Forefront Endpoint Protection. Jack Cobben




1. Contents

2. Release Notes ... 8
   Microsoft Forefront Endpoint Protection 2010 ... 8
   Running a repair on Microsoft Forefront Endpoint Protection 2010 reporting fails ... 8
   X-axis labels not displaying properly for the Antimalware Protection Summary report ... 8
   Managing the Customer Experience Improvement Program setting on the Forefront Endpoint Protection server ... 9
   Microsoft Forefront Endpoint Protection 2010 Client Software ... 9
   Managing the Customer Experience Improvement Program setting on Forefront Endpoint Protection clients ... 9
   Operating system upgrade ... 9
   Custom scan on virtual drives in Windows XP ... 10
   Forefront Endpoint Protection does not uninstall Symantec on computers running x64 operating systems ... 10
   Forefront Endpoint Protection Client stops reporting malware activity when the System Event Log is full ... 10

3. Overview ... 10
   Why Use Forefront Endpoint Protection ... 11
   Easy to Deploy ... 11
   Easy to Manage ... 11
   Unified Protection ... 12
   Decision Considerations for FEP and the FEP Security Management Pack ... 12

4. Dashboard Overview ... 14

5. Reports Overview ... 16

6. System Requirements ... 18
   Prerequisites for Installing Forefront Endpoint Protection on a Server ... 18
   Forefront Endpoint Protection Server Prerequisites ... 18
   Forefront Endpoint Protection Console Prerequisites ... 23
   Prerequisites for Deploying Forefront Endpoint Protection on a Client ... 23
   Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack ... 25

7. Getting Started ... 25
   Getting Assistance ... 26
   Where to find Forefront Endpoint Protection Help and Assistance ... 26
   Providing Feedback ... 27

8. Planning and Architecture ... 27
   Forefront Endpoint Protection 2010 ... 27
   Forefront Endpoint Protection and High Availability ... 28
   About Configuration Manager Site Topologies and FEP 2010 ... 29
   Single-Site Deployment ... 29
   Hierarchical Deployment ... 29
   Forefront Endpoint Protection Installed on the Parent and Child Sites ... 30
   Forefront Endpoint Protection Installed on the Child Sites ... 31
   About Basic Setup ... 32
   Basic Topology ... 33
   About Basic with Remote Reporting Database Setup ... 33
   Basic Topology with Remote Reporting Database ... 33
   FEP 2010 Security Management Pack ... 34
   Forefront Endpoint Protection Client ... 34
   Policies ... 35
   System Requirements ... 35
   Competitive Uninstall ... 35
   Forefront Endpoint Protection Client Deployment Options ... 36
   Definition Updates ... 36
   About Configuring Clients by Using Policies ... 37
   Creating and Configuring Policies ... 37
   Deploying Policies ... 38
   Planning for Definition Updates ... 41
   Migrating from Forefront Client Security to Forefront Endpoint Protection ... 42
   Client Update for Microsoft Forefront Client Security (1.0.xxxx.0) ... 42

9. Server Installation ... 43
   FEP 2010 ... 43
   Overview of Installing Forefront Endpoint Protection ... 43
   Installation Options ... 45
   Installing Using Basic Setup ... 45
   Prerequisites ... 46
   Installing Using Basic with a Remote Reporting Database Setup ... 48
   Installing Using Advanced Setup ... 50
   Validating Installation ... 56
   Configuring the Client Software on a Configuration Manager Site Server ... 59
   Moving from a Public RC Version to a Retail Version ... 61
   Uninstalling ... 63
   FEP 2010 Security Management Pack ... 64
   Overview of Installing the Forefront Endpoint Protection Security Management Pack ... 65
   About Agents ... 65
   Extracting the FEP 2010 Security Management Pack Files ... 66
   Importing the FEP 2010 Security Management Pack ... 67
   Configuring Client Discovery ... 68
   Create a New Management Pack for Customizations ... 69

10. Client Deployment ... 70
   Overview of Deploying Forefront Endpoint Protection ... 70
   FEP 2010 ... 70
   Deploying by Using Configuration Manager Packages ... 72
   Deploying Manually ... 74
   Deploying the Client Software by Using the Command Prompt ... 75
   Validating Deployment ... 76
   Uninstalling ... 78
   Enforcing the Client Software Deployment ... 80
   Deploying the FEP Client Software to a FEP Collection ... 80
   To create a reinstall advertisement ... 81

11. Operations ... 82
   Configuring Client Settings by Using Policies ... 82
   FEP Policies ... 83
   Creating a Policy ... 83
   Duplicating a Policy ... 84
   Editing a Policy ... 85
   Exporting a Policy ... 87
   Importing a Policy ... 88
   Setting Policy Precedence ... 88
   Assigning a Policy to Endpoint Computers ... 89
   Using Group Policy with FEP ... 91
   Converting FEP Policies to Group Policy ... 91
   Merging Settings from Multiple Policy Files ... 92
   Exporting Policy Settings to a FEP Policy File ... 94
   Configuring and Viewing FEP Group Policy Settings ... 94
   FEP Policy Templates ... 96
   About Preconfigured Policy Templates ... 96
   Applying Policies from the Command Prompt ... 98
   Updating Policies from the Command Prompt ... 101
   Common Tasks ... 102
   Running an Endpoint Protection Scan ... 102
   Managing Windows Firewall Protection ... 104
   Retrieving the Effective Endpoint Protection Settings ... 106
   Forcing Definition Updates ... 106
   Configuring Definition Updates ... 108
   Configuring Update Synchronization ... 109
   Microsoft Update Definition Updates ... 111
   File-Share-Based Definition Updates ... 111
   FEP Monitoring ... 113
   Monitoring Client Status by Using the Dashboard ... 114
   Using Alerts to Monitor Malware Detections ... 116
   Using Desired Configuration Management to Monitor Client Compliance ... 120
   FEP 2010 Security Management Pack Monitoring ... 125
   Security Considerations ... 127
   Health Rollup ... 127
   Object Classes ... 129
   About Discovery ... 130
   About Views ... 132
   About Monitors ... 133
   Monitoring Using Overrides ... 134
   About Rules ... 135
   About Alerts ... 136
   About Tasks ... 136
   Placing Objects in Maintenance Mode ... 138
   Configuring Notification Settings ... 138
   FEP 2010 Reports ... 138
   Forefront Endpoint Protection Security Reports ... 138
   Command options ... 141
   Operational Reports ... 141
   Displaying Computers Infected by a Specific Malware ... 144
   Displaying Recent Malware Infections ... 145
   Subscribing to Reports ... 145
   FEP 2010 Security Management Pack Reporting ... 146
   FEP Health and Deployment Status Schema ... 146
   FEP Security Incidents schema ... 149
   Disaster Recovery for FEP 2010 on Configuration Manager ... 155
   Backup ... 155
   Restore ... 156
   Automating Day-to-Day Tasks by Using Windows PowerShell ... 157
   Deploying or Removing the FEP Client Software ... 157
   Assigning and Unassigning FEP Policies to Collections ... 159
   Automating Desired Configuration Management ... 163
   Automating the FEP Dashboard ... 167
   Automating Tasks on Client Computers ... 170
   Automating FEP Reports ... 174

12. Troubleshooting ... 177
   Using the FEP Best Practices Analyzer ... 178
   Troubleshooting FEP and Configuration Manager ... 179
   FEP Log Files ... 180
   Troubleshooting the FEP Security Management Pack and Operations Manager ... 182

13. Technical Reference ... 183
   FEP 2010 Policy - Default Settings ... 183
   Antimalware Settings ... 183
   Updates Settings ... 193
   Windows Firewall Settings ... 194
   Security Management Pack Monitors ... 195
   Forefront Endpoint Protection 2010 Security Management Pack Monitors ... 195
   Security Management Pack Tasks ... 196
   Forefront Endpoint Protection 2010 Security Management Pack Tasks ... 196
   FEP ADMX Reference ... 198
   FEP2010 Client Help ... 231
   Welcome to Microsoft Forefront Endpoint Protection ... 231
   Why do I need antivirus and antispyware software? ... 232
   How can I tell if my computer is infected with malicious software? ... 233
   What should I do if Forefront Endpoint Protection detects malicious software on my computer? ... 233
   Using Forefront Endpoint Protection to remove potentially harmful software ... 234
   Frequently asked questions about malicious software ... 235
   How to help prevent malicious software infections ... 236
   How to help prevent malicious software infections ... 237
   Getting started ... 237
   Understanding alert levels ... 237
   What are recommended actions? ... 239
   Applying default actions to detected items ... 239
   Scanning for viruses, spyware, and other potentially unwanted software ... 239
   To scan the areas of your computer that malicious software is most likely to infect (Quick scan) ... 240
   To scan all areas of your computer (Full scan) ... 240
   To scan specific areas of your computer only (Custom scan) ... 240
   Running a custom scan ... 240
   To scan a specific file or folder (right-click scan) ... 240
   Running a right-click scan ... 240
   Scheduling scans ... 240
   When is the best time to run a scan on my computer? ... 241
   Responding to potential threats after a scan ... 242
   How can I view a scan's progress? ... 242
   What are advanced scanning options? ... 242
   Excluding items from a scan ... 243
   What's real-time protection? ... 244
   Understanding real-time protection options ... 244
   Turning real-time protection on and off ... 245
   How do I know that Forefront Endpoint Protection is running on my computer? ... 246
   How to set up Forefront Endpoint Protection alerts ... 247
   What are virus and spyware definitions? ... 247
   How do I keep virus and spyware definitions up to date? ... 247
   Running a scan using the latest updates ... 248
   How do I remove or restore items quarantined by Forefront Endpoint Protection? ... 248
   To remove or restore quarantined items ... 248
   How do I add or remove items from the Forefront Endpoint Protection allowed list? ... 249
   How do I view or clear the history in Forefront Endpoint Protection? ... 249
   What if I want to download or run a program that Forefront Endpoint Protection detects as potentially harmful? ... 250
   Privacy settings for detected items ... 250
   What is the Microsoft SpyNet Community? ... 251
   Reporting suspicious software to Microsoft SpyNet ... 251
   Changing your Microsoft SpyNet community membership ... 251
   Where can I find the Forefront Endpoint Protection privacy statement? ... 252
   Where can I find the Forefront Endpoint Protection license agreement? ... 252
   Troubleshooting ... 252
   Troubleshooting Update Issues ... 252
   I can't start the Forefront Endpoint Protection service ... 255
   I can't install Forefront Endpoint Protection ... 257
   I can't connect to the Internet issue (General topic) ... 260
   Error 0x8******* encountered while virus and spyware definition updates or product upgrades ... 262
   Forefront Endpoint Protection detects a threat but can't remediate it ... 262

2. Release Notes

These release notes contain information that is required to successfully install, deploy, and use Microsoft Forefront Endpoint Protection. They contain information that is not available in the product documentation.

Microsoft Forefront Endpoint Protection 2010

Running a repair on Microsoft Forefront Endpoint Protection 2010 reporting fails

The user account used to run a repair on Forefront Endpoint Protection Reporting must be assigned the Content Manager SQL Server Reporting Services role. For more information about the Content Manager SQL Server Reporting Services role, see Content Manager Role (http://go.microsoft.com/fwlink/?linkid=207653) in SQL Server Books Online.

Note: When User Account Control (UAC) is enabled on the SQL Server Reporting Services server, the role assignment cannot be inherited from the following groups, or the repair will fail:
- Administrators local group
- Domain Administrators domain group

X-axis labels not displaying properly for the Antimalware Protection Summary report

In some circumstances, when running the Antimalware Protection Summary report, the x-axis labels do not display properly. This occurs only when running Microsoft SQL Server 2008 or SQL Server 2008 R2 Reporting Services. Install one of the following SQL Server cumulative updates to fix the report:
- Cumulative Update package 3 for SQL Server 2008 R2 (http://go.microsoft.com/fwlink/?linkid=204839)
- Cumulative update package 10 for SQL 2008 Service Pack 1 (http://go.microsoft.com/fwlink/?linkid=204840)

Note: It is recommended that you install the SQL Server cumulative update prior to installing Forefront Endpoint Protection. If the SQL Server cumulative update is installed after Forefront Endpoint Protection was installed, you will need to run a repair on the Microsoft Forefront Endpoint Protection 2010 Reporting component.

Managing the Customer Experience Improvement Program setting on the Forefront Endpoint Protection server

After installing Forefront Endpoint Protection, you cannot change your membership in the Customer Experience Improvement Program (CEIP) through the user interface. To manually configure the CEIP setting, modify the following registry key on the Forefront Endpoint Protection server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\config\SqmEnabled

Setting the registry key to 1 joins the CEIP. Setting the registry key to 0 removes membership in the CEIP. For the change to take effect, you need to restart the computer.

Microsoft Forefront Endpoint Protection 2010 Client Software

Managing the Customer Experience Improvement Program setting on Forefront Endpoint Protection clients

Forefront Endpoint Protection clients automatically join the Customer Experience Improvement Program (CEIP). Users can modify this setting; however, the administrator cannot control the CEIP setting via a Forefront Endpoint Protection policy created in the Configuration Manager console. To configure the CEIP setting, create the following registry key on the Forefront Endpoint Protection client computer:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration\SqmConsentApprove

Setting the registry key to 1 joins the CEIP (default). Setting the registry key to 0 removes membership in the CEIP. After the registry key has been created, the user can no longer change this setting from the Forefront Endpoint Protection client. For the change to take effect, you need to restart the computer.

Operating system upgrade

After the operating system on a client computer is upgraded, the Forefront Endpoint Protection client software no longer functions as expected. To avoid this, you must uninstall the Forefront Endpoint Protection client software before running the operating system upgrade. This applies to the following operating system upgrade paths:
- Windows XP to Windows Vista
- Windows Vista to Windows Vista SP1, Windows Vista SP2, or Windows 7
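As an added example (not part of the FEP documentation), the following Windows PowerShell script audits the two CEIP registry values described above, can pin the client value through the Policies key, and checks the System event log retention setting that the next release note recommends, since a full log silently stops malware reporting. It assumes SqmEnabled and SqmConsentApprove are DWORD values under the listed paths and that it runs in an elevated session.

```powershell
# Added example, not from the FEP documentation. Run elevated in Windows PowerShell.
# Assumption: SqmEnabled / SqmConsentApprove are DWORD values under the paths the
# release notes list (1 = joined to CEIP, 0 = opted out).

$ServerKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\config'
$ClientKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration'

function Get-FepCeipState {
    # Reports the CEIP setting for the server and client roles. A missing value means
    # the setting has never been pinned; on clients the default (joined) then applies.
    foreach ($entry in @(
        @{ Role = 'Server'; Path = $ServerKey; Name = 'SqmEnabled' },
        @{ Role = 'Client'; Path = $ClientKey; Name = 'SqmConsentApprove' })) {
        $value = $null
        if (Test-Path $entry.Path) {
            $value = (Get-ItemProperty -Path $entry.Path -Name $entry.Name `
                      -ErrorAction SilentlyContinue).($entry.Name)
        }
        $state = if ($value -eq 1) { 'Joined' } elseif ($value -eq 0) { 'Opted out' } else { 'Not set' }
        [pscustomobject]@{
            Role  = $entry.Role
            Key   = Join-Path $entry.Path $entry.Name
            Value = $value
            State = $state
        }
    }
}

function Set-FepClientCeip {
    # Pins the client CEIP setting. Once the value exists, users can no longer change it
    # from the FEP client UI; the release notes require a restart for it to take effect.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Consent)
    if (-not (Test-Path $ClientKey)) { New-Item -Path $ClientKey -Force | Out-Null }
    New-ItemProperty -Path $ClientKey -Name 'SqmConsentApprove' -PropertyType DWord `
                     -Value $Consent -Force | Out-Null
    Write-Warning 'SqmConsentApprove written; restart the computer for the change to take effect.'
}

function Test-SystemLogOverflow {
    # FEP derives malware incident reports from System event log entries, so a log that
    # is full and set not to overwrite stops reporting. Returns $true when the log is set
    # to overwrite events as needed; -Fix applies that setting first.
    param([switch]$Fix)
    $log = Get-EventLog -List | Where-Object { $_.Log -eq 'System' }
    if ($Fix -and $log.OverflowAction -ne 'OverwriteAsNeeded') {
        Limit-EventLog -LogName System -OverflowAction OverwriteAsNeeded
        $log = Get-EventLog -List | Where-Object { $_.Log -eq 'System' }
    }
    return ($log.OverflowAction -eq 'OverwriteAsNeeded')
}

# Audit only; call Set-FepClientCeip 0 or Test-SystemLogOverflow -Fix to remediate.
Get-FepCeipState | Format-Table -AutoSize
if (-not (Test-SystemLogOverflow)) {
    Write-Warning 'System event log is not set to overwrite as needed; FEP malware reporting stops once it fills.'
}
```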

Custom scan on virtual drives in Windows XP

On computers running Windows XP, malware residing on a virtual drive is not detected during a custom scan of the virtual drive. A virtual drive is created by applications that use Application Virtualization (App-V) technology, such as Microsoft Office 2010. Quick scans and full scans detect the malware properly.

Forefront Endpoint Protection does not uninstall Symantec on computers running x64 operating systems

The Forefront Endpoint Protection client software does not uninstall the Symantec Antivirus Corporate Edition client on computers running a 64-bit operating system. On these computers, you need to manually uninstall the Symantec software before deploying the Forefront Endpoint Protection client software.

Forefront Endpoint Protection Client stops reporting malware activity when the System Event Log is full

Client malware activity incidents are reported from the client to the Forefront Endpoint Protection server based on the entries in the System event log. If the System event log is full and no new events can be written, no new malware activity is reported to the Forefront Endpoint Protection server. It is recommended that you configure the properties of the System event log to overwrite events as needed, so that new events can be written and are not lost.

3. Overview

Microsoft Forefront Endpoint Protection 2010 (FEP) is a security and antimalware solution integrated into System Center Configuration Manager 2007, and the Forefront Endpoint Protection Security Management Pack is a security and antimalware management solution for servers and critical, high-priority computers, integrated into System Center Operations Manager 2007. Together, they form a software solution that provides security and antimalware management for desktops, portable computers, and servers.

Together they provide a lower total-cost-of-ownership enterprise solution that enables desktop administrators in your organization to add security management to their day-to-day operations, within a familiar framework and without requiring specialized security knowledge. FEP and the FEP Security Management Pack leverage the familiar administrative experience of managing and monitoring endpoints. They improve visibility for identifying and remediating potentially vulnerable endpoints while lowering ownership costs by using existing infrastructure for both endpoint management and security. The FEP client software deploys easily to hundreds of thousands of endpoints by using existing System Center Configuration Manager agents, provides highly accurate detection of known and unknown threats, and actively protects against network-level attacks by managing basic Windows Firewall configurations.

FEP and the FEP Security Management Pack provide the following features:

- Integration with your existing system management infrastructure
- Proven antimalware engine
- Reporting functionality
- In FEP, policy-based antimalware management
- In FEP, firewall management
- Seamless migration from previous antivirus solutions

Why Use Forefront Endpoint Protection

Forefront Endpoint Protection and the FEP Security Management Pack provide seamless integration with the management products you use on a daily basis. The key benefits are described below.

Easy to Deploy

Forefront Endpoint Protection makes it easy for desktop administrators to roll out a large-scale endpoint protection solution to all user desktops and portable computers, while the FEP Security Management Pack makes it simple to roll out real-time alerting and reporting for servers and critical, high-priority client computers. FEP comes complete with policy templates, for both recommended client configurations and typical server workloads, which are ready to use right out of the box, taking the guesswork out of security management. While no advanced customization is required, it is easy to customize policies to meet the needs of your organization.

Forefront Endpoint Protection supports deployments that are built on the familiar System Center Configuration Manager software distribution infrastructure, while the FEP Security Management Pack, built on System Center Operations Manager, supports servers and critical high-priority client computers. Using Forefront Endpoint Protection, you can deploy the client:
- Across various topologies, to support non-domain-joined computers and endpoints at different branch offices, in addition to unmanaged (stand-alone) clients.
- To seamlessly upgrade or replace previously installed security solutions.
- On various Windows operating systems.

Easy to Manage

Forefront Endpoint Protection and the FEP Security Management Pack offer both the desktop administrator and the server administrator a streamlined security management experience. Built on the familiar System Center interfaces, they give administrators simplified access to the information and tools they need in order to keep their enterprise secure and running, including the following:
- In FEP, policy-based administration
- Remediation capabilities, including scanning and updating definitions on client computers

- Current and historical reporting that enables administrators to answer critical security questions, such as:
  - What percentage of computers are currently protected?
  - Is antivirus software installed and turned on?
  - Are the latest definitions installed?
  - What malware was detected in the organization?
  - What computers currently have malware activity?
  - How can I improve my organizational security?

Forefront Endpoint Protection is built on System Center Configuration Manager, and the FEP Security Management Pack is built on System Center Operations Manager.

Unified Protection

Forefront Endpoint Protection delivers single-agent, multithreat protection for desktops and portable computers, and the FEP Security Management Pack provides management of servers and critical high-priority client computers. Backed by a world-class response center and a dedicated community (Microsoft SpyNet) serving millions of users, the FEP client includes:
- Antimalware and antispyware
- Rootkit detection and remediation
- Critical vulnerability assessment and automatic updates
- Integrated Windows Firewall management
- Network Inspection System

The FEP client helps users stay secure and productive both at work and on the go with a lightweight, easy-to-use interface. It is built on the same antimalware engine as Microsoft Security Essentials (MSE), which has been delighting millions of consumers with low false positives and high catch rates. Whenever possible, the FEP client automatically resolves security issues as they occur without disturbing users, so users can stay safe and continue with their work without contacting their desktop administrators.

Decision Considerations for FEP and the FEP Security Management Pack

Both FEP and the FEP Security Management Pack provide best-of-breed security protection for desktops, portable computers, and servers. You can implement either FEP or the FEP Security Management Pack, or you can implement both to take advantage of the features of each. Choosing when to implement each requires that you evaluate your security needs. Consider the questions in the following table.

If: You are already using System Center Configuration Manager to manage your enterprise.
Then: You can easily implement Forefront Endpoint Protection to integrate security into your computer management solution.

If: You are using System Center Operations Manager to manage your data center.
Then: You can implement the FEP Security Management Pack to monitor your servers and critical high-priority computers.

If: You need real-time reporting and monitoring for any of your computers or servers.
Then: The FEP Security Management Pack can provide real-time monitoring and alerting for the servers (and high-priority client computers) you designate.

If: You are using the Desired Configuration Management (DCM) feature in Configuration Manager.
Then: Forefront Endpoint Protection provides additional DCM checks that allow you to report on the status of security areas within your Configuration Manager environment.

If: You are managing any branch offices or non-domain-joined clients.
Then: Configuration Manager supports both of these scenarios, and Forefront Endpoint Protection, built on Configuration Manager, can take full advantage of this support.

If: The desktop administrators in your organization are responsible for desktop security.
Then: If you have implemented Configuration Manager for desktop administration, your desktop administrators can work within the familiar interface of Configuration Manager.

If: You need historical reporting for malware events.
Then: Both Forefront Endpoint Protection and the FEP Security Management Pack are an option for you. Both maintain a historical record of malware information in your organization.

4. Dashboard Overview

The Forefront Endpoint Protection dashboard provides key information for tracking the status of client software deployments, antimalware activity, definition updates, policy distributions, and client software compliance. The dashboard contains several summary areas displayed on a single page. It works by querying the Configuration Manager site database and using the resulting data sets to present key metrics in a graphical format.

The Forefront Endpoint Protection dashboard is located in the Configuration Manager console, at the following path in the tree:

Site Database / Computer Management / Forefront Endpoint Protection

The following table describes the summary areas displayed in the Forefront Endpoint Protection dashboard:

Client Deployment Status
This area displays the following information:
- The number of computers in your organization to which the client software was not targeted.
- The number of computers in your organization to which the client software is targeted. The set of computers to which the client software is targeted is divided into the following deployment states: Removed, Failed, Pending, Out of date, Deployed.

Protection Status
This area displays the reporting status for the FEP client software. There are three possible status values:
- Protection service off: the number of computers on which the FEP antimalware service is turned off.
- Not reporting: the number of computers to which the FEP client has been deployed, but that have not sent a status report back to the Configuration Manager server in the past 14 days.
- Healthy: the number of computers running the FEP client software that have sent a status report back to the Configuration Manager server in the past 14 days.

Security Status
This area displays information about malware activity in your organization. The possible states of the FEP client software are as follows:
- Infected: the number of computers on which the FEP client software has detected active malware.
- Restart required: the number of computers running the FEP client software that require a restart in order to complete malware cleaning.
- Full scan required: the number of computers running the FEP client software that require a full scan.
- Recent malware activity (Last 24 hours): the number of computers on which the FEP client software detected and cleaned malware within the last 24 hours.

Definition Status
This area displays information about the age of the FEP antimalware definitions on the client computers. Computers are listed according to the age category into which the definitions fall. The possible categories are:
- Older than 1 week: the number of client computers with definitions more than 1 week old.
- Up to 7 days old: the number of client computers with definitions up to 1 week old.
- Up to 3 days old: the number of client computers with definitions up to 3 days old.
- Up to date: the number of client computers with up-to-date definitions.
Data for this dashboard area is collected by Configuration Manager Desired Configuration Management (DCM) baselines. For more information about DCM baselines and Forefront Endpoint Protection, see Using Desired Configuration Management to Monitor Client Compliance.

Summary area: Policy Distribution Status
Description: This area displays information about the possible policy distribution states for the FEP client software. The possible states are:
- Failed: the number of computers to which a policy could not be deployed.
- Pending: the number of computers to which a policy is in the process of being deployed.
- Distributed: the number of computers to which a policy was successfully deployed.

Summary area: Forefront Endpoint Protection Baselines
Description: This area displays summary status information for FEP client compliance with FEP configuration baselines. For more information, see Using Desired Configuration Management to Monitor Client Compliance.

5. Reports Overview

Reporting in Forefront Endpoint Protection is integrated into the Configuration Manager console. The information is gathered using the standard Configuration Manager data collection mechanism and is stored in the Forefront Endpoint Protection reporting database. Because this information is gathered at scheduled intervals, reports may not reflect the most recent information. Forefront Endpoint Protection presents the information gathered in the reporting database in summary and detailed reports, which contain links that can be clicked to view the related reports. There are several predefined reports, located under the Forefront Endpoint Protection Reports node and under the standard Configuration Manager Reporting node; these broadly divide into security reports and operational reports, respectively. The following table lists the available reports.

Report name: Antimalware Activity Report
Type: Security
Description: This report provides an overview of antimalware status, malware alerts, and malware detections.

Report name: Antimalware Protection Summary Report
Type: Security
Description: This report provides an overview of antimalware deployment and health.

Report name: Malware Details Report
Type: Security
Description: This report displays further details about a specific malware.

Report name: Computer List Report
Type: Security
Description: This report displays a list of computers that can be filtered by collection, name, protection status, security state, antimalware signature version, detected malware, and last antimalware scan time.

Report name: Computer Details Report
Type: Security
Description: This report displays further details about a specific computer.

Report name: Deployment Overview
Type: Operational
Description: This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status per collection.

Report name: Deployment for a specific collection
Type: Operational
Description: This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status for a specific collection.

Report name: Computers with a specific deployment state
Type: Operational
Description: This report displays a list of computers in a collection and the specific deployment state.

Report name: Policy Distribution Overview
Type: Operational
Description: This report displays the breakdown of policy distribution states per collection. The report only enumerates computers with Microsoft Forefront Endpoint Protection 2010 deployed.

Report name: Policy Distribution for a specific collection
Type: Operational
Description: This report displays the policy distribution states for a specific collection.

Report name: Computers with a specific policy distribution state
Type: Operational
Description: This report displays a list of computers in a collection and the specific policy state.

Report name: FEP information for a specific computer
Type: Operational
Description: This report displays a summary of Forefront Endpoint Protection information for a specific computer.
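The Protection Status and Definition Status buckets described in the Dashboard Overview above, computed from client status records, as an added example (illustrative code written here, not part of the FEP guide or product). The ClientStatus record shape, the rule that a report older than 14 days counts as Not reporting whatever it said about the service, and the 1-day boundary for "Up to date" are assumptions, since the guide does not define them.

```python
"""Added example, not part of the FEP guide or product: reproduce the Protection
Status and Definition Status bucketing the FEP dashboard derives from client
status reports, using the thresholds the guide states (14-day reporting window;
definition age buckets of up to 3 days, up to 7 days, older than 1 week).
Assumptions (the guide does not define them): a client whose last report is
older than 14 days counts as "Not reporting" whatever that stale report said,
and "Up to date" means definitions less than 1 day old.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORTING_WINDOW = timedelta(days=14)   # "in the past 14 days"
DEF_UP_TO_DATE = timedelta(days=1)      # assumed boundary for "Up to date"


@dataclass
class ClientStatus:
    """One client's most recent status report (constructed shape, not FEP's)."""
    name: str
    last_report: datetime       # when the client last reported to the site server
    service_on: bool            # FEP antimalware service state in that report
    definition_date: datetime   # release date of the definitions in that report


def protection_status(client: ClientStatus, now: datetime) -> str:
    # A report older than the window is stale, so the client is "Not reporting"
    # even if its last report said the service was off (assumption).
    if now - client.last_report > REPORTING_WINDOW:
        return "Not reporting"
    if not client.service_on:
        return "Protection service off"
    return "Healthy"


def definition_status(client: ClientStatus, now: datetime) -> str:
    age = now - client.definition_date
    if age > timedelta(days=7):
        return "Older than 1 week"
    if age > timedelta(days=3):
        return "Up to 7 days old"      # more than 3 days, up to and including 7
    if age >= DEF_UP_TO_DATE:
        return "Up to 3 days old"      # 1 to 3 days old (1-day boundary assumed)
    return "Up to date"


def dashboard_summary(clients, now: datetime) -> dict:
    """Counts per bucket: the numbers the two dashboard areas display."""
    return {
        "Protection Status": dict(Counter(protection_status(c, now) for c in clients)),
        "Definition Status": dict(Counter(definition_status(c, now) for c in clients)),
    }


# Constructed sample data covering the boundaries (a report exactly 14 days old,
# definitions exactly 7 days old) as well as the ordinary cases.
NOW = datetime(2011, 3, 1, 12, 0)
SAMPLE_CLIENTS = [
    ClientStatus("ws01", NOW - timedelta(hours=1), True, NOW - timedelta(hours=6)),
    ClientStatus("ws02", NOW - timedelta(days=2), False, NOW - timedelta(days=2)),
    ClientStatus("ws03", NOW - timedelta(days=20), True, NOW - timedelta(days=20)),
    ClientStatus("srv01", NOW - timedelta(days=14), True, NOW - timedelta(days=7)),
    ClientStatus("ws04", NOW - timedelta(days=3), True, NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    for area, counts in dashboard_summary(SAMPLE_CLIENTS, NOW).items():
        print(area)
        for bucket, n in sorted(counts.items()):
            print(f"  {bucket}: {n}")
```

The boundary clients show why the exact comparison matters: a report exactly 14 days old is still Healthy, and definitions exactly 7 days old still fall in "Up to 7 days old".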

6. System Requirements

To get started with Microsoft Forefront Endpoint Protection 2010, your computers must meet the minimum requirements for installing the Forefront Endpoint Protection server and deploying the Forefront Endpoint Protection client. Use the following topics to help you prepare the computers in your environment:
- Prerequisites for Installing Forefront Endpoint Protection on a Server
- Prerequisites for Deploying Forefront Endpoint Protection on a Client
- Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack

Prerequisites for Installing Forefront Endpoint Protection on a Server

The Forefront Endpoint Protection Setup wizard includes a prerequisites verification that checks that the prerequisites are already installed before you continue with the installation. If the prerequisites verification check identifies missing prerequisites, it points you to locations where you can download and install the required components.

Forefront Endpoint Protection Server Prerequisites

The following table lists the minimum requirements for installing the Forefront Endpoint Protection server.

Prerequisite: Memory
Minimum requirements: 2 GB of RAM

Prerequisite: Available disk space
Minimum requirements:
- Forefront Endpoint Protection server: 600 MB
- Forefront Endpoint Protection database: 1.25 GB
- Forefront Endpoint Protection reporting database: 1.25 GB
Notes: For large scale deployments of more than 10,000 client computers, on the computer running Microsoft SQL Server where the Forefront Endpoint Protection reporting database resides, the tempdb must be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more information about configuring the tempdb data file, see Optimizing tempdb Performance (http://go.microsoft.com/fwlink/?linkid=206862).

Prerequisite: Operating system
Minimum requirements: Windows Server 2003 Standard, Enterprise, or Datacenter Edition Service Pack 2 (x86 or x64), or Windows Server 2008 Standard, Enterprise, or Datacenter Service Pack 1 (x86 or x64), or Windows Server 2008 R2 Standard, Enterprise, or Datacenter (x64)

Prerequisite: Database servers
Minimum requirements: Microsoft SQL Server 2005 Standard or Enterprise Edition Service Pack 3 (x86 or x64), or Microsoft SQL Server 2008 Standard or Enterprise (x86 or x64), or Microsoft SQL Server 2008 R2 Standard or Enterprise (x86 or x64)
Notes: When using an RTM release of SQL Server 2008, make sure that the default instance is defined. If the default instance is not defined, reporting and alerting do not function, because data cannot flow up to the Configuration Manager site server. Verify that all computers that are running SQL Server are joined to the domain, that the user account running Setup is a member of the sysadmin SQL Server role, and that all SQL Server services are running. Additionally, in nonclustered SQL Server environments, the SQL Server services should be configured to start automatically. The user account running Setup will be set as the owner of the following SQL Server databases and jobs:
- FEPDB_XXX (database)
- FEPDW_XXX (database)
- FEP_DataWarehouseMaintenance_FEPDW_XXX (job)
- FEP_DB_Maintenance_FEPDB_XXX (job)
- FEP_GetNewData_FEPDW_XXX (job)
- FEP_GetNewDataOnInstall_FEPDW_XXX (job)

Prerequisite: Additional requirements for installing the Forefront Endpoint Protection reporting database
Minimum requirements:
- SQL Server Analysis Services
- SQL Server Integration Services
- SQL Server Reporting Services
- SQL Server Agent
Notes: For SQL Server Analysis Services, the user account running Setup, or a domain group of which it is a member, must belong to the server administrator role on your specified SQL Server Analysis Server. For more information, see Analysis Server Properties Dialog Box (http://go.microsoft.com/fwlink/?linkid=204204). The Forefront Endpoint Protection reporting database and the server running SQL Server Analysis Services must be installed on the same SQL Server instance. On the computer that is running SQL Server Analysis Services, the following ports must be open for incoming traffic:
- SQL Server (TCP 1433)
- SQL Server Analysis Services (TCP 2383)
For more information, see Configuring the Windows Firewall to Allow SQL Server Access (http://go.microsoft.com/fwlink/?linkid=128365). For Forefront Endpoint Protection reporting to function, you must make sure that the Forefront Endpoint Protection client that is installed as part of Forefront Endpoint Protection has access to definition updates via the Configuration Manager client agent, Windows Server Update Services, or Microsoft Update.

Prerequisite: Additional requirements for installing the Forefront Endpoint Protection reporting database on a SQL Server cluster
Minimum requirements: The name you entered in the SQL Network Name box for your SQL Server cluster must be registered in the domain. SQL Server Integration Services must be installed on all nodes and must be part of the cluster group.

Prerequisite: Configuration Manager
Minimum requirements: Microsoft System Center Configuration Manager 2007 Service Pack 2 installed with default roles, and either Microsoft System Center Configuration Manager 2007 R2 installed and configured to use SQL Server Reporting Services, or Microsoft System Center Configuration Manager 2007 R3 installed and configured to use SQL Server Reporting Services. The following client agents are installed and configured:
- Hardware Inventory
- Software Distribution
- Desired Configuration Management

Prerequisite: Additional requirements
Minimum requirements:
- No other version of Forefront Endpoint Protection is installed
- Microsoft Windows Installer version 3.1
- Microsoft .NET Framework 3.5 Service Pack 1
- Configuration Manager Hotfix KB2271736 (http://go.microsoft.com/fwlink/?linkid=203936)
- SQL Server Analysis Management Objects
- The computer where Setup is run is not pending a restart from a previous install or update
- The user account running Setup is a domain account for the domain of which the Forefront Endpoint Protection server is a member, has local administrative credentials, and has Configuration Manager administrative credentials
Notes: You must install SQL Server Analysis Management Objects on the computer where Setup is run when the Forefront Endpoint Protection reporting database is being installed on a remote computer. You can download the SQL Server Analysis Management Objects for your version of SQL Server from the following locations:
- For SQL Server 2008 R2, visit Microsoft SQL Server 2008 R2 Feature Pack (http://go.microsoft.com/fwlink/?LinkId=206861), go to the Microsoft SQL Server 2008 R2 Analysis Management Objects section, and download the appropriate file based on your system architecture.
- For SQL Server 2008, visit Microsoft SQL Server 2008 Feature Pack (http://go.microsoft.com/fwlink/?LinkId=206625), go to the Microsoft Analysis Management Objects section, and download the appropriate file based on your system architecture.
- For SQL Server 2005, visit Feature Pack for Microsoft SQL Server 2005 (http://go.microsoft.com/fwlink/?LinkId=206624), go to the Microsoft SQL Server 2005 Management Objects Collection section, and download the appropriate file based on your system architecture.

Forefront Endpoint Protection Console Prerequisites

The following table lists the minimum requirements for installing the Forefront Endpoint Protection console.

Prerequisite: Configuration Manager
Minimum requirements: Microsoft System Center Configuration Manager 2007 Service Pack 2 Console, or Microsoft System Center Configuration Manager 2007 R2, or Microsoft System Center Configuration Manager 2007 R3

Prerequisite: Additional requirements
Minimum requirements:
- Microsoft .NET Framework 3.5 Service Pack 1
- Configuration Manager Hotfix KB2271736 (http://go.microsoft.com/fwlink/?linkid=203936)
- The computer running Setup is not pending a restart from a previous install or update
- The user account running Setup is a domain account for the domain of which the Forefront Endpoint Protection server is a member, has local administrative credentials, and has Configuration Manager administrative credentials

Prerequisites for Deploying Forefront Endpoint Protection on a Client

The following table lists the prerequisites for deploying the Forefront Endpoint Protection client on client computers.

Prerequisite: Configuration Manager
Requirement: A Microsoft System Center Configuration Manager 2007 site that has the Forefront Endpoint Protection server installed.
Note: If you have client computers that do not require the central deployment and management features of the Forefront Endpoint Protection server, and you intend to manually install the Forefront Endpoint Protection client, the Configuration Manager prerequisites stated for client computers are not required. For more information, see Deploying the Client Software by Using the Command Prompt.

Prerequisite: Operating system
Requirement: Windows 7 (x86 or x64), or Windows 7 XP mode, or Windows Vista (x86 or x64) or later versions, or Windows XP Service Pack 2 (x86 or x64) or later versions, or Windows Server 2008 R2 (x64) or later versions, or Windows Server 2008 R2 Server Core (x64), or Windows Server 2008 (x86 or x64) or later versions, or Windows Server 2003 Service Pack 2 (x86 or x64) or later versions, or Windows Server 2003 R2 (x86 or x64) or later versions
Note: On the following operating systems, the Forefront Endpoint Protection client software can be installed manually. However, policies cannot be applied to them, nor can they be centrally managed by Forefront Endpoint Protection.
- Windows 7 Starter
- Windows 7 Home Premium
- Windows Vista Basic
- Windows Vista Home Premium
- Windows XP Home Edition

Prerequisite: Available disk space
Requirement: 255 MB

Prerequisite: Additional requirements
Requirement:
- Windows Installer 3.1 or later versions
- Filter manager rollup package for Windows XP Service Pack 2 (x86), KB914882 (http://go.microsoft.com/fwlink/?linkid=207000)

Prerequisite: Competitive uninstall
Requirement: The client installation checks for and uninstalls the following existing antimalware clients:
- Symantec Endpoint Protection version 11
- Symantec Corporate Edition version 10
- McAfee VirusScan Enterprise version 8.5 and version 8.7, and its agent
- Forefront Client Security version 1 and the Operations Manager agent
- TrendMicro OfficeScan version 8 and version 10

Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack

The following table lists the minimum requirements for importing the Forefront Endpoint Protection Security Management Pack.

Prerequisite: System Center Operations Manager 2007
Minimum requirement: System Center Operations Manager 2007 R2

The following table lists the minimum requirements for the Reporting management pack for use with the Forefront Endpoint Protection Security Management Pack.

Prerequisite: Reporting components
Minimum requirement: Reporting components must be installed for System Center Operations Manager 2007 R2 in order to use the Reporting feature.

7. Getting Started

Before deploying Microsoft Forefront Endpoint Protection 2010, you should read the documentation carefully and plan your deployment according to your business needs. If planned correctly, Forefront Endpoint Protection can reduce your administrative overhead and total cost of ownership. If Forefront Endpoint Protection is deployed without sufficient planning, you can disrupt your whole network, because Forefront Endpoint Protection has the potential to affect every computer in your organization.

Because Forefront Endpoint Protection is built on System Center Configuration Manager, you should be familiar with Configuration Manager before you deploy Forefront Endpoint Protection. For more information, see System Center Configuration Manager 2007 (http://go.microsoft.com/fwlink/?linkid=111469). Because the FEP Security Management Pack is built on System Center Operations Manager, you should be familiar with Operations Manager before deploying the FEP Security Management Pack. For more information, see System Center Operations Manager R2 (http://go.microsoft.com/fwlink/?linkid=205692).

Note: If you are new to Forefront Endpoint Protection, you should experiment in a test network environment before you deploy the product.

Next Steps

- Plan the Forefront Endpoint Protection installation. For more information, see Planning and Architecture.
- Install Forefront Endpoint Protection on your Configuration Manager site server. For more information, see FEP 2010.
- Import the FEP Security Management Pack on your Operations Manager server. For more information, see FEP 2010 Security Management Pack.
- Deploy Forefront Endpoint Protection policies and clients. For more information, see Client Deployment.
- Learn about routine operations. For more information, see Operations.

Getting Assistance

The Forefront Endpoint Protection online help and assistance options are available to you when you're planning, deploying, administering, and troubleshooting Forefront Endpoint Protection. Where to find Forefront Endpoint Protection Help and Assistance:

- Forefront Endpoint Protection TechNet Library (http://go.microsoft.com/fwlink/?linkid=188968). The FEP TechNet library contains the most up-to-date product documentation. This documentation is updated as Forefront Endpoint Protection features evolve and new troubleshooting information becomes available.
- Forefront Endpoint Security Blog (http://go.microsoft.com/fwlink/?linkid=196676). The Forefront Endpoint Security blog contains technical articles written by the Forefront Endpoint Protection team, in addition to product announcements and updates.
- Forefront Endpoint Protection Forum (http://go.microsoft.com/fwlink/?linkid=196677). The forum provides a place to discuss Forefront Endpoint Protection with customers and Forefront Endpoint Protection team members. The Forefront Endpoint Protection forum is an excellent way to interact with the Forefront Endpoint Protection team and with other customers worldwide.
- The Forefront Endpoint Protection section of the TechNet Wiki (http://go.microsoft.com/fwlink/?linkid=196679). The TechNet Wiki contains community-generated content about various Microsoft products, including Forefront Endpoint Protection. Through the use of the TechNet Wiki, you can share your knowledge and experience with other members of the community.

Providing Feedback

Your feedback about Microsoft Forefront Endpoint Protection 2010 will be greatly appreciated and will help Microsoft improve Forefront Endpoint Protection. Please submit all feedback to the Forefront Endpoint Protection Forum (http://go.microsoft.com/fwlink/?linkid=188968).

8. Planning and Architecture

The content in this section is designed to help you plan your Microsoft Forefront Endpoint Protection 2010 installation and the infrastructure required to support it. Before you install Forefront Endpoint Protection, it is recommended that you review the following sections:
- Planning Your Deployment
- Migrating from Forefront Client Security to Forefront Endpoint Protection

Forefront Endpoint Protection 2010

Forefront Endpoint Protection easily installs into your existing Configuration Manager 2007 deployment. The Forefront Endpoint Protection server installation process automatically installs the required components to the correct servers based upon the Configuration Manager deployment. The following is a list of items that are installed during Forefront Endpoint Protection Setup.
Installation item: Forefront Endpoint Protection Site Server Extensions for Configuration Manager
Description: The Forefront Endpoint Protection site server extensions for Configuration Manager.

Installation item: Forefront Endpoint Protection Console Extensions for Configuration Manager
Description: The Forefront Endpoint Protection extensions to the Configuration Manager management console add views to manage and monitor Forefront Endpoint Protection client deployments.

Installation item: Forefront Endpoint Protection Database
Description: An auxiliary database used by Forefront Endpoint Protection.

Installation item: Forefront Endpoint Protection Reporting role
Description: Provides historical reports on Forefront Endpoint Protection client malware activity and client protection status.

Installation item: Forefront Endpoint Protection Reporting database
Description: The database for storing Forefront Endpoint Protection client protection status and malware activity historical data.

Installation item: Forefront Endpoint Protection Security Client
Description: The Forefront Endpoint Protection client is installed for access to antimalware metadata.

The following items are installed during the installation of Forefront Endpoint Protection Site Server Extensions for Configuration Manager:
- The FEP Deployment package.
- The FEP Policies package.
- The FEP Operations package.
- Forefront Endpoint Protection Operations tasks are added to the Configuration Manager right-click context menu, and to the Actions pane for computer objects.
- Forefront Endpoint Protection desired configuration management configuration baselines and configuration items.
- Forefront Endpoint Protection related collections.
- Forefront Endpoint Protection client deployment and policy distribution reports are added to Configuration Manager reporting.

Forefront Endpoint Protection and High Availability

Forefront Endpoint Protection is installed on top of Configuration Manager and is dependent on the availability of the Configuration Manager services. The following items are Forefront Endpoint Protection server deployment recommendations for high availability:
- Use a clustered SQL Server for the Forefront Endpoint Protection reporting database.
- Use the System Center Operations Manager Forefront Endpoint Protection Monitoring Management Pack to monitor Forefront Endpoint Protection services.

About Configuration Manager Site Topologies and FEP 2010

Forefront Endpoint Protection can be deployed to a Configuration Manager stand-alone (single) site or to a hierarchical site environment. Installation of Forefront Endpoint Protection on secondary sites is not supported. For more information about Configuration Manager sites, see Understanding Configuration Manager Sites (http://go.microsoft.com/fwlink/?linkid=196956).

Single-Site Deployment

In a single-site Configuration Manager deployment, Forefront Endpoint Protection is installed on the Configuration Manager site server. The Configuration Manager administrator performs the following tasks from the Configuration Manager console:
- Create or modify Forefront Endpoint Protection policies.
- Assign Forefront Endpoint Protection policies to collections.
- Deploy Forefront Endpoint Protection clients to collections.
- Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard.
- Configure Forefront Endpoint Protection alerts.
- Assign the Forefront Endpoint Protection Desired Configuration Management baselines to collections.

Hierarchical Deployment

In a hierarchical Configuration Manager deployment, there is a parent site that has one or more sites (children) attached to it in the hierarchy. A parent site contains pertinent information about its lower-level sites and can control many operations at the child sites. A site that has no parent site is known as a central site. For more information about planning and deploying Configuration Manager, see Planning and Deploying the Server Infrastructure for Configuration Manager 2007 (http://go.microsoft.com/fwlink/?linkid=196960).
Forefront Endpoint Protection can be installed in the following combinations:
- Parent and child sites
- Parent site
- Child sites

The administrative control requirements determine where Forefront Endpoint Protection should be installed:
- For centralized policy creation and control, install Forefront Endpoint Protection on the parent site. When Forefront Endpoint Protection is also installed on the child sites, policies are replicated from the parent site to the child sites.
- Installing Forefront Endpoint Protection on the child sites allows the administrator to view the FEP dashboard when connected to the child site via the Configuration Manager console.