Deploying Forefront Client Security Using SCCM 2007 – Step-By-Step

20 בפברואר 2008

This is a Step-By-Step guide for using SCCM2007 to Deploy Forefront Client Security Client Agents.

Pre-Requisites:

1. Installed and configured FCS management server.

2. FCS Policy configured and deployed on client machines.

3. Windows Update policy Configured and deployed on client machines.

4. Client Installation Files (the Client directory on the installation CD) on a shared directory on the FCS server (only read permissions needed).

Creating the Installation Package

1. Open SCCM 2007 Console and then go to Computer Management -> Software Distribution -> and right click Packages -> New -> Package.
clip_image002

2. Configure all package details and click next.
clip_image004

3. On the Data Source tab, configure the data source as the file share you've created with the client setup files on the installation server. On the scheduling part, you can choose to leave it by default, or configure a schedule for updating the client package.
After finished with all the settings, click finish.
I've chosen 6 hours since I'm downloading the new definitions every days using a script and updating the installation package everyday to be installed with the newest definitions.
clip_image006

4. Now go back and expand the newly created package. The first thing we need to do is to configure a distribution point for the package. For that, right click the distribution points -> New Distribution points.
clip_image008

5. On the distribution points wizard, walk through the welcome screen and on to the Copy package window. Then select the specified distribution point you wish to distribute your package from (the default choice should be the SCCM server itself). Then click next and close.
clip_image010

6. The next phase is creating the program to run the clientsetup.exe. in order to that, go back to the SCCM console and expand the FCS package. Right click programs ->New -> Program.
clip_image012

7. On the general page, type a program name and comment and then configure the command line you need to run the clientsetup.exe with. It should be something like:
clientsetup.exe /CG ForefrontClientSecurity /MS fcsserver.domain.com.
On the Run selection, I recommend using hidden in order not to disturb your users while deploying FCS.
Then click next.
clip_image014

8. On the requirements page, enter a 350MB disk space limit (the limitation by FCS pre-requisites). Then limit the platforms this program can run upon: since we are currently building a package using the x86 client agent version, we need to select only x86 platforms. In addition, we cannot select all x86 2000 and XP since the FCS client is limited to 2000SP4 and XPSP2, so pay attention and check only the proper platforms.
Then click next.
clip_image016

9. On the Environment page, choose that program can run whether or not the user is logged on (which automatically checks the "Run with administrative rights" option.
Note: you should have configured by the administrative account used to install programs. If not, you can find more information about configuring SCCM accounts on: http://technet.microsoft.com/en-us/library/bb680323.aspx .
Then Click next.
clip_image018

10. Go through the Adavanced, Windows Installer ,MOM Maintenance and summery pages and click close.
Note: you configure things you want under advanced or mom maintenance if you wish, but this is not necessary.
clip_image020

Note: The package with just created is used for installing the x86 client agent. In case you have x64 platforms in your domain you need to repeat the process and create a x64 package. Just pay attention when choose the running platforms, only select the x64 systems.

Creating a Task Sequence to Removing existing AV solution and Deploy FCS Package

1. Open SCCM 2007 Console and then go to Computer Management -> Operating System and right click Task Sequence -> New -> Task Sequence.
clip_image022

2. On the create new task sequence page, select "Create a new custom task sequence" and click next.
clip_image024

3. On the task sequence informatino page, type the task sequence name choose the x86 boot image (or x64 – depends on your client agent deployment). Then click next and close.
clip_image026
clip_image028

4. Now go back to the console and on the task sequence window, right click the newly created task sequence and select edit.
clip_image030

5. Now we create the task sequence that will run on the client.
Click Add-> General run command line.
clip_image032

6. Fill in the proper details and on the command line, write the full path to the removal script.
clip_image034
Note:
Some AV solutions require a reboot and won't let anything else get installed on the system after removing them before your reboot the system.
If your case is one of those, then after adding the remove XXX task, click Add -> General Restart Computer.
clip_image036

7. Now we need to add the FCS deployment package. Click add -> General -> Install software
clip_image038

8. Now feel the name and description of the Installation task and select install single application, click browse and select the FCS package your created earlier.
clip_image040

9. This phase is optional, although I recommend working through it since this is one of the greatest added values of deploying FCS using SCCM.
After configuring the SCCM WSUS Distribution Point settings and syncing with Microsoft Update, you need to be able to see Forefront Updates (hotfixes) in the Software Update Deployment part of the SCCM console.
Go to Computer Management -> Software Updates -> Update Repository -> Updates -> Microsoft -> Forefront Client Security.
clip_image042

10. Select the Updates that relate to FCS and right click -> Deploy Software Updates. Make sure you choose only updates named "Update for Microsoft Forefront Client Security" and not the "Client Update for Microsoft Forefront Client Security".

