If your users are local administrators they might uninstall Forefront Endpoint Protection 2010 from their systems. To keep track of this and remediate it automatically, advertise a FEP installation to the built-in FEP collection called “Locally Removed”. If a user uninstalls the client, it will be reinstalled automatically.
Don’t forget to set the advertisement to always rerun. It is also a good idea to keep an eye on the advertisement to make sure you don’t have clients that end up in a loop.
Note: I have seen some cases where there is an issue with clients ending up in this collection without having the client uninstalled. Usually triggering a Hardware Inventory resolves this.
As some of you might have noticed there is no tamper protection in Forefront Endpoint Protection 2010. So how would you handle this in your environment?
The issue usually comes up when your users are local administrators on their PCs, because then they have full control over the machine.
There are different ways to work around this. My first option is to configure a GPO that controls the Microsoft Antimalware Service: set the service to start automatically and give only your real administrators the Start and Stop rights.
My second option is an advertisement with a recurring script, or a startup script, that sets the service to start automatically and starts it if it is stopped. The target is the built-in collection.
strComputer = "."
' Connect to WMI on the local machine
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Find the Microsoft Antimalware Service
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name = 'MsMpSvc'")
For Each objService in colServiceList
    ' Make sure the service starts with Windows
    errReturnCode = objService.ChangeStartMode("Automatic")
    ' Start it if it is not already running
    If objService.State <> "Running" Then
        errReturnCode = objService.StartService()
    End If
Next
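As an added example (not from the original post), the PowerShell below checks both things this section cares about: whether the FEP client is still present at all (the “Locally Removed” case) and whether the Microsoft Antimalware Service is set to Automatic and running (the tamper case), and it dumps the service’s security descriptor so you can verify the GPO from option 1 really limited Start/Stop rights. It assumes the service name MsMpSvc from the script above; the remediation function does the same thing as the VBScript.

```powershell
# Added example, not part of the original post.
# Reports the state of the FEP 2010 client service (MsMpSvc) and optionally
# repairs it. Works locally or against a remote machine (WMI, needs admin).

function Get-FepClientHealth {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
        -Filter "Name = 'MsMpSvc'"

    $findings = @()
    if (-not $svc) {
        $findings += 'MsMpSvc not found: client uninstalled or never installed'
    } else {
        if ($svc.StartMode -ne 'Auto')    { $findings += "StartMode is $($svc.StartMode), expected Auto" }
        if ($svc.State     -ne 'Running') { $findings += "State is $($svc.State), expected Running" }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Installed    = [bool]$svc
        State        = if ($svc) { $svc.State }     else { 'Missing' }
        StartMode    = if ($svc) { $svc.StartMode } else { 'Missing' }
        Compliant    = ($svc -and $findings.Count -eq 0)
        Findings     = $findings
    }
}

# Same effect as the VBScript in the post: Automatic start mode, then start it.
function Repair-FepService {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name = 'MsMpSvc'"
    if (-not $svc) { return $false }                      # nothing to repair, client is gone
    if ($svc.StartMode -ne 'Auto')    { [void]$svc.ChangeStartMode('Automatic') }
    if ($svc.State     -ne 'Running') { [void]$svc.StartService() }
    return $true
}

# The service security descriptor (SDDL) is what the GPO in option 1 sets.
# In service SDDL, RP = start and WP = stop; make sure no ACE grants those to
# Users (BU) or Authenticated Users (AU), only to Administrators (BA) / SYSTEM (SY).
function Get-FepServiceSddl {
    (& sc.exe sdshow MsMpSvc) | Where-Object { $_ -match '^D:' }
}

Get-FepClientHealth | Format-List
Get-FepServiceSddl
```

Run the health check from a ConfigMgr package on a schedule and you get the same coverage as the recurring script, plus a record of which machines were out of compliance and why.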
Quite frequently I get the question: where do I see what the latest definition updates released by Microsoft are? Sometimes you want to compare and check that you have the latest definitions in your environment.
At the url posted below you will find the latest information about definitions and the ability to download them manually.
After the session I got some questions regarding the MOM Agent for the FCS Client when upgrading. Apparently my tongue slipped and I misstated the behavior of the MOM Agent uninstallation. My apologies for that.
The intended action is that the MOM Agent should get uninstalled although there has been some minor issues detected with this. But the normal behavior should be that the MOM Agent should get uninstalled! Although if the MOM agent is multihomed uninstallation will prompt for this. If you encounter the behavior where the client is not uninstalled please contact Microsoft Support.
Below you will find a link to the presentation as promised. At the end you will find the links discussed in the presentation. For those of you who have other questions, feel free to contact me.
I forgot to mention our Swedish based System Center User Group that is found @ www.scug.se
ALL CODE IS PROVIDED AS IS WITH NO WARRANTIES
Presentation: Managing Forefront Endpoint Protection with System Center Configuration Manager
Forefront can use Microsoft Update to get definitions, and sometimes you need to open proxy servers and firewalls for this. It is not a must to use this source, but if you are using this method, I have posted a list below of known URLs for Microsoft Update that you can exclude or allow in your proxy or firewall.
If you have viruses or malware that hasn’t been detected by Forefront Endpoint Protection, you can use this link below to submit samples for analysis.
The answer is: it depends. This information is from a Microsoft presentation and may change without further notice.
Microsoft reset the definition updates through a process they call ‘re-base’ – currently once a month as part of the engine release
Today there are 4 types of packages which can be used to update FEP clients
- Full (~55MB)
The full signature set (called the base) + any signatures since the last engine release (delta) + the most recent engine
- Delta (ranges from ~200KB to ~5MB)
Contains the incremental signatures added since the last engine release (rebase).
- Binary Delta Engine (BDE) (ranges from ~2MB to ~15MB)
Binary diff of the previous base and engine against the current base and engine, plus the current incremental delta of signatures
- Binary Delta Delta (BDD) (ranges from ~100KB to ~1MB)
A BDD package differs from a Delta package in that it only carries the differential content since the previous release. Hence only new content is offered to the client.
All three package types are available on MU
Only Full packages are available on the Download Center
Internal detection logic allows each client to download the smallest package size available
The more up-to-date the client, the smaller package that client needs to download.
- First install or really out of date (>2 engine releases behind) => Full package
- Older signatures, old engine => BDE package
- Signature > 36h old, current engine => Delta package
- Signature < 36h old, current engine => BDD package
If you want to track definitions and see how your client behaves, have a look in this folder (Win7):
C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup
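To turn the package-selection rules above into something you can plan bandwidth with, here is an added example (not from the original post or from Microsoft) that classifies a list of clients by the package they should pull and sums the worst-case download using the upper end of each size range quoted above. The client records are constructed sample data, and the EngineReleasesBehind field is a hypothetical value you would derive from your own inventory.

```powershell
# Added example, not part of the original post.
# Upper bound of each package type in MB, taken from the ranges in the post.
$PackageSizeMB = @{ Full = 55; BDE = 15; Delta = 5; BDD = 1 }

function Get-ExpectedDefinitionPackage {
    param(
        [int]$EngineReleasesBehind,          # 0 = client has the current engine
        [Nullable[datetime]]$SignatureTime,  # $null = no definitions installed yet
        [datetime]$Now = (Get-Date)
    )
    # First install or more than 2 engine releases behind -> Full
    if ($null -eq $SignatureTime -or $EngineReleasesBehind -gt 2) { return 'Full' }
    # Old engine (1 or 2 releases behind) -> BDE
    if ($EngineReleasesBehind -ge 1) { return 'BDE' }
    # Current engine: signature age decides between Delta and BDD
    $ageHours = ($Now - $SignatureTime).TotalHours
    if ($ageHours -gt 36) { return 'Delta' }
    return 'BDD'
}

function Get-DefinitionBandwidthEstimate {
    param([object[]]$Clients, [datetime]$Now = (Get-Date))
    $rows = foreach ($c in $Clients) {
        $pkg = Get-ExpectedDefinitionPackage -EngineReleasesBehind $c.EngineReleasesBehind `
                                             -SignatureTime $c.SignatureTime -Now $Now
        [pscustomobject]@{ Name = $c.Name; Package = $pkg; MaxMB = $PackageSizeMB[$pkg] }
    }
    $summary = $rows | Group-Object Package | ForEach-Object {
        [pscustomobject]@{
            Package    = $_.Name
            Clients    = $_.Count
            MaxTotalMB = ($_.Group | Measure-Object MaxMB -Sum).Sum
        }
    }
    return @{ Rows = $rows; Summary = $summary }
}

# Constructed sample inventory (names and values are made up)
$now = [datetime]'2011-05-10 12:00'
$clients = @(
    [pscustomobject]@{ Name = 'PC01'; EngineReleasesBehind = 0; SignatureTime = $now.AddHours(-4) }  # BDD
    [pscustomobject]@{ Name = 'PC02'; EngineReleasesBehind = 0; SignatureTime = $now.AddDays(-3)  }  # Delta
    [pscustomobject]@{ Name = 'PC03'; EngineReleasesBehind = 1; SignatureTime = $now.AddDays(-40) }  # BDE
    [pscustomobject]@{ Name = 'PC04'; EngineReleasesBehind = 3; SignatureTime = $now.AddDays(-120)}  # Full
    [pscustomobject]@{ Name = 'PC05'; EngineReleasesBehind = 0; SignatureTime = $null             }  # Full (new install)
)
$estimate = Get-DefinitionBandwidthEstimate -Clients $clients -Now $now
$estimate.Rows    | Format-Table -AutoSize
$estimate.Summary | Format-Table -AutoSize
```

Feed it the signature timestamp and engine version from your FEP hardware inventory and the summary tells you, per package type, how much a site will pull after a re-base versus on a normal day.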
Below is a list of good links when you start deploying Forefront Endpoint Protection
The question came up today: how can I see which policy is applied to a client, on the client itself?
There are at least 2 ways of doing this.
1. GUI Option
Open the FEP Client
Press the little arrow to the right of Help and choose About Forefront Endpoint Protection
The About Screen will show up and at the bottom you see the applied policy.
2. Registry Option
The second way is to look in the registry at the following key and string value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Security Client
"LastSuccessfullyAppliedPolicy"="Default Desktop Policy"
You may also look into the log files on the client to troubleshoot any errors in applying the policy; the log files are listed below:
Replace MACHINENAME with the local computer name
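The registry option scales to more than one machine. As an added example (not from the original post), the function below reads LastSuccessfullyAppliedPolicy from the key named above on a list of computers through the .NET remote registry API and flags any machine whose policy is missing or differs from the one you expect. It assumes the Remote Registry service is running on the targets and that you have local admin rights there; the computer names are placeholders.

```powershell
# Added example, not part of the original post.
function Get-FepAppliedPolicy {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$ExpectedPolicy            # optional: policy name you expect to see
    )
    $subKey = 'SOFTWARE\Microsoft\Microsoft Security Client'   # key from the post

    foreach ($computer in $ComputerName) {
        $policy = $null
        $err    = $null
        try {
            # Open HKLM on the target (local or remote) and read the value
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $hklm.OpenSubKey($subKey)
            if ($key) {
                $policy = $key.GetValue('LastSuccessfullyAppliedPolicy')
                $key.Close()
            } else {
                $err = 'Key missing (FEP client not installed?)'
            }
            $hklm.Close()
        } catch {
            $err = $_.Exception.Message   # RPC unavailable, access denied, ...
        }

        [pscustomobject]@{
            ComputerName = $computer
            Policy       = $policy
            Status       = if ($err) { "ERROR: $err" }
                           elseif (-not $policy) { 'No policy applied yet' }
                           elseif ($ExpectedPolicy -and $policy -ne $ExpectedPolicy) { "MISMATCH (expected '$ExpectedPolicy')" }
                           else { 'OK' }
        }
    }
}

# Example run; computer names are placeholders
Get-FepAppliedPolicy -ComputerName 'PC01', 'PC02' -ExpectedPolicy 'Default Desktop Policy' |
    Format-Table -AutoSize
```

Pipe the members of a ConfigMgr collection into -ComputerName and the MISMATCH rows are the machines whose policy assignment you need to look at in the client log files.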
I have seen some questions on the forums and heard from customers asking whether it is possible to change the retention period of the database, i.e. how long data is saved for Forefront Endpoint Protection managed by ConfigMgr. So I tried to find the information, and I found it, so I thought I’d share it with you.
You need to open the SQL Management Studio and execute the following command on your FEP DW Database
XXX corresponds to your ConfigMgr site code, and value is the retention period, a number between 3 and 12 (months):
EXEC FEPDW_XXX.dbo.spAN_Common_Report_UpdateMaintenanceConfiguration value
So for a site with site code P01, where I want to keep the data for 3 months, this is the command to execute:
EXEC FEPDW_P01.dbo.spAN_Common_Report_UpdateMaintenanceConfiguration 3
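If you want to script this instead of typing it into Management Studio, here is an added example (not from the original post) that runs the same stored procedure from PowerShell. The procedure name embeds the site code, so that part cannot be passed as a SQL parameter; the function therefore validates the site code against the three-character ConfigMgr format before placing it in the statement, range-checks the months value (3 to 12) and passes it positionally as a parameter. The server name and site code are placeholders.

```powershell
# Added example, not part of the original post.
function Set-FepDwRetention {
    param(
        [Parameter(Mandatory)][string]$SqlServer,                                     # e.g. 'SQL01\INSTANCE'
        [Parameter(Mandatory)][ValidatePattern('^[A-Z0-9]{3}$')][string]$SiteCode,    # ConfigMgr site code
        [Parameter(Mandatory)][ValidateRange(3, 12)][int]$Months                      # retention in months
    )
    $database = "FEPDW_$SiteCode"
    # The month value is passed positionally via @value, so the procedure's own
    # parameter name does not matter; only the validated site code is interpolated.
    $statement = "EXEC [$database].dbo.spAN_Common_Report_UpdateMaintenanceConfiguration @value"

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$database;Integrated Security=True"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $statement
        [void]$cmd.Parameters.AddWithValue('@value', $Months)
        [void]$cmd.ExecuteNonQuery()
        return $true
    } finally {
        $conn.Close()
    }
}

# Same as the P01 / 3 months example in the post (server name is a placeholder)
Set-FepDwRetention -SqlServer 'SQL01' -SiteCode 'P01' -Months 3
```

Running it as a scheduled task right after a site installation makes sure every FEP data warehouse gets the retention your backup and disk planning assumed, rather than the default.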