Setup a collection, policy, and replace Forefront Client Security (FCS) with Forefront Endpoint Protection (FEP) using ConfigMgr

In this blog I’m going to setup a collection for domain controllers, create a FEP policy, apply that policy to the new collection, and replace FCS with FEP on a domain controller.

When you DCPromo a server to a domain controller by default it goes in the domain controllers OU.  Based off of that I’m going to create a ConfigMgr collection to look at objects in that OU.

screenshot.11

I’ll name my new collection domain controllers and give it a comment.

screenshot.13

For the criterion properties I’m going to get a list of values and choose System Resource – System OU Name as in “ADAM.LOCAL/DOMAIN CONTROLLERS”.

screenshot.14

Below is what the criteria will look like.

screenshot.15

If you want the query language it’s below.  Of course you’ll change the domain name for your domain.

screenshot.16

We want to update this collection on a schedule and we want it to dynamically add new resources.  You can’t expect someone to add a domain controller to the collection when they stand one up but this will guarantee it will be added to the collection as long as it’s in the proper OU.

screenshot.17

No advertisements yet.

screenshot.18

Defaults should be fine for most cases.

screenshot.19

Done.

screenshot.20

You’ll now see the only DC in my lab environment in the domain controllers collection.  If I add a second DC in the future based off the schedule and settings it should automatically go into the collection as long as it’s in the domain controllers OU.  By default it should be unless you have someone in your org moving things around.  I sure hope not.

screenshot.21

The next step is to create a FEP policy for the domain controllers in the domain controllers collection.

We need to get to the policies node on the left side to create a new policy.

screenshot.27

We’re going to name it domain controllers since this policy will be used for all of the domain controllers.  It’s recommended to put a description.

screenshot.22

We’re going to choose a policy template.  These templates are created by Microsoft as best practices for settings and exclusions based on the role of a server.  I tend to disagree with some settings so I’ll change them later but I’m very happy Microsoft has templates now based on server roles rather than have to create each one from an article.  We’re going to choose FEP domain controller including defaults.

screenshot.23

Just telling you what it’s doing.

screenshot.24

Done!

screenshot.25

Now you’ll see your newly created policy for domain controllers in the policies area.  Changing the settings is out of the scope of this blog but if you do change the settings it DOES NOT change the template, just that policy.  I’m going to save that for another blog.

screenshot.26

Now I bet you want to apply that policy to the domain controllers collection right?  So do I.

Right click on your newly created policy and click assign policy.

screenshot.28

Click add to browse the collections, double click to add, and your selected collection should be there.  If you want you can include sub collections but for this collection there shouldn’t be any sub collections.

screenshot.29

After you click OK you can verify it was advertised.  See the screenshot for location and example.

screenshot.30

Looking at the properties of the domain controllers collection it’s a done deal!  At this point ConfigMgr will try to apply this policy to your domain controllers and fail.  This is because FEP isn’t installed yet.  It’s ok to let it fail.  It won’t modify or change anything with the domain controllers or current antivirus.

screenshot.31

The next step is uninstalling FCS and installing FEP.  This will be simple because FEP will uninstall FCS and the MOM version it installed.  It should also uninstall other AV products.  I’ve already seen issues of FEP not doing this because of tamper protection, uninstall passwords, and Live Update not getting uninstalled and FEP seeing it as a conflicting product.  Since my lab is FCS all I should have to do is deploy FEP to the Domain Controller and it should do the rest.

As you can see when you install FEP it already creates the deployment package.

screenshot.32

Let’s go ahead and create a new Advertisement to deploy FEP

screenshot.33

OOPS.  When FEP got installed it created the package but didn’t copy it to any distribution points.  I’m going to cancel out and do that now.

screenshot.34

OK, the package is copied to the distribution points.  Let’s try this again.

screenshot.35

We want this mandatory so as soon as possible.

screenshot.36

Blah.

screenshot.37

Blah.

screenshot.38

Blah.

screenshot.39

almost…………

screenshot.40

Done!

screenshot.41

I’m going to get a cup of coffee.  By the time I get back my domain controller should have uninstalled FCS and should be running FEP.  By default ConfigMgr clients check in every 60 minutes but in my lab they check in every 10 minutes.

BTW MOM gets uninstalled first then FCS before FEP installs.

You can see FEPinstall.exe is running.

screenshot.43

Hey look at that, FEP is installed and updating.

screenshot.44

Now more than likely you’re get the please restart windows.  The users can decide what to do from here.  This is just the default install so it’s doing default things.

screenshot.45

Let’s re-advertise the script to update the policies now that FEP is installed.  If FEP isn’t installed publishing a policy to a computer won’t do anything like install FEP or break your current anti-virus.

Done and the domain controller now has the domain controller FEP policy.  The Program Error (MIF) was because FEP was not installed on the DC when the policy was deployed to it.  A rerun of the advertisement updates it.  Remember rerun your advertisement if you make a policy change so the clients get the change.

screenshot.46

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s