Enforcing the Client Software Deployment

Updated: January 1, 2011

Applies To: Forefront Endpoint Protection

If the users of the computers to which you deployed FEP have administrative privileges on those computers, they will be able to uninstall the FEP client software. If this happens, those client computers would be unprotected from malware and other unwanted software.

Security Note:
It is recommended that you restrict to whom you grant administrative privileges on the client computers in your organization. Additionally, you should investigate how the FEP client software was uninstalled on the client computers.

To mitigate this, you can configure Configuration Manager to rerun an advertisement of FEP on a specific collection. By configuring the advertisement to always rerun, you reduce the amount of time that computers in your environment run without protection.

To complete the mitigation, you must perform the following tasks:

  • Create a FEP deployment package to reinstall the FEP client software on the members of the target collection.

  • Configure the advertisement of the reinstall package to rerun.

  • Assign the reinstall package to one or more collections. For more information about deploying the FEP client software by using packages, see Deploying by Using Configuration Manager Packages.

There are multiple ways to mitigate this scenario. The Locally Removed collection contains all computers from which the client software was locally uninstalled, including servers and high-priority client computers. You should determine if you need to rerun the advertisement on all collection members or if you need to target your rerun advertisement only on specific computers.

Deploying the FEP Client Software to a FEP Collection

One of the preconfigured collections created by the Forefront Endpoint Protection installation on Configuration Manager is the FEP Collections\Deployment Status\Locally Removed collection. Computers listed in this collection previously had the FEP client software installed, but it was locally uninstalled.

If you remove the FEP client software by using an advertisement of the FEP Deployment Uninstall package, the client computers that receive the advertisement do not appear in the Locally Removed collection.

You can create a new collection containing the members of the Locally Removed collection, and then target the members of the new collection with software distribution and an advertisement.

To create a reinstall advertisement

  1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Collections, expand FEP Collections, and then expand Deployment Status.

  2. In the tree, click Locally Removed.

  3. In the details area, select the computers on which you want to reinstall the FEP client software, right-click a selected computer, point to Distribute, and then click Software.

  4. In the Distribute Software to Resource Wizard, on the Welcome page, click Next.

  5. On the Package page, click Select an existing package, click Browse, click the Microsoft Corporation FEP – Deployment 1.0 package, click OK, and then in the wizard, click Next.

  6. On the Distribution Points page, in the Distribution points list, select the check box next to the distribution points to which you want to copy the package, and then click Next.

  7. On the Select Program page, in the Programs list, select the Install program, and then click Next.

  8. On the Advertisement Target page, select the option for Create a new collection containing this resource and advertise this program to the new collection, and then click Next.

  9. On the New Collection page, type a name for the collection, and then click Next.

  10. On the Collection Membership Rules page, in the membership rules list, ensure all the required computers are listed, and then click Next.

  11. On the Advertisement Name page, type a name for the advertisement, and then click Next.

    Advertisement names are limited to 100 characters.

  12. On the Advertisement Subcollection page, select the Advertise the program to members of the collection and its subcollections option, and then click Next.

  13. On the Advertisement Schedule page, next to Advertise the program after, set the time to the current time, select the No, this advertisement never expires option, and then click Next.

  14. On the Assign Program page, select the Yes, assign the program option, select the Ignore maintenance windows when running program check box, and then click Next.

  15. On the Summary page, review the Details, click Next, and then on the Wizard Completed page, click Close.

You should monitor the deployment status for the client computers in the new collection. After the advertisement has been assigned to the computers in this new collection, the computers are moved into the Pending Deployment FEP collection. This is the same process that happens after you deploy the FEP client software initially. For more information about that process, see Validating Deployment.
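The wizard above does not show the resulting advertisement settings in one place, so the following added script (not part of the FEP documentation or product) audits the reinstall advertisement through the SMS Provider over WMI and reports how many computers are currently in the Locally Removed collection. It assumes a Configuration Manager 2007 site whose SMS Provider you can reach, the advertisement name you typed in step 11, and the SMS_Advertisement flag bit values as defined in the Configuration Manager 2007 SDK (verify them against your copy of the SDK).

```powershell
# Added audit script; assumes a ConfigMgr 2007 SMS Provider and the SDK's SMS_Advertisement bit values.
param(
    [Parameter(Mandatory = $true)] [string] $SiteServer,        # host running the SMS Provider
    [Parameter(Mandatory = $true)] [string] $SiteCode,          # three-character site code
    [Parameter(Mandatory = $true)] [string] $AdvertisementName  # name entered in step 11
)
$ns = "root\sms\site_$SiteCode"

# Bit values from the ConfigMgr 2007 SDK (SMS_Advertisement); assumed, verify against the SDK.
$RERUN_ALWAYS             = 0x00000800   # RemoteClientFlags: "Always rerun program"
$RERUN_NEVER              = 0x00001000   # RemoteClientFlags: "Never rerun advertised program"
$OVERRIDE_SERVICE_WINDOWS = 0x00100000   # AdvertFlags: "Ignore maintenance windows when running program"

$adv = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Advertisement `
        -Filter "AdvertisementName='$AdvertisementName'"
if (-not $adv) { throw "Advertisement '$AdvertisementName' not found in $ns" }

# Resolve the package and collection the advertisement targets.
$pkg = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Package `
        -Filter "PackageID='$($adv.PackageID)'"
$col = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
        -Filter "CollectionID='$($adv.CollectionID)'"

# Compare the advertisement with the settings chosen in the wizard (steps 5, 7, 12, 13, 14).
$findings = @()
if ($pkg.Name -notlike '*FEP*Deployment*' -or $adv.ProgramName -ne 'Install') {
    $findings += "advertises '$($pkg.Manufacturer) $($pkg.Name) $($pkg.Version)' / '$($adv.ProgramName)', expected the FEP Deployment package's Install program"
}
if (($adv.RemoteClientFlags -band $RERUN_ALWAYS) -eq 0)       { $findings += "rerun behavior is not 'Always rerun program'" }
if (($adv.RemoteClientFlags -band $RERUN_NEVER) -ne 0)        { $findings += "rerun behavior is set to never rerun" }
if (-not $adv.AssignedScheduleEnabled)                        { $findings += "program is not assigned (not mandatory)" }
if (($adv.AdvertFlags -band $OVERRIDE_SERVICE_WINDOWS) -eq 0) { $findings += "maintenance windows are not ignored" }
if ($adv.ExpirationTimeEnabled)                               { $findings += "advertisement has an expiration time" }
if (-not $adv.IncludeSubCollection)                           { $findings += "subcollections are not targeted" }

# Count computers currently flagged as locally removed so that new uninstalls are visible.
$removed = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
             -Filter "Name='Locally Removed'")
$members = @()
if ($removed.Count -gt 0) {
    $members = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_FullCollectionMembership `
                 -Filter "CollectionID='$($removed[0].CollectionID)'")
}

"Advertisement $($adv.AdvertisementID) -> collection '$($col.Name)' ($($col.CollectionID))"
"Computers currently in 'Locally Removed': $($members.Count)"
if ($findings.Count -eq 0) { "OK: reinstall advertisement matches the recommended settings" }
else { $findings | ForEach-Object { "WARN: $_" } }
```

Run it on a schedule from the site server and treat any WARN line, or a non-zero Locally Removed count that does not shrink, as a prompt to check the advertisement status under Validating Deployment.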