Forefront Endpoint Protection Client

Applies To: Forefront Endpoint Protection

Forefront Endpoint Protection client deployment refers to the installation and configuration of the Forefront Endpoint Protection client software in your enterprise. Before deploying the client software to computers in your production environment, learn about the deployment process (for more information, see Client Deployment), create a deployment plan based on your organization’s security requirements, and test your plan in a lab environment. Once you are confident in your plan, deploy the Forefront Endpoint Protection client software in your production environment.

When planning your deployment, take into consideration the information in the following sections.

Policies

Create Forefront Endpoint Protection policies to match your organization's security settings and apply them to Forefront Endpoint Protection clients. For more information, see About Configuring Clients by Using Policies.

System Requirements

Before deploying the Forefront Endpoint Protection client software, make sure that your client computers meet the minimum system requirements for installation. For more information, see Prerequisites for Deploying Forefront Endpoint Protection on a Client.

The Forefront Endpoint Protection client software requires that you install a Network Inspection System hotfix on client computers running one of the following operating systems:

  • Windows Vista Service Pack 1 (SP1)

  • Windows Vista Service Pack 2 (SP2)

  • Windows 7

  • Windows Server 2008

  • Windows Server 2008 Service Pack 2 (SP2)

  • Windows Server 2008 R2

If this hotfix is not already installed on the computer, the Forefront Endpoint Protection client deployment package installs it. Since this hotfix requires the computer to be restarted, consider downloading hotfix KB981889 (https://go.microsoft.com/fwlink/?LinkID=204112) and deploying it to client computers before deploying the Forefront Endpoint Protection client.

Note

The Network Inspection System (NIS) on the Forefront Endpoint Protection client does not function until the client computer is restarted; however, the antimalware protection functions as normal without a computer restart.
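
The following pre-deployment check is an added example, not part of the original documentation. It reports which computers run one of the operating systems listed above and still lack hotfix KB981889, so that the hotfix and its restart can be scheduled before the client is deployed. The function name Test-NisHotfixRequired is hypothetical, and the script assumes PowerShell 2.0 or later, WMI access to each target, and that the hotfix is reported through Win32_QuickFixEngineering (the source Get-HotFix reads).

```powershell
# Added example: find computers that still need the NIS hotfix before FEP deployment.
# Assumptions: PowerShell 2.0+, WMI reachable on each target, and the hotfix being
# listed in Win32_QuickFixEngineering (what Get-HotFix queries).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$HotfixId = 'KB981889'

function Test-NisHotfixRequired {
    # Hypothetical helper. True for the operating systems the page lists:
    # Windows Vista SP1/SP2 and Windows Server 2008 (version 6.0, SP1 or later),
    # Windows 7 and Windows Server 2008 R2 (version 6.1).
    param([string]$Version, [int]$ServicePack)
    if ($Version -like '6.1.*') { return $true }
    if ($Version -like '6.0.*' -and $ServicePack -ge 1) { return $true }
    return $false
}

$report = foreach ($computer in $ComputerName) {
    $caption = $null
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        $caption = $os.Caption
        if (-not (Test-NisHotfixRequired $os.Version $os.ServicePackMajorVersion)) {
            $status = 'OS is not in the list that needs the hotfix'
        }
        elseif (Get-HotFix -Id $HotfixId -ComputerName $computer -ErrorAction SilentlyContinue) {
            $status = 'Hotfix present'
        }
        else {
            # FEP setup would install the hotfix itself; NIS stays inactive until restart.
            $status = 'Hotfix missing: deploy it and restart before installing the client'
        }
    }
    catch {
        # Unreachable or access-denied hosts are reported, not silently skipped.
        $status = "Query failed: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Computer = $computer; OperatingSystem = $caption; NisHotfix = $status
    }
}

$report | Select-Object Computer, OperatingSystem, NisHotfix | Format-Table -AutoSize
```

Computers reported as "Query failed" have an unknown hotfix state and should be rechecked before they are included in a deployment.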

Competitive Uninstall

The Forefront Endpoint Protection client deployment package checks for and uninstalls the existing antimalware client. For a list of antimalware clients that are uninstalled, see Prerequisites for Deploying Forefront Endpoint Protection on a Client.

The following is a list of issues that can interfere with uninstalling an existing antimalware client:

  • If the previously installed antimalware client has a tamper-protection feature enabled, for example, if the software is password protected, you need to disable that tamper protection before you can install Forefront Endpoint Protection. Otherwise, the Forefront Endpoint Protection installation program will not be able to uninstall the existing antimalware client. See the documentation for the previously installed antimalware client for information about tamper protection or other settings you may need to configure before you can successfully uninstall the software.

  • If the existing antimalware client is in use by another process when the Forefront Endpoint Protection installation program attempts to uninstall it, the uninstall can fail. In that case, the Forefront Endpoint Protection client is not installed.

  • If you use a mechanism to automatically distribute and install antimalware to your client computers, you need to disable automatic installation before you install Forefront Endpoint Protection. For example, if you use Windows Server Update Services (WSUS) to distribute Forefront Client Security (FCS) to your endpoints, before you install Forefront Endpoint Protection, you need to configure WSUS to not automatically reinstall FCS.

Forefront Endpoint Protection Client Deployment Options

The Forefront Endpoint Protection client software can be deployed to client computers in your organization in two ways. For more information on client deployment methods, see FEP 2010.

You can use Configuration Manager distribution to centrally manage and monitor the deployment of Forefront Endpoint Protection to client computers in your existing infrastructure. With this method, you can control to which Configuration Manager collections the client is deployed, and utilize the provided reports to determine deployment status or investigate information about computers on which the client failed to deploy and why.

If you are not using Configuration Manager, have computers that are not managed by Configuration Manager, or you prefer an alternative distribution method, you can manually deploy Forefront Endpoint Protection to client computers. In this scenario, you can apply Forefront Endpoint Protection policies using Setup command line switches. For more information on manually deploying Forefront Endpoint Protection with policies, see Deploying the Client Software by Using the Command Prompt.

Definition Updates

Configure the Forefront Endpoint Protection client software to check for updates from multiple sources. For more information, see Configuring Definition Updates.

| Definition update method | More information |
|---|---|
| Configuration Manager/WSUS | For more information about configuring WSUS for definition updates, see Software Updates and Windows Server Update Services Definition Updates. |
| Microsoft Update | For more information about configuring Microsoft Updates, see Microsoft Update Definition Updates. |
| File share | For more information about configuring a file share for definition updates, see File-Share-Based Definition Updates. |