Forefront Endpoint protection and Locally Removed

In Forefront Endpoint protection 2010 there is no possibility to password protect the uninstallation of the FEP client. This makes it possible for instance for local admins to remove the FEP Client.
I started testing to advertise the FEP client to the “Locally Removed” collection where the client will end up if the FEP client is uninstalled. At least that was what I thought…

The above statement is true if you install the FEP client using the Package/program and advertisement in SCCM if you deploy the FEP client using for instance an OSD task sequence, or manually the client is added to the “Not Targeted” collection instead.

Note: And if you wonder the installation and the uninstall of the FEP client triggers a SCCM hardware inventory on the client immediately, to speed up the process of reporting an updated inventory to the SCCM server.

So, I solved it using the following setup in SCCM, including a standard exclusion collection as the customer asked for the possibility to exclude certain computers from FEP.

I have created two sub-collections for my Microsoft FEP collection:

-FEP – Install

-FEP – Exclusion


The following query is used for the FEP – Install Collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select distinct SMS_R_System.ResourceId from  SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Forefront Endpoint Protection") and SMS_R_System.ResourceId not in (select distinct SMS_R_System.ResourceId from  SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Microsoft Forefront Endpoint Protection") and SMS_R_System.Active = 1 and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_02000087)

When you import the query change the SMS_CM_RES_COLL_02000087 in the query to reflect the CollectionID of the FEP-Exclusion collection in your environment.

The query includes:

  • Only active clients
  • Coputers where Microsoft Forefront Endpoint Protection client is not installed, both x86 and x64
  • Computers that are not members of the FEP-Exclusion collection.

You can limit the FEP-Install collection to for instance “All Windows Workstation and Professional Systems” if you don’t want to include servers.

Then I advertise the Microsoft FEP client package using the package/program included in the installation of FEP and advertise it with the following settings:


Then the installation will rerun even if the FEP client is removed and added back more than once.

I hope this is useful to more than me.


Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.