In this tutorial you will learn how to deploy and configure Forefront Endpoint Protection (FEP) 2012 with System Center Configuration Manager (SCCM) 2012.

In Part 1, we installed FEP 2012 on the SCCM 2012 server. Now, it’s time to see what changes have been made to the SCCM environment so that we can deploy and configure the FEP environment.

The FEP installation makes a number of changes and additions to the SCCM console. In no particular order they are:

  • Software Library – Packages – FEP Deployment
  • Software Library – Packages – FEP Operations
  • Software Library – Packages – FEP Policies
  • Monitoring – Reporting – Report – Forefront Endpoint Protection (10 new reports)
  • Monitoring – FEP Status
  • Assets and Compliance – Device Collections – FEP Collections (24 new collections)
  • Assets and Compliance – Compliance Settings – Configuration Items (24 new items)
  • Assets and Compliance – Compliance Settings – Baselines (8 new baselines)
  • Assets and Compliance – FEP Policies



To get the FEP client installed in your SCCM environment, the first stop is the FEP Deployment package in the Software Library, and the program we’re interested in is “Install”.


The FEP 2012 server installation automatically creates programs for deployment

By default, this package can’t be integrated into an OSD task sequence because it’s configured to run only when a user is logged on. To change this (without impacting any other functionality):

  1. Right-click the “Install” program and select Properties
  2. Go to the Environment tab
  3. Change the “Program can run” value to “Whether or not a user is logged on” from the dropdown list
  4. Hit Apply and OK


Modify the FEP 2012 install program to support SCCM OSD
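The same change can be scripted, which helps when it has to be repeated or verified across sites. This is an added example, not part of the original tutorial; it assumes the ConfigurationManager PowerShell module (shipped with the console from Configuration Manager 2012 SP1 onward), and the site code and package name are placeholders to adjust to your environment.

```powershell
# Added example: scripted equivalent of steps 1-4 above.
# Assumptions: run on a machine with the Configuration Manager console installed
# (module available from 2012 SP1); $SiteCode and $PackageName are placeholders.
$SiteCode    = 'XXX'                # placeholder: your three-character site code
$PackageName = 'FEP - Deployment'   # assumption: package name as listed under Software Library - Packages
$ProgramName = 'Install'

# The module sits one folder above the console binaries referenced by SMS_ADMIN_UI_PATH.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')

Push-Location "$($SiteCode):"
try {
    # Refuse to change anything unless exactly one matching program is found.
    $programs = @(Get-CMProgram -PackageName $PackageName -ProgramName $ProgramName)
    if ($programs.Count -ne 1) {
        throw "Expected one '$ProgramName' program in '$PackageName', found $($programs.Count)."
    }

    # Equivalent of Environment tab > "Program can run" > "Whether or not a user is logged on".
    Set-CMProgram -PackageName $PackageName -ProgramName $ProgramName -StandardProgram `
                  -ProgramRunType WhetherOrNotUserIsLoggedOn

    # Re-read the program so the change is confirmed from the site, not assumed.
    Get-CMProgram -PackageName $PackageName -ProgramName $ProgramName |
        Select-Object PackageID, ProgramName,
            @{ Name = 'ProgramFlagsHex'; Expression = { '0x{0:X8}' -f $_.ProgramFlags } }
}
finally {
    Pop-Location
}
```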

Now, to deploy the FEP 2012 client via an OSD task sequence, simply edit the task sequence and select Add – General – Install Package. Then select the “Microsoft Corporation FEP - Deployment 1.0” package and the “Install” program. Position the step somewhere near the end of the sequence, and then hit Apply and OK to save the changes. FEP 2012 will now be installed on all new installations performed with this OSD task sequence.


Create an OSD step to deploy FEP as a base SOE application

To deploy FEP outside of an OSD task sequence, simply create a new deployment for the “Install” program. To do this:

  1. Right-click on “Install” and select “Deploy”
  2. Select an appropriate collection and Distribution Point
  3. Choose the deployment priority
  4. Choose an appropriate deployment schedule
  5. Finalize the wizard

By default, the installation program does not display a UI, so your users won’t be confronted with popup windows that spark frantic calls to the helpdesk.


Now that FEP 2012 is installed, how does it behave and how do you control it?

FEP functionality works via workstation collection membership – default policies are deployed via the Software Library to collections whose membership is kept up-to-date dynamically via SCCM discovery methods. Admins don’t actually need to do anything to ensure that FEP is deployed and updated correctly, as there’s enough default functionality in the system to guarantee that this happens automatically. Here’s how the process works:

  1. Using OSD or a standalone deployment, the FEP 2012 client is distributed to workstations and/or servers
  2. Using a WQL query, two device collections dynamically update membership based on FEP installations. These collections are:
    1. Desktops Deployed with FEP
    2. Servers Deployed with FEP
  3. Using cscript.exe, default FEP policies are deployed via the Software Library as programs. These deployments are automatically set up during the FEP 2012 server installation so they’re ready to go from the outset.
    1. “Default Desktop Policy” is deployed to “Desktops Deployed with FEP”
    2. “Default Server Policy” is deployed to “Servers Deployed with FEP”

The default policies are located at Assets and Compliance – FEP Policies, and handle every aspect of FEP client functionality, including definition and client updates.


Default FEP policies centrally control every aspect of the client

By default, the client is directed to look at WSUS and Windows Update for updates. As long as the workstation or server has access to either a WSUS server or the internet, the FEP client will not be deployed without also being brought fully up to date.


  1. MZ 12 years ago

    Thanks for the quick FREE tutorial. Very nice to see SCCM 2012 also, look forward to more on FEP.

  2. theharveyman 12 years ago


    When I try to add the FEP deployment package to an OSD task sequence, I can select the package, but no programs show to select (drop down is blank and I can’t select anything). But the install program does show in the properties of the package. Any ideas?


  3. theharveyman 12 years ago

    I figured it out. I had to uncheck the box that says Allow Users To Interact With This Program.

  4. CypherBit 11 years ago

    Thank you for this two part tutorial. Can you perhaps provide some additional information regarding licensing? If I only need FEP with no additional functionality from the SC 2012 suite, can I just get a Standard license, install SCCM in a VM and get the FEP CAL’s for our desktops, servers?

    How does deployment work in this case, since I don’t have SCCM CAL’s? BTW, where does SCOM come in? Is it at all needed for FEP?


© 4sysops 2006 - 2023

