deploy FEP.

In spite of the similarities of the underlying infrastructure between SCCM 2007 and SCCM 2012, FEP 2010 does not integrate with SCCM 2012 because one of the installation prerequisites is the presence of the SCCM 2007 administrative console. From discussions with product experts within Microsoft, it seems that FEP 2010 will not be updated to install on SCCM 2012, so FEP 2012 (which is in beta at the time of writing) will be the first enterprise AV product from Microsoft which will integrate fully with SCCM 2012.

Installing Forefront Endpoint Protection 2012

Forefront Endpoint Protection 2012 is currently in beta and can be downloaded directly from Microsoft.

To install FEP 2012, you’ll need to have SCCM 2012 installed and configured. In addition, the SQL server which is acting as the SCCM site database server must also have the following installed or enabled:

  • .NET Framework 4.0 on both the SCCM and SQL servers
  • Microsoft IIS (default role properties)
  • Microsoft SQL Analysis services
  • Microsoft SQL Reporting services
  • Reporting services point site system role installed on the SQL server via the SCCM 2012 console

Additionally, the IIS server needs an appropriate certificate to run SSL on port 443, so that the reporting services URL and the SQL TCP connection can be secured.
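
The following PowerShell preflight check is an added example, not part of the original tutorial or of FEP setup; it verifies the prerequisites listed above when run in an elevated session on the SQL server. It assumes a default SQL instance (service names MSSQLServerOLAPService and ReportServer), English netsh output and a certificate in the LocalMachine\My store, and it does not check the reporting services point role.

```powershell
# Added example: preflight check for the FEP 2012 prerequisites on the SQL server.
# Assumption: default SQL instance. Named instances use the service names
# MSOLAP$<instance> and ReportServer$<instance> instead.

function Test-ServiceRunning([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

function New-CheckResult([string]$Check, [bool]$Passed) {
    return New-Object PSObject -Property @{ Check = $Check; Passed = $Passed }
}

$results = @()

# The .NET Framework 4.0 full profile sets Install = 1 under this key.
$net4 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
    -ErrorAction SilentlyContinue
$results += New-CheckResult '.NET Framework 4.0' ($net4 -ne $null -and $net4.Install -eq 1)

# IIS, SQL Analysis Services and SQL Reporting Services must be running.
$results += New-CheckResult 'IIS (W3SVC)' (Test-ServiceRunning 'W3SVC')
$results += New-CheckResult 'SQL Analysis Services' (Test-ServiceRunning 'MSSQLServerOLAPService')
$results += New-CheckResult 'SQL Reporting Services' (Test-ServiceRunning 'ReportServer')

# A certificate must be bound to port 443 and be inside its validity period.
$bindings = netsh http show sslcert | Out-String
$certOk = $false
if ($bindings -match '(?s):443\s.*?Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
    $thumb = $Matches[1]
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    $now = Get-Date
    $certOk = ($cert -ne $null -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
}
$results += New-CheckResult 'Valid certificate bound to port 443' $certOk

$results | Format-Table Check, Passed -AutoSize

# Non-zero exit code if any prerequisite is missing, for use in scripted checks.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```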

This installation was run in a lab environment running on Hyper-V.

From the SCCM server, run serversetup.exe from the folder which relates to the appropriate operating system type (i.e. 32-bit or 64-bit), then fill in the identification information:

Forefront Endpoint Protection 2012 Installation – Name and Organization

Then, be incredibly conscientious and read the EULA (or not):

Forefront Endpoint Protection 2012 Installation – EULA

Next, choose the installation type. The “Basic topology” option installs everything you’ll need for a full FEP environment, including server and console extensions as well as reporting services and reports. Additionally, this installation makes use of the existing SCCM environment to target the right servers (e.g. the SQL server). There may be times when you would want to target different SQL servers or perform a fully customised installation, but for our lab purposes the “Basic topology” option is sufficient.

Forefront Endpoint Protection 2012 – Installation Options

Next, make sure that the SQL Reporting Server URL is correct, and select an account with sufficient access to run reports. In the lab environment I used a domain admin account, which isn’t recommended in an enterprise environment, where a dedicated account with only the access needed to run reports is the safer choice.

Caption: FEP 2012 Installation – SQL report execution account

It’s worth ensuring that the system is using Windows Update to automatically keep FEP 2012 up to date (the FEP 2012 client will also be installed on the system as part of the installation). Joining the Customer Experience Improvement Program (CEIP) is always worth it: Microsoft does actually receive the information and uses the metrics to improve current and future products.

Forefront Endpoint Protection Installation - Updates and Customer Experience Options

For the same reason, it’s worth signing up to Microsoft SpyNet:

Forefront Endpoint Protection Installation - SpyNet Configuration Policy

Before commencing the installation, serversetup.exe will run through all the prerequisites and verify that the environment is correct. If any check fails, the issue as well as the documented fix will be displayed in the console. At this point you can remediate the issue and simply re-run the checker; you don’t need to start the installation process over again.

Forefront Endpoint Protection Installation - Prerequisite Verification

Once all the prerequisites are met, installation starts.

Forefront Endpoint Protection Installation - Installation

Once complete, you’ll now have FEP 2012 functionality integrated into the SCCM 2012 console. In the Monitoring → FEP Status screen you get an overview of the health of your organization, in Reporting there is now a Forefront Endpoint Protection folder with pre-defined reports, and in Software Library the FEP 2012 client is available for deployment.

Forefront Endpoint Protection Installation- Configuration Manager Integration

In Part Two we will look at deploying the FEP client, enforcing compliance in your organization and reporting on the health of your workstations.

1 Comment
  1. Scott R Davis 10 years ago

    You might want to add a note after the last step that FEP Status will only show on the server or computers with the extension for FEP installed.

© 4sysops 2006 - 2021