11. On the Software updates general page, type a name for the software update deployment and click next.
clip_image044

12. On the deployment template, click create new (unless you already have a deployment template you wish to use – then you can skip this step).
clip_image046

13. On the collection page, choose the collection where you wish to deploy forefront and click next.
clip_image048

14. On the Display/Time Settings, choose Suppress display notifications on client, client local time and set the deadline to 1 hour. Then click next.
clip_image050

15. On the Restart settings page, check the suppress restart on servers and workstation and click next.
clip_image052

16. Go through the Event Generation and Download Settings (leaving them in default settings) and on the create template, give a new name to the template and click next.
clip_image054

17. On the deployment Package page, name the newly created package and fill out the package source UNC (Specifies the location of the software update source files. When the deployment is generated, the source files are compressed and copied to the distribution points that are associated with the deployment package).
Note: The shared folder for the deployment package source files must be manually created before proceeding to the next page.
clip_image056

18. On the distribution points page, click browse and add your default Distribution point. Then click next.
clip_image058

19. On the download location page, choose from the internet and click next.
clip_image060

20. On the language selection page, select the relevant languages and click next.
clip_image062

21. Move thorugh the schedule, Nap evaluation and summery pages, and click close.
clip_image064

22. Now what we want to do is to add all the updates to the installation package and by that, making sure our clients are installed from the beginning with the most up-to-date version of all the client engines.
Go back to the task sequence you've created earlier and edit it. Click add -> General -> Install Software Updates.
clip_image066

23. Type the name for this task, choose mandatory software updates and click ok.
clip_image068
Note: another optional way of adding the updates to the package is downloading the update directly from Microsoft update catalog (http://catalog.update.microsoft.com/v7/site/Search.aspx?q=forefront), packaging them and adding them is an install software task in the task sequence.

Advertising the Task sequence

1. Go back to the SCCM console and right click the task sequence you created and choose advertise.
clip_image070

2. Fill the name and comment for the advertisement and choose the collection where you wish to distribute FCS. Then click next.
clip_image072

3. On the schedule page, select your preferred schedule for deployment. I usually work with "as soon as possible. Then click next.
clip_image074

4. On the distribution point page, select the Access content directly option and click next.
clip_image076

5. Go through the Interaction, Security and summery pages leaving everything in default settings and click close.
clip_image078

That’s it! You've deployed FCS using SCCM2007. Congratulations!

הוסף תגובה
facebook linkedin twitter email

כתיבת תגובה

האימייל לא יוצג באתר. (*) שדות חובה מסומנים

29 תגובות

  1. Ihab21 בפברואר 2008 ב 17:44

    This is better than a TR session dude! Please though enhance the quality of the screenshots as enlarged images are still small! Thanks

    להגיב
  2. yanivf22 בפברואר 2008 ב 0:40

    Happy to hear that you like :-)
    I've your request to my attention and will do that next time.

    להגיב
  3. Nirali28 בפברואר 2008 ב 14:56

    Hey,

    I really appreciate your solution. It is really helpful. But my query is a little bit different than this.We have installed FCS and SCCM both on one server. Now, we wanna manage updates through SCCM.

    Details:

    OU: FCS scan policy is deployed on this OU. WSUS policy for automatic updates installation is also deployed on this OU. Now, due to this policy client machines are getting updates through WSUS. So, there is no use of SCCM Server.What if we wanna manage both???

    Can you help on this.. You can also write back to me at npatel@iristechnology.co.in

    Waiting for your comments..Thanks…

    להגיב
  4. DSPECHT16 במאי 2008 ב 5:22

    Thanks for creating this great step by step guide.. The way you so thoroughly covered the subject is going to make my job easier tomorrow… Woohoo!

    להגיב
  5. Tiago26 ביוני 2008 ב 15:31

    On my SSCM 2007 in the sep 9 on the list:

    Computer Management -> Software Updates -> Update Repository -> Updates -> Microsoft

    The Forefront Client Security don't appear, I also check in the:

    Component Configuration -> Software Update Point Componet -> Properties -> Products

    and the Forefront Client Security don't appear in the list.

    But in the same server (same WSUS) when I go it the WSUS 3.0 SP1 manager directly in the:
    Options -> Produt and Classifications
    the Forefront Client Security appear.

    I already did a sincronization in the SSCM 2007 and the Forefront Server is instaled on the same machine.

    What I need to do to show the Forefront Client Security product in the SSCM 2007 updates?

    להגיב
  6. John Dattalo15 באוגוסט 2008 ב 16:57

    Why do you need to select a boot image for the Task Sequence if its just a software install?

