Forefront Endpoint protection Basic Configuration Step By Step
in ” Forefront Endpoint protection installation Step By Step ” we seen how to install FEP in this post we will see how to make basic configuration .
so we will do
- Policy Deployment
- Client deployment with Enforced installation
- Client update Using file share
Policy Deployment
we start by navigating to forefront endpoint protection
and we create new policy
A-Desktop policy
next step we have to assign the policy to a collection 
and we done
B-Server(s) policy
Microsoft had added lot of templates almost for all server types
so we follow the same path as the desktop policy but with the following differences
for vanilla server policy we choose the default policy for servers
and that’s the policy’s
Client deployment with Enforced installation
we need to create and advertisement for the package
so we add a a distribution point for all our FEP packages (the nearest as possible to the clients if it was over wan
make sure that the package installed (copied ) to the DP
we create advertisement
we navigate to advertisements and we change the priority to high
next we do the same for servers collections and locally removed
Note: for locally removed please use “Always rerun program”
please note that You can assign multiple policies to a Configuration Manager collection and a computer can be a member of multiple collections that have a policy assigned. The Forefront Endpoint Protection client uses policy precedence to determine which policy to apply. The policy with the highest precedence assigned to the computer is applied by the Forefront Endpoint Protection client.
we can also use GPO to deploy the policy but this is for advanced configurations (about100 option )
Client update Using file share
note: you should always try to use WSUS as your update server personally I use only file share for the first deployment because the first update is about 30 to 100M and the daily update about 1M
we create a folder called updates (must be named updates ) with the following as subfolder
x64
x86
each folder should have this two files
- Mpam-fe.exe
- Nis_full.exe
note : make sure everyone have read access on both share permissions and also security permissions
you can get both files from
Download the required files from the following locations:
For x64:
- Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0×409&arch=x64 )
- Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197094)
For x86:
- Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0×409&arch=x86 )
- Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197095 )
now we just go to our policy’s and change its configuration
