Menu
CCMEXEC.COM – Enterprise Mobility
  • Home
  • General
  • Configuration Manager
  • Windows 10
  • Intune
  • GitHub
  • Windows 11
  • About the author
CCMEXEC.COM – Enterprise Mobility

Forefront Endpoint protection and Locally Removed

Posted on November 17, 2011November 17, 2011 by Jörgen Nilsson

In Forefront Endpoint protection 2010 there is no possibility to password protect the uninstallation of the FEP client. This makes it possible for instance for local admins to remove the FEP Client.
I started testing to advertise the FEP client to the “Locally Removed” collection where the client will end up if the FEP client is uninstalled. At least that was what I thought…

The above statement is true if you install the FEP client using the Package/program and advertisement in SCCM if you deploy the FEP client using for instance an OSD task sequence, or manually the client is added to the “Not Targeted” collection instead.

Note: And if you wonder the installation and the uninstall of the FEP client triggers a SCCM hardware inventory on the client immediately, to speed up the process of reporting an updated inventory to the SCCM server.

So, I solved it using the following setup in SCCM, including a standard exclusion collection as the customer asked for the possibility to exclude certain computers from FEP.

I have created two sub-collections for my Microsoft FEP collection:

-FEP – Install

-FEP – Exclusion

FEP_Install1

The following query is used for the FEP – Install Collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select distinct SMS_R_System.ResourceId from  SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Forefront Endpoint Protection") and SMS_R_System.ResourceId not in (select distinct SMS_R_System.ResourceId from  SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Microsoft Forefront Endpoint Protection") and SMS_R_System.Active = 1 and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_02000087)

When you import the query change the SMS_CM_RES_COLL_02000087 in the query to reflect the CollectionID of the FEP-Exclusion collection in your environment.

The query includes:

  • Only active clients
  • Coputers where Microsoft Forefront Endpoint Protection client is not installed, both x86 and x64
  • Computers that are not members of the FEP-Exclusion collection.

You can limit the FEP-Install collection to for instance “All Windows Workstation and Professional Systems” if you don’t want to include servers.

Then I advertise the Microsoft FEP client package using the package/program included in the installation of FEP and advertise it with the following settings:

FEP_Install2

Then the installation will rerun even if the FEP client is removed and added back more than once.

I hope this is useful to more than me.

  • Configuration Manager
  • FEP 2010
  • 3 thoughts on “Forefront Endpoint protection and Locally Removed”

    1. Simon says:
      December 2, 2011 at 2:10 pm

      Hi.
      I have added your query to a collection, but without the ” and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_02000087)” as we have no servers excluded. However the collection gets populated by 1200 of 1400 servers, most of which have FEP installed?

      Reply
    2. Evil says:
      December 15, 2011 at 6:15 pm

      Thanks for this! I learned a new technique for creating a dynamic collection, and have many uses for it beyond just FEP.

      Reply
    3. Pingback: Make it harder to uninstall the FEP client - CCMEXEC.COM – System Center blog

    Leave a Reply Cancel reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
    All code is provided "AS-IS" with no warranties.

    Tweets by ccmexec

    Recent Posts

    • Windows Servicing, Personal Teams and Success.cmd
    • Windows MDM Security Baseline – Settings Catalog
    • Configuring MS Edge Security Baseline v107 using Settings Catalog
    • Configuring Desktop App Installer using CSP and script?!
    • Customizing Taskbar and Start in Windows 11 22h2 with PowerShell

    ©2023 CCMEXEC.COM – Enterprise Mobility | WordPress Theme by Superb Themes
    This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.Accept Reject Read More
    Privacy & Cookies Policy

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT