When deploying the FEP client during OS Deployment the normal command line used to install the FEP client doesn’t work, the recommendation is to use the following command instead ”Fepinstall.exe /q /s”, see this article for more information http://social.technet.microsoft.com/wiki/contents/articles/how-to-deploy-fep2010-client-via-osd-and-test-deployment.aspx
I have deployed the FEP client a couple of times now and I have had some problems with the fact that that installing the FEP client according the article above doesn’t import the default desktop policy, I have had scripts blocked and it has caused some other interesting problems for me during OS Deployment.
Therefore I exported the FEP policy I want to apply and installed the FEP client using the “/policy” option. This option however requires the full path to the policy file so for instance “/policy windows7all.xml” will not work. Applying the policy during OS deployment also solves the problem that users start using the computer before the policy is applied through Configuration Manager, which also can cause problems.
The below steps describes the procedure to use a default policy for the FEP client during OSD.
- In the SCCM Console export the Policy you want to apply during OS deployment by right-click and chose “Export Policy”, I will export it as “Windows7all.xml”
- Save the file in a directory which is already shared or can be shared and is accessible for the clients. The network access account and the domain computers should have at least read permissions.
- In the SCCM console browse to the package created by the Forefront installation program called “Microsoft Corporation FEP – Deployment 1.0”.
- Under programs, create a new program with the following command line “fepinstall.exe /q /s /policy \\sccm01\apps\feppolicy\Windows7all.xml” and the following settings:
– Run: Hidden
– Program can run: “Whether or not a user is logged on” (Do not check “Allow users to interact with this program”)
– Check the option “Allow this program to be installed from the Install Software task sequence without being advertised.” - Add an “install software” step to the OS Deployment Task Sequence and the policy will be applied during OS Deployment.
By applying the policy which will be used on all my clients, the problems I experienced during OSD is solved. This is no enterprise solution but a simple wrapper script would solve that, which copies the files locally and that executes the command to install the Forefront Endpoint Protection Client.
Hi,
I am struggling installing FEPClient myself, via SCCM to over 200 workstations. I have packaged it and advertised it, but it doesn’t seem to be installing on the workstations. I tried to follow your procedure above, but not sure how you did the policy. Could you please assist me in that.
Thanks
Hi,
Are you installing it during OS Deployment?
If not are you using the vbscript option which is included in the installation of FEP? then you have to select “Download this program before” otherwise the installation will fail.
That is where I am confuse. I am currently using this command “fepinstall.exe /q /s” and some places I have search the wanted me to use requires drive letter instead of use UNC name. My confusion now is, which method to use that will work. And for the script, I am not sure what script or policy you guys are referring. I am not sure how to write the script or where to get the policy from. In step one you just state to right-click and export, you did not include where to go to right-click and export. To make matters short, can you please just explain to me the simplest way to package the FEPInstall.exe client in SCCM providing me the script if there is any or showing a point-to-point instruction. You don’t have to show images if you don’t want to. I guess my main issue is the command line and the script and/or policy. I don’t know how to go about those.
Hi,
When you ditribute the FEP client to already deployed computers, you can use the already created package:
Microsoft Corporation FEP – Deployment 1.0
Just advertise the package called “install”, and set it to download locally and not “run this program from distribution point”
The command line used is:
cscript.exe Policies\ApplyPolicy.vbs “FEPInstall.exe /s /q ”
It will actually apply a policy on the client asswell during deployment.
Using the command line “FEPinstall.exe /s /q” or as I wrote here with the policy extension will only have to be used during OS deployment.
So deploying the FEP client to already installed computers:
1. Add the “Microsoft Corporation FEP – Deployment 1.0” package to the distribution points necessary
2. Advertise the program “Install” from the FEP – Deployment 1.0 package to the collection of your choice, use “download content from distribution point and run locally”
That should do it.
My question now is, where is the policy located and how does the install client know what policy is it:
cscript.exe Policies\ApplyPolicy.vbs “FEPInstall.exe /s /q ”
where is the csscript.exe located?
Where is the ApplyPolicy.vbs located?
What should be the settings under environment?
Drive Mode:
-Runs with UNC name
-Requires Drive Letter
-Requires specific drive letter
Which of the above should I check?
The script is located in the folder where FEP is installed for instance on the SCCM server, E:\Program Files\Microsoft Forefront\Client\
cscript.exe is the vbscript scripting enginge which exists on all windows computers.
Run with UNC and remember to use “download content from distriubtion point and run locally” in the advertisement and then you should be fine.
/Jörgen
So, what I have tried to do is reset my sccm server before seeing your last message. And I was trying to reinstall forefront server on my sccm machine and got the following messages below:
This is the prerequisite check. I am surprise because I have the service pack 2 version installed.
Error: Setup has detected that the version of the Configuration Manager installed on this computer does not meet the prerequisite requirements. Upgrade the Configuration Manager installation to Configuration Manager 2007 Release 2 Service Pack 2.
This is during the install of forefront server.
Setup cannot access SQL Reporting Services. Verify that the reporting server is properly configured and accessible.
Have you installed Configuration Manager R2 or R3? One of these is required as the reporting services support came with first with R2 and R3.
Hi Jörgen, I would like to know how can I manually install forefront endpoint client and at the same time to communicate with the endpoint in the sccm console, is it possible to manually install FEP and specify that it shall be communicated to the console sccm?
I have installed configuration manager R3 and I am still having an error message:
Setup cannot access SQL Reporting Services. Verify that the reporting server is properly configured and accessible. For more information, see http://go.microsoft.com/fwlink/?LinkId=164912.
URL:http://uhc-sccm/ReportServer
Error message:Unexpected response was received from SQL Reporting Services
Have you configured Reporting Services and copied or imported at least one report to Reporting Services so that everything is configured and working?
I did configured reporting service, but I had couple of things still showing red instead of green… Not sure if everything suppose to be green. And, how do I copy or import reporting service?
Hi
My name is Haruna Baldeh i just finish installing my forefront server and added two client computer to it and am now trying to deploy the FEP to the to the client but the deployment is not going can some one tell me what to do please
In the cmd file, use %~dp0POLICYNAME
%~dp0 makes the command look into the local folder for the file appended after it.
so if your folder is c:\Install %~dp0 will make the command look for c:\install\POLICYNAME
A good idea!
/Jörgen