Archive for the ‘FEP 2010’ Category

New Test Lab Guide: Forefront Endpoint Protection 2010

July 25th, 2012

Microsoft’s own Kevin McKinnerney just published a new test lab guide on FEP 2010. This Test Lab Guide (TLG) extends the Base Configuration and System Center Configuration Manager 2007 test lab to include Forefront Endpoint Protection 2010. It includes both instructions for installing Forefront Endpoint Protection 2010 Server on a ConfigMgr 2007 server and distributing the Forefront Endpoint Protection 2010 Client.

This paper contains instructions for setting up a test lab based on the Microsoft Forefront Endpoint Protection 2010 Test Lab Guide and deploying Microsoft Forefront Endpoint Protection 2010 using one server computer and one client computer. The resulting Microsoft Forefront Endpoint Protection 2010 test lab demonstrates simple Forefront Endpoint Protection 2010 functionality.

For all the details and a download link please see the following:

Test Lab Guide: Forefront Endpoint Protection 2010 (http://www.microsoft.com/en-us/download/details.aspx?id=30396)

J.C. Hornbeck | System Center & Security Knowledge Engineer

App-V Team blog: http://blogs.technet.com/appv/
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/

The Forefront Server Protection blog: http://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Forefront Endpoint Protection 2010 support statement for SQL Server 2012

May 10th, 2012

Forefront Endpoint Protection 2010 now supports upgrading an existing Forefront Endpoint Protection database and reporting database to Microsoft SQL Server 2012.

To use SQL Server 2012 with Forefront Endpoint Protection 2010, you must upgrade the existing instance of SQL Server from SQL Server 2008 or SQL Server 2008 R2.  It is not supported to install new Forefront Endpoint Protection components on an existing or new instance of SQL Server 2012.

Before you can use Forefront Endpoint Protection 2010 with Microsoft SQL Server 2012, you must install the following update on the server running Forefront Endpoint Protection.

Forefront Endpoint Protection data warehouse and reports fail to get new data on SQL Server 2012: http://support.microsoft.com/kb/2683558

J.C. Hornbeck | System Center & Security Knowledge Engineer

Categories: FEP 2010, SQL 2012, Support Statement

FEP 2010 antimalware definition updates are not deployed as expected via an Automatic Deployment Rule in System Center 2012 Configuration Manager

May 7th, 2012

Hi everyone, Peter Gallagher here and I wanted to talk about one of the new features in System Center 2012 Configuration Manager (ConfigMgr). The feature is the ability to automatically deploy software updates to clients and it can be utilized to automatically deploy Forefront Endpoint Protection 2010 antimalware definition updates to ConfigMgr clients. For more information on deploying Forefront Endpoint Protection 2010 with Configuration Manager as well as how to create an Automatic Deployment Rule for Forefront Endpoint Protection 2010 antimalware definition updates, please see the following: http://technet.microsoft.com/en-us/library/hh508770.aspx.

The issue I wanted to talk about was one where after following http://technet.microsoft.com/en-us/library/hh508770.aspx, antimalware definition updates may not be automatically deployed to clients as expected.

When this occurs, per the UpdatesDeployment.log and WindowsUpdate.log on the client, other software updates may be deployed successfully, but examining the UpdatesDeployment.log on the client shows that the client is not detecting Forefront Endpoint Protection 2010 as a product. The only indication of an error or problem will be the status of Forefront Endpoint Protection 2010 antimalware definition updates in the Windows Security Center on the client or the Configuration Manager console.

This issue can occur if the product “Forefront Endpoint Protection 2010” is not selected on the Software Update Point Component in Configuration Manager. An Automatic Deployment Rule in System Center 2012 Configuration Manager DOES NOT verify that the corresponding products or classifications that are selected are also selected on the Software Update Point itself.

To resolve this issue perform the following:

1. On the Central Administration Server (CAS), navigate to Administration\Overview\Site Configuration\Sites.

2. In the results pane on the right, highlight the servername that has the type of “CAS”. If you have a single server install, highlight the server listed.

3. In the ribbon at the top, click Configure Site Components and in the dropdown select Software Update Point.

4. Select the Products tab and then place a check next to Forefront Endpoint Protection 2010.

5. Review the Languages/Classifications tabs to ensure that the items selected in the Automatic Deployment Rules are also selected on the properties of the Software Update Point. Click OK when complete. There is no need to manually initiate a synchronization as Configuration Manager will detect a change (step 4 above) and automatically start a synchronization.

Note that this example is specific to Forefront Endpoint Protection 2010 antimalware definition updates, however the process applies to any Automatic Deployment Rule in System Center 2012 Configuration Manager. If a product/classification is selected in an Automatic Deployment Rule, the corresponding product/classification must be selected in the Software Update Point configuration screen.

Peter Gallagher | System Center Support Engineer
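
One way to audit the mismatch described in this post across every Automatic Deployment Rule, as an added example (not code from the original post or from Microsoft): it compares the products and classifications each rule selects with those subscribed on the Software Update Point. `$SiteCode` and `$ProviderServer` are parameters introduced here, and the layout of the rule XML noted in the comments is an assumption.

```powershell
# Added example: list ADR product/classification selections that are not
# subscribed on the Software Update Point. Needs read access to the SMS Provider.
param(
    [Parameter(Mandatory = $true)][string]$SiteCode,   # hypothetical parameter: your site code
    [string]$ProviderServer = $env:COMPUTERNAME        # hypothetical parameter: SMS Provider host
)
$ns = "root\SMS\site_$SiteCode"

# Index every update category by unique ID ('Product:<guid>', 'UpdateClassification:<guid>').
$categories = @{}
Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_UpdateCategoryInstance |
    ForEach-Object { $categories[$_.CategoryInstance_UniqueID] = $_ }

$findings = @(
    foreach ($adr in Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_AutoDeployment) {
        $adr.Get()                      # UpdateRuleXML is a lazy property; fetch the full instance
        $rule = [xml]$adr.UpdateRuleXML

        # Assumption: the rule stores its filters as UpdateXMLDescriptionItem elements
        # whose PropertyName is _Product or _UpdateClassification.
        $items = @($rule.UpdateXML.UpdateXMLDescriptionItems.UpdateXMLDescriptionItem |
            Where-Object { '_Product', '_UpdateClassification' -contains $_.PropertyName })

        foreach ($item in $items) {
            foreach ($raw in @($item.MatchRules.string | Where-Object { $_ })) {
                $id  = $raw.Trim().Trim("'")    # IDs are wrapped in single quotes in the XML
                $cat = $categories[$id]
                if (-not $cat -or -not $cat.IsSubscribed) {
                    New-Object PSObject -Property @{
                        Rule     = $adr.Name
                        Type     = $item.PropertyName.TrimStart('_')
                        Category = if ($cat) { $cat.LocalizedCategoryInstanceName } else { $id }
                    }
                }
            }
        }
    }
)

if ($findings.Count -eq 0) {
    'Every product and classification used by an ADR is selected on the Software Update Point.'
} else {
    'Selected in an ADR but NOT on the Software Update Point:'
    $findings | Sort-Object Rule, Type, Category | Format-Table Rule, Type, Category -AutoSize
}
```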

Forefront Endpoint Protection 2010 Update Rollup 1

 By Adwait Joshi

Hello,

An Update Rollup for Forefront Endpoint Protection 2010 is now available here: http://go.microsoft.com/fwlink/?LinkId=223229.

In addition to hotfixes, this Update also includes some important changes to note:

  1. Support for Windows Embedded 7 platforms:  With this update, the FEP client software is supported on certain Windows Embedded 7 platforms (including Windows Thin PC) and Windows Server 2008 Server Core.  For more information about the additional support, see Prerequisites for Deploying Forefront Endpoint Protection on a Client Computer.
  2. Signature Update Automation Tool used with Configuration Manager Software Update:  This tool automates downloading FEP definition updates using Configuration Manager 2007 Software Updates.  This is a command line tool that uses Configuration Manager APIs to get new definitions from Microsoft Update via the Configuration Manager software update feature, distribute the content to distribution points, and deploy the updates to Endpoint Protection clients on a recurring schedule.  The automation of the tool is done through the Windows task scheduler. To download the tool, see http://go.microsoft.com/fwlink/?LinkID=221205
  3. Two new preconfigured policy templates for the following server workloads:
    1. Microsoft Forefront Threat Management Gateway
    2. Microsoft Lync 2010

You can find more details in the “What’s New” document on the TechNet site. Please check out this KB article for a full list of fixes included in this Update Rollup.

Thanks,

Adwait Joshi

Sr. Technical Product Manager

Forefront Endpoint Protection

Forefront Endpoint Protection (FEP) 2010: FEP Reports may not display properly

From Angela Latimer, CSS

If you are using Forefront Endpoint Protection (FEP) 2010, you may have tried running one of the three default FEP reports and noticed that not all areas or sub-reports display properly. You may see an error in processing the reporting data or retrieving the data, similar to the error displayed below:

[Screenshot: error while trying to run the Antimalware Activity Report]

We found this error was due to the installed version of Microsoft SQL Server not being up-to-date with the latest Cumulative Update package. Cumulative Update packages contain hot fixes that address issues in the currently installed version of Microsoft SQL Server which may be versions ranging from Release to Manufacturing (RTM), Service Pack (SP), or Feature Release (R).

In digging into the details of the error related to FEP reports not displaying properly, we found the following errors in the System Center Configuration Manager Console and/or in the %drive%:\Program Files (x86)\Microsoft Configuration Manager\Logs\SRSRP.log file, reporting Error ID 7403 related to the health of SRS Reporting Point thread:

STATMSG: ID=7403 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_SRS_REPORTING_POINT" SYS= SITE= PID=2880 TID=5572 GMTDATE=Wed Oct 21 17:57:26.302 2009 ISTR0="HACM01" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)
Failures reported during periodic health check by the SRS Server . Will retry check in 57 minutes SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)

In the two environments we discovered this issue, Microsoft SQL Server 2008 and SQL Server 2008 R2 were running, but had NOT had the Cumulative Update package installed. As soon as this update was installed, the FEP reports began displaying properly.

At the time of this blog, these are the most current Cumulative Update Packages for Microsoft SQL Server 2008 and 2008 R2. However, you should do a Bing search to ensure you are always installing the latest version.