These are brief notes on how configure ForeFront Endpoint Protection (FEP) 2010 to work with System Center Configuration Manager (SCCM) 2007 R2 and set the FEP client to receive definition updates from the SCCM server.

Install the FEP 2010 prerequisites on the SCCM http://technet.microsoft.com/en-us/library/ff823830.aspx

Install FEP on the server.  I chose a Basic installation as I wanted all components to install on to the SCCM server.

I wanted the FEP updates to be controlled by SCCM, so installed this hotfix http://support.microsoft.com/kb/2597508

Next I downloaded the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1 http://blogs.technet.com/b/clientsecurity/archive/2011/11/03/how-to-use-the-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx

Follow the instructions at the link above under the section “How to Configure Configuration Manager for Forefront Endpoint Protection Update and Create Deployment Package and Assignment”  This creates a Deployment Package and Assignment to install the FEP definition updates.

To schedule the update of the FEP definition package with the latest definitions follow the instructions under the section “How to Use Definition Update Automation Tool with Task Scheduler”.

Open your FEP policy and in the Updates tab tick “Use Configuration Manager as the primary source of definition updates”

As I configured the FEP updates to be controlled by SCCM, when the FEP client is first installed the icon turns red because the definitions are out of date.  If you leave the client, it will eventually have the latest definitions pushed to it by SCCM.  However, I wanted to have protection from installation.  In order to get this working I enabled automatic approval of the FEP updates within WSUS.  Using the FEP policy you’re able to tell FEP to go to WSUS for updates if the definitions are older than x days.

To configure WSUS, open the WSUS console from Administrative Tools and navigate to Options.  Open Automatic Approvals, click New Rule and configure it as below.  WSUS will now automatically download FEP updates and they’ll be available to FEP clients via the policy.

If you still have issues with the FEP client updating after installation e.g. when deploying as part of an SCCM operating system task sequence, you can force a definition from a file share.  Setup a script to download the definitions to a share and schedule it to run daily using Task Scheduler.  These two posts provide information on how to create the script: http://blogs.technet.com/b/clientsecurity/archive/2010/09/16/using-a-script-to-automate-unc-definition-updates.aspx http://technet.microsoft.com/en-us/library/gg398041

In the SCCM task sequence add a reboot task after FEP has been installed.  Configure the reboot step to reboot into the currently installed operating system

Next, add a Command Line step.  Update the share path to match the location of the FEP definitions in your environment.  This will run a manual definition update from the file share.