Deploying Forefront Client Security Using SCCM 2007 - Step-By-Step
This is a Step-By-Step guide for using SCCM2007 to Deploy Forefront Client Security Client Agents.
1. Installed and configured FCS management server.
2. FCS Policy configured and deployed on client machines.
3. Windows Update policy Configured and deployed on client machines.
4. Client Installation Files (the Client directory on the installation CD) on a shared directory on the FCS server (only read permissions needed).
Creating the Installation Package
1. Open SCCM 2007 Console and then go to Computer Management -> Software Distribution -> and right click Packages -> New -> Package.
2. Configure all package details and click next.
3. On the Data Source tab, configure the data source as the file share you've created with the client setup files on the installation server. On the scheduling part, you can choose to leave it by default, or configure a schedule for updating the client package.
After finished with all the settings, click finish.
I've chosen 6 hours since I'm downloading the new definitions every days using a script and updating the installation package everyday to be installed with the newest definitions.
4. Now go back and expand the newly created package. The first thing we need to do is to configure a distribution point for the package. For that, right click the distribution points -> New Distribution points.
5. On the distribution points wizard, walk through the welcome screen and on to the Copy package window. Then select the specified distribution point you wish to distribute your package from (the default choice should be the SCCM server itself). Then click next and close.
6. The next phase is creating the program to run the clientsetup.exe. in order to that, go back to the SCCM console and expand the FCS package. Right click programs ->New -> Program.
7. On the general page, type a program name and comment and then configure the command line you need to run the clientsetup.exe with. It should be something like:
clientsetup.exe /CG ForefrontClientSecurity /MS fcsserver.domain.com.
On the Run selection, I recommend using hidden in order not to disturb your users while deploying FCS.
Then click next.
8. On the requirements page, enter a 350MB disk space limit (the limitation by FCS pre-requisites). Then limit the platforms this program can run upon: since we are currently building a package using the x86 client agent version, we need to select only x86 platforms. In addition, we cannot select all x86 2000 and XP since the FCS client is limited to 2000SP4 and XPSP2, so pay attention and check only the proper platforms.
Then click next.
9. On the Environment page, choose that program can run whether or not the user is logged on (which automatically checks the "Run with administrative rights" option.
Note: you should have configured by the administrative account used to install programs. If not, you can find more information about configuring SCCM accounts on: http://technet.microsoft.com/en-us/library/bb680323.aspx .
Then Click next.
10. Go through the Adavanced, Windows Installer ,MOM Maintenance and summery pages and click close.
Note: you configure things you want under advanced or mom maintenance if you wish, but this is not necessary.
Note: The package with just created is used for installing the x86 client agent. In case you have x64 platforms in your domain you need to repeat the process and create a x64 package. Just pay attention when choose the running platforms, only select the x64 systems.
Creating a Task Sequence to Removing existing AV solution and Deploy FCS Package
1. Open SCCM 2007 Console and then go to Computer Management -> Operating System and right click Task Sequence -> New -> Task Sequence.
2. On the create new task sequence page, select "Create a new custom task sequence" and click next.
3. On the task sequence informatino page, type the task sequence name choose the x86 boot image (or x64 – depends on your client agent deployment). Then click next and close.
4. Now go back to the console and on the task sequence window, right click the newly created task sequence and select edit.
5. Now we create the task sequence that will run on the client.
Click Add-> General run command line.
6. Fill in the proper details and on the command line, write the full path to the removal script.
Note: Some AV solutions require a reboot and won't let anything else get installed on the system after removing them before your reboot the system.
If your case is one of those, then after adding the remove XXX task, click Add -> General Restart Computer.
7. Now we need to add the FCS deployment package. Click add -> General -> Install software
8. Now feel the name and description of the Installation task and select install single application, click browse and select the FCS package your created earlier.
9. This phase is optional, although I recommend working through it since this is one of the greatest added values of deploying FCS using SCCM.
After configuring the SCCM WSUS Distribution Point settings and syncing with Microsoft Update, you need to be able to see Forefront Updates (hotfixes) in the Software Update Deployment part of the SCCM console.
Go to Computer Management -> Software Updates -> Update Repository -> Updates -> Microsoft -> Forefront Client Security.
10. Select the Updates that relate to FCS and right click -> Deploy Software Updates. Make sure you choose only updates named "Update for Microsoft Forefront Client Security" and not the "Client Update for Microsoft Forefront Client Security".
11. On the Software updates general page, type a name for the software update deployment and click next.
12. On the deployment template, click create new (unless you already have a deployment template you wish to use – then you can skip this step).
13. On the collection page, choose the collection where you wish to deploy forefront and click next.
14. On the Display/Time Settings, choose Suppress display notifications on client, client local time and set the deadline to 1 hour. Then click next.
15. On the Restart settings page, check the suppress restart on servers and workstation and click next.
16. Go through the Event Generation and Download Settings (leaving them in default settings) and on the create template, give a new name to the template and click next.
17. On the deployment Package page, name the newly created package and fill out the package source UNC (Specifies the location of the software update source files. When the deployment is generated, the source files are compressed and copied to the distribution points that are associated with the deployment package).
Note: The shared folder for the deployment package source files must be manually created before proceeding to the next page.
18. On the distribution points page, click browse and add your default Distribution point. Then click next.
19. On the download location page, choose from the internet and click next.
20. On the language selection page, select the relevant languages and click next.
21. Move thorugh the schedule, Nap evaluation and summery pages, and click close.
22. Now what we want to do is to add all the updates to the installation package and by that, making sure our clients are installed from the beginning with the most up-to-date version of all the client engines.
Go back to the task sequence you've created earlier and edit it. Click add -> General -> Install Software Updates.
23. Type the name for this task, choose mandatory software updates and click ok.
Note: another optional way of adding the updates to the package is downloading the update directly from Microsoft update catalog (http://catalog.update.microsoft.com/v7/site/Search.aspx?q=forefront), packaging them and adding them is an install software task in the task sequence.
Advertising the Task sequence
1. Go back to the SCCM console and right click the task sequence you created and choose advertise.
2. Fill the name and comment for the advertisement and choose the collection where you wish to distribute FCS. Then click next.
3. On the schedule page, select your preferred schedule for deployment. I usually work with "as soon as possible. Then click next.
4. On the distribution point page, select the Access content directly option and click next.
5. Go through the Interaction, Security and summery pages leaving everything in default settings and click close.
That’s it! You've deployed FCS using SCCM2007. Congratulations!