    להגיב
  7. Who needs a video - 28 באוגוסט 2008 ב 11:13

    Thank you for your step by step guide.

    I loved it and it worked.

    I appreciate what you did here for all the techs of the world installing ForeFront using SCCM.

    U r Awesome.

    Thank you Jesus for this person. Bless them.

    להגיב
  8. DJ24 בנובמבר 2008 ב 2:44

    The way you have explained the deployment process is awesome. I am new to SCCM but have been plannning to use for it for the mass deployment of FCS agent on the client machines. just for the sake rollback, we are also looking for the uninstallation methods.

    I would appreciate if you could enlighten us the process (if there is any :-) ) of the uninstalling the agent through SCCM.

    Cheers,
    DJ

    להגיב
  9. mr sneaky6 בפברואר 2009 ב 9:25

    will you share your script to automatically download the forefront updates ? I really need a way to automate the forefront updates

    להגיב
  10. jrandom4210 בפברואר 2009 ב 18:56

    It's not working at all for me. No matter what I do, I still keep getting 0×0000667 error code that aborts the task sequence. I'm ready to dump ForeFront if I can't deploy the client through SCCM.

    להגיב
  11. jrandom4211 בפברואר 2009 ב 20:40

    Solved the problem. Can't run Clientsetup.exe by itself. You either have to use the /CG and /MS switches to specify the Client Group and the Management server, or the /NOMOM switch. Otherwise, it won't install from the program. And whatever task sequence you put it into will abort with the 0×00000667 error

    להגיב
  12. NSC14 ביולי 2009 ב 18:56

    I was able to create an uninstall package for our current AV but have yet to build one that successfully installs the forefront client. I've been manually installing the client using the same command line that you suggested, but when I build an instll package around it, it fails. Any suggestions?

    להגיב
  13. Fred8 בדצמבר 2009 ב 21:22

    I'm confused by your instructions to update the Forefront files. You created the settings to download FCS updates in steps 9-21. In step 22 and 23 you create an update task in Task Sequences, but you don't show how to tie that update task to the update you created in 9-21.

    Also, in step 17 you say to create a shared folder for the update files. Is this just any empty folder that is shared out on my network?

    להגיב
  14. Mike18 בינואר 2010 ב 16:27

    I followed this to a T, I still cannot get Forefront to install on the client machine. Any suggestions?

    להגיב
  15. Dominique26 בינואר 2010 ב 3:56

    Hello,

    In my Software Distribution > Packages > Microsoft – xxxx Forefront Client Security Agent… > Programs I am running the command line:

    CLIENTSETUP.EXE /CG ForefrontSecurity /MS voforefrontcs1

    It fails during the execution with the error:
    Task Sequence: Forefront Install has failed with the rror code (0×00000657). For more information, please contact your system administartor or helpdesk operator."

    Any idea?

    Thanks,
    Dom

    להגיב
  16. Dominique2 בפברואר 2010 ב 2:34

    Hello,

    Creating a Task Sequence to Removing existing AV solution and Deploy FCS Package

    9….Go to Computer Management -> Software Updates -> Update Repository -> Updates -> Microsoft -> Forefront Client Security.

    The screenshots does not show the same place…
    under the path written I don't see anything for Forefront Client Security

    I have something under
    Computer Management -> Software Updates -> Update Repository -> Critical Updates
    -> Microsoft -> Forefront Client Security
    or
    Computer Management -> Software Updates -> Update Repository -> Definition Updates
    -> Microsoft -> Forefront Client Security
    or
    Computer Management -> Software Updates -> Update Repository -> Security Updates
    -> Microsoft -> Forefront Client Security

    Why is it like this?
    I thought the Updates –> Microsoft –> Forefront Client Security would be a summary of all previous items???

    Thanks,
    Dom

    להגיב
  17. Michael24 בפברואר 2010 ב 19:14

    Thank for post, its been a great help. I am having difficulty though with the package installing Forefront. I created an uninstall script to remove Symantec Endpoint Protection 11 and it does so successfully. My script is as follows:

    MsiExec.exe /norestart /q/x {3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373} REMOVE=ALL

    This uninstalls no problem but when I go to install Forefront, it bombs out. I even tried to put in a restart after the Symantec removal, but no go. It reboots into PE, but still bombs with same error. I created the package with the following command line:

    clientsetup.exe /CG ForefrontClientSecurity /MS forefront.ourdomain.com

    We have an OU created as "Forefront" under our current OU that gets updates. We only allow the software to be installed if the system is in that OU. I still can't get it to go. Any suggestions out there?

    Thanks!

