Using the FEP Best Practices Analyzer

Updated: January 1, 2011

Applies To: Forefront Endpoint Protection

The Forefront Endpoint Protection Best Practices Analyzer (BPA) includes checks to scan both Forefront Endpoint Protection (FEP) and Configuration Manager for configuration problems, missing dependencies, incorrect settings, or other issues that could adversely affect the health of your FEP installation.

  • The FEP BPA checks are based on the Microsoft Baseline Configuration Analyzer (MBCA) version 2.0. In order to run the FEP BPA, you must download and install the MBCA.

  • The MBCA requires Windows PowerShell 2.0. Windows PowerShell 2.0 is included with Windows Server 2008 R2, but must be installed for Windows Server 2008 or Windows Server 2003. To download Windows PowerShell 2.0, see Microsoft Knowledge Base article 968929.

  • You must run MBCA and the FEP MBCA checks on the Configuration Manager server on which you installed FEP.
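The prerequisites above can be verified from a Windows PowerShell prompt before you install the FEP BPA. The following script is an added example, not part of the FEP BPA or the original article; the DisplayName patterns and the SMS_EXECUTIVE service name it uses to detect MBCA, FEP, and a Configuration Manager site server are assumptions.

```powershell
# Added example, not part of the FEP BPA. Assumptions: the DisplayName
# patterns and the SMS_EXECUTIVE service name used to recognise the products.

function Get-InstalledProduct {
    param([string]$NamePattern)
    # Search both the native and the 32-bit-on-64-bit uninstall registry views.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }
}

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    # Add-Member keeps the property order and avoids 2.0-only syntax.
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Check  $Check
    $o | Add-Member NoteProperty Passed $Passed
    $o | Add-Member NoteProperty Detail $Detail
    $o
}

function Test-FepBpaPrerequisite {
    # $PSVersionTable is not defined on Windows PowerShell 1.0.
    $psMajor = 1
    if ($PSVersionTable) { $psMajor = $PSVersionTable.PSVersion.Major }

    $mbca = @(Get-InstalledProduct 'Microsoft Baseline Configuration Analyzer*')
    $fep  = @(Get-InstalledProduct '*Forefront Endpoint Protection*')
    $site = Get-Service -Name 'SMS_EXECUTIVE' -ErrorAction SilentlyContinue

    New-CheckResult 'Windows PowerShell 2.0 or later' ($psMajor -ge 2) "Major version $psMajor"
    New-CheckResult 'MBCA installed' ($mbca.Count -gt 0) "$($mbca.Count) matching product(s)"
    New-CheckResult 'FEP product entries present' ($fep.Count -gt 0) "$($fep.Count) matching product(s)"
    New-CheckResult 'Configuration Manager site server' ($site -ne $null) 'Looks for the SMS_EXECUTIVE service'
}

Test-FepBpaPrerequisite | Format-Table -AutoSize
```

Any row with Passed set to False points to a prerequisite to resolve before running the FEP BPA on that server.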

  1. After you download the FEP BPA, copy it to your Configuration Manager server, and then double-click fepBPASetup.msi.

  2. In the FEP 2010 Best Practices Analyzer Setup wizard, select the I accept the terms in the license agreement check box, click Next, and then click Finish.

The FEP BPA includes configuration checks for various Configuration Manager features, as well as FEP dependencies and prerequisites that are important to FEP health.

The following table lists the check categories and describes some of the checks included with this release of the FEP BPA.


| FEP BPA check category | Description |
| --- | --- |
| SQL Server checks | Reviews the status and configuration of the computers running SQL Server that host the FEP databases. |
| Configuration Manager Desired Configuration Management checks | Reviews the DCM checks that are used to populate the FEP dashboard, ensures they are assigned to collections, and checks to make sure that the configuration items for FEP are not corrupted or missing. |
| Package, policy, and advertisement checks | Reviews FEP packages, policies, and advertisements to make sure that the correct number exist (no defaults have been deleted) and that they are correctly assigned. |
| Alert checks | Reviews the number of FEP alerts to make sure that they are assigned to collections correctly and that the SMTP port is correctly assigned (for e-mailing of alerts). |
| Events and general FEP configuration checks | Collects and displays information for recent FEP errors and events, as well as some registry settings and a list of the FEP files installed on the computer. |
| Configuration Manager configuration checks | Reviews the status and configuration of the Configuration Manager installation and services important to the health of FEP. |