We’ve seen a lot of questions from customers asking whether Client Security can be deployed and managed in an enterprise environment with tens of thousands of users. You can manage an enterprise deployment of more than 10,000 clients from a single Client Security console.
Forefront Client Security Enterprise Manager provides administrators the ability to manage multiple Client Security deployments from a single server.
After you install Enterprise Manager you are able to centrally manage:
Enterprise Manager aggregates data from each configured Client Security deployment in your organization. This aggregated data allows you to centrally view reports on all your Client Security deployments. Enterprise Manager also eases Client Security policy management among multiple Client Security deployments.
We wanted to update you about an issue with FEP that you may have seen in your organization. This is a known issue, and we’ll keep you up to date with developments.
Periodically, the FEP data collection job (FEP_GetNewData_FEPDW_xyz) fails. When the job fails, the FEP Health Management Pack for Operations Manager and the FEP BPA report an error stating that the FEP data warehouse job is either failing or not running. The failure occurs in one of the following job steps:
This happens because of the following scenario:
In the previous posts, we’ve described the FEP monitoring experience using FEP dashboard, reports and alerts. However, daily security routines often include some more “advanced” scenarios of security investigation.
When looking at malware activity, an administrator may want to consume the raw data from FEP and look at it from different angles. For example, administrators might like to get answers to the following questions:
In order to support such scenarios, we’ve added a new database view which holds all malware activity detected by FEP. This view can be queried by external tools such as SIEM (Security Information and Event Management) products for longer-term retention, correlation or reporting.
For those administrators who need immediate access to FEP data, we’ve brought the FEP database view together with the Microsoft Excel pivot table feature. With FEP, we are providing an Excel file (FEP-S Reports Sample.xlsx) which can be used to support the scenarios just mentioned. You can download it with the FEP Security Management Pack download (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab50ace0-1f68-453a-85bb-61de286ec4c8).
Note: The Excel file was tested using Office 2010. In order to use it you need to have read access to the FEP historical database (or at least to the vwFEP_AM_NormalizedDetectionHistory database view).
In the FEP-S Reports Sample.xlsx workbook, the FEP Detection Log worksheet provides a table of all FEP detections. You may filter, search or sort by any of the provided columns.
Tip: Throughout the spreadsheet, we use a red icon in order to highlight events that have happened in the last 24 hours, and a yellow icon for those events that have happened in the last 7 days.
The FEP Malware Log worksheet provides a pivot view of malware activity per malware type.
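As an added example (not part of the original post and not FEP's own tooling), the following PowerShell pulls recent detections from the database view for hand-off to a SIEM and reproduces the workbook's 24-hour (red) / 7-day (yellow) buckets and the per-malware-type pivot. The server and database names and the column names DetectionTime, ComputerName, ThreatName and ThreatCategory are assumptions; the script lists the view's real columns first so the names can be corrected before the data query runs.

```powershell
param(
    [string]$SqlServer = 'FEPSQL01',                 # placeholder server name
    [string]$Database  = 'FEPDW_xyz',                # placeholder historical DB name
    [string]$View      = 'vwFEP_AM_NormalizedDetectionHistory',
    [int]$Days         = 7
)
# Column names are assumptions, not taken from the view definition; step 1 lists
# the real columns so these can be corrected before step 2 runs.
$needed = 'DetectionTime', 'ComputerName', 'ThreatName', 'ThreatCategory'

$conn = New-Object System.Data.SqlClient.SqlConnection `
    "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
$conn.Open()
try {
    # Step 1: discover the view's actual columns (read-only metadata query).
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @v'
    [void]$cmd.Parameters.AddWithValue('@v', $View)
    $cols = @()
    $rdr = $cmd.ExecuteReader()
    while ($rdr.Read()) { $cols += $rdr.GetString(0) }
    $rdr.Close()
    $missing = $needed | Where-Object { $cols -notcontains $_ }
    if ($missing) { throw "Fix the assumed column names; the view has no: $($missing -join ', ')" }

    # Step 2: recent detections with the workbook's age buckets computed server-side
    # (red = last 24 hours, yellow = last 7 days). DetectionTime is assumed to be UTC.
    # $View is a script parameter, not user input, so it is interpolated as an identifier.
    $cmd.Parameters.Clear()
    [void]$cmd.Parameters.AddWithValue('@days', $Days)
    $cmd.CommandText = @"
SELECT ComputerName, ThreatName, ThreatCategory, DetectionTime,
       CASE WHEN DetectionTime >= DATEADD(hour, -24, GETUTCDATE()) THEN 'red'
            WHEN DetectionTime >= DATEADD(day,   -7, GETUTCDATE()) THEN 'yellow'
            ELSE 'older' END AS AgeBucket
FROM $View
WHERE DetectionTime >= DATEADD(day, -@days, GETUTCDATE())
ORDER BY DetectionTime DESC
"@
    $table = New-Object System.Data.DataTable
    (New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table) | Out-Null
}
finally { $conn.Close() }

# Pivot per malware type, as the FEP Malware Log worksheet does, then hand the
# raw rows to a SIEM or ticketing tool as CSV.
$table | Group-Object ThreatCategory | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$table | Select-Object ComputerName, ThreatName, ThreatCategory, DetectionTime, AgeBucket |
    Export-Csv -Path .\fep-detections.csv -NoTypeInformation
```

The account running the script needs only the read access to the historical database mentioned above.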
Ziv Rafalovich, Senior Program Manager
We have received reports of an installation issue with our March update of Forefront Client Security when the option of “install updates and shutdown” is used. We wanted to be clear on the issue and exactly what steps we are taking to rectify it.
A computer uses the Windows “install updates and shutdown” feature to update to the latest version of FCSv1. After restart, the computer does not have the Antimalware agent installed, but will still have the Security State Assessment (SSA) and Microsoft Operations Manager components installed.
This issue only occurs on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It does not occur on Windows XP, Windows Server 2003 or Windows 2000. This issue was not introduced in the March Update. It is caused by a previously undetected problem in the October 2010 update. Please review the steps below for the options you should take.
For the bug to occur, either the system must have the policy setting that changes the default shutdown behavior, or the user must click “Apply updates at Shutdown”. If the update is deployed or manually installed in other ways, this bug does not occur.
What can I do to address this issue myself?
There are a number of workarounds that can be used currently.
Avoiding the issue
If you have computers that have experienced this issue and are now unprotected, there are a number of options:
What is Microsoft doing to address this?
We are doing the following:
We take the support of our customers very seriously. If you need additional assistance please contact your support professional or visit http://support.microsoft.com/ph/12632.
Sincerely, the Microsoft Forefront Client Security Engineering team.
Today (8 March 2011), we released an update to FCSv1. Changes include:
For already installed FCS client installations, install the update for Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823). For new FCS Client installations, deploy the client components listed in Microsoft Knowledge Base article 2508824 (http://support.microsoft.com/kb/2508824).
For more information about the update, Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823) has the detail.
Windows 8 comes with Windows Defender (WD) included and has no built-in manageability. WD is primarily a consumer product, comparable to Microsoft Security Essentials (MSE), that ships in the box with Windows 8.
Windows Defender is NOT included with Windows Server 2012; see the table below for a supported version of a Microsoft Antimalware product.
System Center Endpoint Protection (SCEP) and Forefront Endpoint Protection (FEP) will always disable WD during the SCEP/FEP installation process.
FEP 2010 and SCEP RTM do not support Windows 8 or Windows Server 2012, although support for both is scheduled to arrive with a future update for Configuration Manager 2007/FEP 2010 and with Service Pack 1 for System Center 2012 Configuration Manager.
NOTE: Windows Defender that comes with Windows 8 includes antimalware protection!
All Microsoft Antimalware protection clients listed below will be using the same underlying technologies and offer the same level of protection:
The table below gives an overview of the supported Microsoft Antimalware Protection products.
Windows 8/Windows Server 2012
Managed with ConfigMgr 2012
SCEP / SCEP SP1
Managed with ConfigMgr 2007
FEP w/FEP Update Rollup 1 + KB2758685
FEP / FEP Update Rollup 1
Windows Defender (NOT on Windows Server 2012)
MSE / SCEP / SCEP SP1 / FEP with install switches
NOTE: Please remove any Group Policies containing “Turn off Windows Defender”=Disabled before you deploy SCEP/FEP on Windows 8 clients, or you will have issues with definitions not deploying properly. When editing the Windows Defender group policy, click “Turn off Windows Defender” on the right of the window, then click “Edit Policy Setting” to open the “Turn off Windows Defender” dialog box. Click the “Enabled” radio button to disable Windows Defender.
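As an added check (not from the original post or from Microsoft), the following PowerShell reports how the “Turn off Windows Defender” policy is applied on a Windows 8 client, so a conflicting “Disabled” setting can be found before SCEP/FEP is deployed. It assumes the policy is backed by the DisableAntiSpyware value under the Windows Defender policy registry key; confirm the mapping with gpresult on a client where the GPO applies.

```powershell
# Assumed mapping: the "Turn off Windows Defender" policy writes DisableAntiSpyware
# under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (1 = Enabled, 0 = Disabled).
function Get-WdPolicyState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $value = $null
    if (Test-Path $policyKey) {
        # Property is absent (so $null) when the policy is Not Configured.
        $value = (Get-ItemProperty -Path $policyKey).DisableAntiSpyware
    }
    if ($null -eq $value) {
        $state  = 'NotConfigured'
        $advice = 'No conflicting policy; SCEP/FEP setup will disable Windows Defender itself.'
    } elseif ($value -eq 1) {
        $state  = 'Enabled'      # policy Enabled = Windows Defender turned off
        $advice = 'Windows Defender is turned off by policy; no conflict with SCEP/FEP.'
    } elseif ($value -eq 0) {
        $state  = 'Disabled'     # policy Disabled = Windows Defender forced on
        $advice = 'Remove or change this GPO before deploying SCEP/FEP, or definitions may not deploy properly.'
    } else {
        $state  = 'Unknown'
        $advice = "Unexpected DisableAntiSpyware value $value; inspect the GPO."
    }
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        PolicyState = $state
        Value       = $value
        Advice      = $advice
    }
}

Get-WdPolicyState | Format-List
```

Run it on a representative Windows 8 client in each OU before the SCEP/FEP rollout; a PolicyState of Disabled is the case the note above warns about.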
Diana L. Smith, CISSP | Senior Support Escalation Engineer | Management and Security Division