    להגיב
  18. Dominique24 במרץ 2010 ב 2:28

    Hello,

    Finally after several failures I was able to deploy to 10 servers without incident.
    Your post is great with all details my issue was to pass from test to production most likely and some glitch 0×80091007

    Now I am checking to add the updates …
    I have only one item 976669 under
    Computer Management -> Software Updates -> Update Repository -> Updates > Microsoft > Forefront Client Security… is it correct… and enough as I have more under..

    Computer Management -> Software Updates -> Update Repository -> Critical Updates -> Microsoft -> Forefront Client Security (4) 976668 – 943846 – 949799 -940060
    and
    Computer Management -> Software Updates -> Update Repository -> Definition Updates -> Microsoft -> Forefront Client Security (1) 977939
    and
    Computer Management -> Software Updates -> Update Repository -> Security Updates -> Microsoft -> Forefront Client Security (1) 975962

    If I do only Computer Management -> Software Updates -> Update Repository -> Updates > Microsoft > Forefront Client Security will I not miss the other updates?

    thanks,
    Dom

    להגיב
  19. Dominique24 במרץ 2010 ב 19:58

    Excellent blog but as Microsoft as repacked KB976668 under KB976669
    it is an issue ""Select the Updates that relate to FCS and right click -> Deploy Software Updates. Make sure you choose only updates named "Update for Microsoft Forefront Client Security" and not the "Client Update for Microsoft Forefront Client Security". ""

    and the new package has this label which should not be taken…

    Any idea?
    Thanks,
    Dom

    להגיב
  20. Dominique24 במרץ 2010 ב 20:29

    Another point:
    "Select the Updates that relate to FCS and right click -> Deploy Software Updates. Make sure you choose only updates named "Update for Microsoft Forefront Client Security" and not the "Client Update for Microsoft Forefront Client Security". "

    - As I selected directly the packages by their names the next time (next month or next FCS updates) I will have to do it again also, am I right?

    Thanks,
    Dom

    להגיב
  21. Dominique4 במאי 2010 ב 20:59

    Hello,

    Thank you for this excellent document. I was able to deploy the client sucessfully with the first batch of updates at the time of the installation…
    But now 2 weeks later no updates have been applied anymore… FCS should have definition after the 4/22/2010 which is the latest I hav installed so far…
    What could be the weak point?

    Thanks,
    Dom

    להגיב
  22. Dominique4 במאי 2010 ב 22:25

    Hello,

    10. Select the Updates that relate to FCS and right click -> Deploy Software Updates. Make sure you choose only updates named "Update for Microsoft Forefront Client Security" and not the "Client Update for Microsoft Forefront Client Security".

    I have nothing like this only the 976669 is under the folder Computer Management -> Software Updates -> Update Repository -> Updates -> Microsoft -> Forefront Client Security.

    Any idea why?
    Thanks,
    Dom

    להגיב
  23. Dominique4 במאי 2010 ב 22:51

    Hello,

    if I do a Serach for "Update for Microsoft for Forefront" in Computer Management > Software Updates > Update Repository > Search Folders > Enterprise Searches > All Patches I am getting 975962, 915597, etc… which seems to be 05/04/2010 … strange the Primary Child does not get them… it got other patches but not these once!!!

    It seems the Forefront patches are not with a Bulletin ID MSxx-yyy… let me review this…

    Thanks,
    Dom

    להגיב
  24. Dominique4 במאי 2010 ב 23:09

    I have the patches under Critical Updates and Definition Updates -> Microsoft -> Forefront Client Security
    not under Updates -> Microsoft -> Forefront Client Security…

    להגיב
  25. Dominique4 במאי 2010 ב 23:17

    Hello,

    or under Critical Updates -> Microsoft -> Forefront Client Security I have the Update for Microsoft Forefront Client Security 979536 – 949799 – 943846 – 940060

    So I wonder if the folder has changed from 2008 until today and I should picked under path for the Software Updates for Forefront?

    Thanks,
    Dom

    להגיב
  26. Dominique5 במאי 2010 ב 22:16

    Hello,

    I wonder which folder should be picked to update (step 9) Forefront:

    Computer Management -> Software Updates -> Update Repository -> Critical Updates -> Microsoft -> Forefront Client Security
    which contains "Update for Microsoft Definition Client Security" (4 itesm)

    or

    Computer Management -> Software Updates -> Update Repository -> Definition Updates -> Microsoft -> Forefront Client Security
    which contains "Definition Update for Microsoft Forefront Client Security"

    Thanks,
    Dom

    להגיב
  27. David30 באפריל 2011 ב 23:38

    Too many clicks to install a very simple antivirus!
    McAfee is three or four clicks, and you are done. With FCS I am lost. I need a degree in Quantum Physics and Applied Mathematics to understand what you wrote, even though it is done as spoon feeding.
    Thanks anyway, I find it useful

    להגיב