When deploying the FEP client during OS Deployment, the normal command line used to install the FEP client doesn’t work. The recommendation is to use the following command instead: “Fepinstall.exe /q /s”. See this article for more information: http://social.technet.microsoft.com/wiki/contents/articles/how-to-deploy-fep2010-client-via-osd-and-test-deployment.aspx

I have deployed the FEP client a couple of times now, and I have had some problems with the fact that installing the FEP client according to the article above doesn’t import the default desktop policy. I have had scripts blocked, and it has caused some other interesting problems for me during OS Deployment.
Therefore I exported the FEP policy I want to apply and installed the FEP client using the “/policy” option. This option, however, requires the full path to the policy file, so for instance “/policy windows7all.xml” will not work. Applying the policy during OS deployment also solves the problem that users start using the computer before the policy is applied through Configuration Manager, which can also cause problems.

The steps below describe the procedure for using a default policy for the FEP client during OSD.

  1. In the SCCM console, export the policy you want to apply during OS deployment by right-clicking it and choosing “Export Policy”. I will export it as “Windows7all.xml”.
  2. Save the file in a directory which is already shared, or can be shared, and is accessible to the clients. The network access account and the domain computers should have at least read permissions.
  3. In the SCCM console browse to the package created by the Forefront installation program called “Microsoft Corporation FEP – Deployment 1.0”.
  4. Under programs, create a new program with the following command line “fepinstall.exe /q /s /policy \\sccm01\apps\feppolicy\Windows7all.xml” and the following settings:
    - Run: Hidden
    - Program can run: “Whether or not a user is logged on” (Do not check “Allow users to interact with this program”)
    - Check the option “Allow this program to be installed from the Install Software task sequence without being advertised.”
  5. Add an “install software” step to the OS Deployment Task Sequence and the policy will be applied during OS Deployment.

By applying the policy which will be used on all my clients, the problems I experienced during OSD are solved. This is no enterprise solution, but a simple wrapper script that copies the files locally and then executes the command to install the Forefront Endpoint Protection client would solve that.
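
The wrapper described in the closing paragraph, as an added PowerShell example (not the author's script and not part of the FEP package). It assumes the script, fepinstall.exe and the exported policy file all sit in the package source directory; the script name and the local staging folder are hypothetical.

```powershell
# Install-FepWithPolicy.ps1 (hypothetical name) - added example, not from the original post.
# Assumes this script, fepinstall.exe and the exported policy XML are all in the
# package source directory, so the distribution point delivers them together.
param(
    [string]$PolicyFile = 'Windows7all.xml',                   # policy exported in step 1
    [string]$StageDir   = "$env:SystemRoot\Temp\FEPInstall"    # assumed local staging folder
)

$ErrorActionPreference = 'Stop'

# $PSScriptRoot is not available to scripts in PowerShell 2.0 (Windows 7), so derive it.
$sourceDir = Split-Path -Parent $MyInvocation.MyCommand.Path

# Copy the package content locally so the install does not depend on the share.
if (Test-Path $StageDir) { Remove-Item $StageDir -Recurse -Force }
New-Item -ItemType Directory -Path $StageDir | Out-Null
Copy-Item -Path (Join-Path $sourceDir '*') -Destination $StageDir -Recurse -Force

$installer = Join-Path $StageDir 'fepinstall.exe'
$policy    = Join-Path $StageDir $PolicyFile    # full path, as /policy requires

foreach ($file in $installer, $policy) {
    if (-not (Test-Path $file)) { Write-Warning "Missing file: $file"; exit 1 }
}

# Refuse to install with a truncated or corrupt policy export.
try { [xml](Get-Content -Path $policy) | Out-Null }
catch { Write-Warning "Policy file is not well-formed XML: $policy"; exit 1 }

# Same switches as the program command line in step 4, with a local full path.
$arguments = "/q /s /policy `"$policy`""
$process = Start-Process -FilePath $installer -ArgumentList $arguments -Wait -PassThru

# Hand the installer's exit code back to the task sequence unchanged.
exit $process.ExitCode
```

With this in place, the policy file no longer needs to live on a separate share; the program created in step 4 would call the script instead of fepinstall.exe directly.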