Forefront Endpoint Protection Blog

All the latest news and information on Forefront Client Security, Forefront Endpoint Protection and System Center Endpoint Protection 2012


    Advanced Policy Management with Forefront Endpoint Protection 2010


    FEP Overview

    FEP 2010 is implemented as both an extension to System Center Configuration Manager and a management pack for System Center Operations Manager, which provide the enterprise management experience, together with a common client (agent) that provides protection on managed machines. That means that if you have System Center Configuration Manager or System Center Operations Manager installed, all you have to do to add Endpoint Protection functionality is install the extensions for Configuration Manager or import the FEP 2010 Security MP into your existing Operations Manager infrastructure.

    FEP 2010 has two major System Center components - an add-on for System Center Configuration Manager 2007 (“ConfigMgr”), and one for System Center Operations Manager 2007 (“OpsMgr”). Each FEP component leverages the unique capabilities of the associated management product. Due to differences in the capabilities of ConfigMgr and OpsMgr, each FEP component delivers different functionality.

    The FEP extension for ConfigMgr provides deployment, monitoring, reporting, and policy management functionality for FEP, from directly within the ConfigMgr console. The OpsMgr MP provides monitoring and alerting from within the OpsMgr console.

     

    FEP Policy Overview

    FEP gives you a choice of two ways to manage policy. First, if you have ConfigMgr deployed and the FEP 2010 product installed, then you can use the FEP node in the ConfigMgr console to author policies. ConfigMgr (via its Software Distribution feature) will deploy the policies for you to the monitored FEP agents. However, if you prefer, or if you do not have ConfigMgr deployed (such as when you are only using the OpsMgr MP), you can use Group Policy to author and distribute policy.

    The following chart will help you decide between using ConfigMgr or Group Policy for policy management.

    You should consider managing FEP policy with ConfigMgr if…

    • You have ConfigMgr deployed
    • You prefer not to manage policy with group policy
    • You do not want to have to understand many low level settings
    • You have simple policy requirements
    • You don’t need more than one policy per computer, e.g. each server has only one role

    You should consider managing FEP policy with Group Policy if…

    • You do not have ConfigMgr deployed
    • You prefer to manage policy with group policy
    • You need extremely granular control over settings
    • You prefer to “layer” policies, that is to apply more than one policy per computer, e.g. a default policy for your organization as well as role specific policies
    • Many of your servers have more than one role

    If you ultimately choose to manage policy with ConfigMgr, then you will find that the experience is very straightforward. New policies you create are all based on a template: you choose a group of settings organized by goal, e.g. “protect domain controllers” or “minimize performance impact to desktops”, and the new policy will contain settings optimized for that goal. You can edit the settings as you wish, and to deploy the policy, simply bind it to a ConfigMgr collection. Only one policy will be in effect for any collection at any given time.

    The remainder of this article will describe the experience of using group policy to manage FEP policy.

    Managing FEP Policy with group policy

    FEP contains a set of tools for helping to manage FEP policy with group policy. These tools include:

    1. ADMX and ADML files to enable authoring and editing FEP specific policy settings with group policy
    2. FEP2010GPTool.exe, a tool which allows you to import settings from a FEP policy file into a GPO, or export FEP settings from a GPO into a FEP policy file
    3. Setting templates (in the form of FEP policy files) for common server roles such as domain controller, SQL server, etc.

    At the simplest level, all you need to do to manage FEP policy with group policy is to install the ADMX into your admin tools workstation, create and link a GPO, and edit the FEP policy settings in the GPO, using Group Policy Editor.

    However, there are some more advanced scenarios that you might want to think about.

    Scenario 1 – Optimizing FEP policy for multiple server roles

    In this scenario, let’s assume that you want to deploy optimized settings to your servers. For instance, let’s say that you want domain controllers to get a policy that will cause the least performance impact on the domain controller role, and you want Exchange servers to get a policy that will minimize performance impact on Exchange, etc. Let’s further assume that some of your servers might host more than one role.

    There are two ways to go about doing this, and how you choose to do this completely depends on how you prefer to do policy targeting in group policy.

    1.1 You prefer to target policies with OUs or security groups

    If you strongly organize your machines into OUs or security groups, then you might just want to create one policy per role and link it to the appropriate OU, or use security filtering in group policy management console (GPMC) to restrict the policy only to the target group. This essentially allows you to specify the target machines individually.

    In this case, all you need to do is to create a GPO, link (and filter, if applicable) it appropriately, and then use the FEP group policy tool to import the correct role-specific settings into that GPO.

    Here’s a hint: if you have a set of servers that have multiple roles, then you can use the FEP GP tool to import each of the policies into the same GPO. Import the policies in order from lowest precedence to highest precedence, and make sure that you only have the “clear existing FEP settings before import” checkbox checked when you import the first policy. For example, if you have machines that are combination DC + DNS + DHCP servers, then import the following four policies: FEP Default Server policy, FEP DHCP Server policy, FEP DNS Server policy, FEP Domain Controller policy. The “clear settings” box should only be checked when you import the default policy. This will import and merge all the settings into a single GPO.

    1.2 You prefer to target policies using WMI filters

    If you prefer a more dynamic targeting approach, then you can have group policy layer your policies for you. In this case, you simply create one GPO for the FEP default server policy, and one GPO for each server role. Set the default server policy at lowest precedence. Link all the policies to the domain, and use WMI filtering on each of the policies. For instance, you can restrict the default server policy to servers only by filtering on the ProductType property in the WMI Win32_OperatingSystem class: http://msdn.microsoft.com/en-us/library/aa394239(VS.85).aspx. ProductType is also useful for identifying and filtering domain controllers.

    For other roles on Windows Server 2008 and Windows Server 2008 R2, you can use the properties in the Win32_ServerFeature class to identify and filter by role: http://msdn.microsoft.com/en-us/library/cc280268(VS.85).aspx. This works well for built-in roles like IIS and File Server.

    For Windows Server 2003 machines, and for roles that aren’t part of Windows, you can use the Win32_Service class to look for services that indicate role presence, e.g. the MSSQLSERVER service identifies SQL machines.

    After you have created a WMI filter for each policy and linked your policy to the domain, then group policy will automatically deploy the appropriate settings to each computer. It’s important to ensure that you use GPMC to prioritize the policies correctly so that defaults or lower priority role settings don’t overwrite higher priority role settings.
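
    The following script is an added example, not part of the original post: it runs the kind of WQL queries described above against the local computer so you can preview which WMI-filtered GPOs would match before linking them to the domain. The GPO names are hypothetical labels, the queries are one possible way to express each filter, and Win32_ServerFeature ID 2 is assumed to be the Web Server (IIS) role.

```powershell
# Added example: preview which WMI-filtered FEP GPOs match this computer.
# GPO names are hypothetical labels. List them from lowest to highest
# precedence, the same order you would set in GPMC.
$filters = @(
    @{ Gpo   = 'FEP Default Server policy'
       # ProductType: 1 = workstation, 2 = domain controller, 3 = server
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType <> 1' },
    @{ Gpo   = 'FEP Web Server (IIS) policy'
       # Win32_ServerFeature is for Windows Server 2008 / 2008 R2 roles.
       # ID 2 is assumed here to be the Web Server (IIS) role.
       Query = 'SELECT * FROM Win32_ServerFeature WHERE ID = 2' },
    @{ Gpo   = 'FEP SQL Server policy'
       # Service-based detection for roles that are not part of Windows.
       Query = "SELECT * FROM Win32_Service WHERE Name = 'MSSQLSERVER'" },
    @{ Gpo   = 'FEP Domain Controller policy'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2' }
)

function Test-WmiFilter {
    param([string]$Query)
    try {
        # A WMI filter passes when the query returns at least one instance.
        $rows = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)
        return ($rows.Count -gt 0)
    }
    catch {
        # Missing class (e.g. Win32_ServerFeature on Windows Server 2003) or
        # an invalid query: this script counts that as "no match".
        return $false
    }
}

# Evaluate every filter and keep the results in precedence order.
$report = foreach ($f in $filters) {
    New-Object PSObject -Property @{
        Gpo     = $f.Gpo
        Matches = (Test-WmiFilter -Query $f.Query)
        Query   = $f.Query
    }
}

$report | Select-Object Gpo, Matches, Query | Format-Table -AutoSize

# The last matching entry is the highest-precedence GPO; where settings
# conflict, its values are the ones that should win.
$winner = $report | Where-Object { $_.Matches } | Select-Object -Last 1
if ($winner) {
    "Highest-precedence matching GPO: $($winner.Gpo)"
} else {
    'No FEP GPO filter matches this computer.'
}
```

    Run it on a representative server for each role combination and compare the matching list with the link order in GPMC.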

    Scenario 2 – Deploying an identical policy to non-domain-joined computers

    This is a very easy scenario. Once you have authored a policy using GPEDIT, if you are happy with the settings and want to deploy the same settings to non-domain-joined servers, then you can use the FEP group policy tool to export the settings you like to a FEP policy XML file, and then you can script the application of that policy.

    The export process varies slightly depending on how you handle multiple roles.

    If you merge your roles together into single GPOs (as in scenario 1.1 above), then you can simply use the FEP group policy tool to export FEP settings from that GPO.

    If you use policy layering (as in scenario 1.2 above), then you should identify a domain joined server with the same set of roles, which has already had your policies applied, and use the FEP GP tool to export the settings from the local group policy object on that server.

    There are two ways to apply FEP policy with script. First, you can provide the path to the policy file as a parameter during installation of the agent MSI package. Second, you can use the ConfigSecurityPolicy.exe tool to apply a FEP policy at any point. These topics are covered in the FEP documentation.

    Scenario 3 – Duplicating policies between domains

    This scenario is also very easy. Simply create GPOs on the “target” domain matching those on the “source” domain, and ensure that they are linked and/or WMI filtered correctly. Then use the FEP group policy tool to export the settings from each GPO in the source domain, and use the tool again to import the appropriate settings into the correct GPO on the target domain.

    Eric Fitzgerald,
    Senior Program Manager


    How to deploy Forefront Endpoint Protection Beta 2010 Clients using Configuration Manager


    By Alon Rosental

    Forefront Endpoint Protection 2010 Beta is available for Public download!

    So now that you’ve downloaded Forefront Endpoint Protection Beta 2010, the next step would be to plan your deployment and get the Forefront Client in your Configuration Manager environment.

    This post will focus on how to deploy Forefront Endpoint Protection client to a collection of computers using your existing Configuration Manager infrastructure, how to switch to Forefront Endpoint Protection from an existing deployed antimalware product and how to validate client deployment.

    Before deploying Forefront Endpoint Protection in your environment, it is recommended that you review the planning and architecture guide. Also, please refer to the installation guide for information on how to install Forefront Endpoint Protection in your existing Configuration Manager environment.

    Note: if you’re interested in manually deploying Forefront Endpoint Protection client to machines that are not managed using Configuration Manager, please refer to the manual deployment instructions.

    Once you have installed Forefront Endpoint Protection in your Configuration Manager environment, you are able to perform a set of additional tasks using the existing Configuration Manager infrastructure:

    • Deploy Forefront Endpoint Protection clients to collections
    • Create or modify Forefront Endpoint Protection policies
    • Assign Forefront Endpoint Protection policies to collections
    • Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard
    • Configure Forefront Endpoint Protection alerts

     

    Overview of client deployment

    Deployment of Forefront Endpoint Protection to clients is comprised of the following set of tasks:

    1. Create policies - author policies according to organization requirements, set the precedence of policies, and then assign the policies to a collection of computers. For more information see Creating and Deploying Policies
    2. Create an advertisement for the Forefront Endpoint Protection Install program for a designated group of computers, and configure the advertisement settings to control schedule and recurrence
    3. Track the deployment progress and verify deployment succeeded

     

    Deploying clients

    Once you have completed the tasks of policy creation and assignment, you’re ready to deploy Forefront Endpoint Protection client to computers.
    But then again, what happens if there’s a different antimalware product deployed on the computers you’re targeting that needs to be replaced with Forefront Endpoint Protection client?

    In case the designated computers are already running a previous version of Forefront Client Security or a different 3rd party antimalware product, Forefront Endpoint Protection client setup will uninstall these clients prior to installation.

    This automation is intended to simplify and reduce the cost of the deployment process by eliminating the need to author custom scripts to orchestrate the process of replacing products.

    Forefront Endpoint Protection detects and attempts to uninstall the following products:

    • Symantec Endpoint Protection version 11
    • Symantec Endpoint Protection Small Business Edition version 12
    • Symantec Corporate Edition version 10
    • McAfee VirusScan Enterprise version 8.7 and version 8.5
    • TrendMicro OfficeScan version 8.0 and version 10.0
    • Forefront Client Security version 1

     

    Deployment Integration with Configuration Manager

    This release of Forefront Endpoint Protection includes a Configuration Manager package that contains the Forefront Endpoint Protection client installation program. To deploy the Forefront Endpoint Protection package, you can use the Configuration Manager Software Distribution functionality, propagate the package data to one or more distribution points, and then create advertisements that specify which collections will receive the program and the package.

    Advertising the program makes a program available to a specified collection of clients. It is strongly recommended that you test advertised programs in a controlled environment before you create advertisements for the clients in your site hierarchy.

    There are multiple ways to distribute the Forefront Endpoint Protection client software to client computers using the Configuration Manager tools. This post provides the steps for one of the deployment methods. For information about other distribution methods, see Software Distribution in Configuration Manager.

    Step by step deployment instructions

    1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Collections.
    2. Right-click the collection to which you want to deploy clients, for example, All Systems, point to Distribute, and then click Software.
      1. The Distribute Software to Collection Wizard opens.
    3. On the Welcome page, click Next.
    4. On the Package page, click Select an existing package, click Browse, click the Microsoft Corporation Forefront Endpoint Protection 2010 – Deployment 1.0 All package, click OK, and then click Next.
    5. On the Distribution Points page, select the distribution points for the package, and then click Next.
      1. Configuration Manager uses distribution points to store the files needed by the Forefront Endpoint Protection client installation package in order for the installation program to run on client computers. In essence, they function as distribution centers for the files that the Forefront Endpoint Protection client installation package uses, allowing users to download and run the installation program when the package is advertised. For more information, see About Distribution Points.
    6. On the Select Program page, select the Install program, and then click Next.
    7. On the Advertisement Name page, enter a name that is less than 100 characters, and then click Next.
    8. On the Advertisement Sub collection page and on the Advertisement Schedule page, make your selections, and then click Next.
    9. On the Assign Program page, select Yes, assign the program and select the Ignore maintenance windows when running program check box, and then click Next.
    10. On the Summary page, review the Details, and then click Next.
    11. On the Wizard Completed page, click Close.
    12. If necessary, modify the advertisement configuration to suit your environment. You might want to do this in order to set the program rerun behavior to a value other than the default, rerun if failed previous. For information, see How to Modify an Advertisement.

    Once you’ve deployed the Forefront Endpoint Protection clients, the next step would be to track the deployment progress and verify that deployment succeeded.

    To read additional information about installing and configuring FEP, see the TechNet documentation (http://technet.microsoft.com/en-us/library/ff823816.aspx).

    Notes:

    • Prior to deploying Forefront Endpoint Protection, verify that you have configured WSUS so that it is synchronizing Updates and Definition Updates. After updates have been synchronized to your WSUS server, clients can connect to the WSUS server to check for applicable updates. Updates will only be offered to clients when they are approved for installation and when the binary download is completed on the WSUS server. Approve the updates for all computers to which you will deploy Forefront Endpoint Protection by configuring an automatic approval rule.
    • If you are using a mechanism to automatically distribute and install an antimalware solution to your client computers, you need to disable automatic installation before you install Forefront Endpoint Protection. For example, if you use WSUS to distribute Forefront Client Security (FCS) to your endpoints, before you install Forefront Endpoint Protection, you need to configure WSUS to not automatically reinstall FCS.

     

    Tracking and verifying deployment

    To verify that your installation was successful, do the following:

    • On the computer where you installed Forefront Endpoint Protection, click Start, click Control Panel, click Programs, click Programs and Features, and then verify that Microsoft Forefront Endpoint Protection 2010 is listed.
    • On the computer running Configuration Manager, in the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand System Status, select Advertisement Status, and then review the statistics of the following advertisements:
      • Forefront Endpoint Protection 2010 – Deployment - Install to <Target Collection Name>
      • Assign FOREFRONT ENDPOINT PROTECTION Policy <Policy Name> to collection <Target Collection Name>

    Advertisement statistics are based on data gathered by Configuration Manager at scheduled intervals, and may not reflect the most recent Forefront Endpoint Protection Client deployment information.

    • In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, click Forefront Endpoint Protection 2010, and then review the Clients Deployment Status report.

    Dashboard statistics are based on data gathered by Configuration Manager at scheduled intervals, and may not reflect the most recent Forefront Endpoint Protection Client deployment information.

    Looking forward to your feedback - head over to the TechNet forums (http://social.technet.microsoft.com/Forums/en-us/FCSNext/threads) to let us know what you think.

    Thanks!

    Alon Rosental, Program Manager – Forefront Endpoint Protection


    FCS SP1 releases!


    Today we are pleased to announce the availability of Forefront Client Security Service Pack 1 (SP1).

     

    FCS SP1 adds support for:

     

    Agent protection on Windows Server 2008 – both Server and Core.

    Server role support on Windows Server 2008 (server only) for FCS server components.

    FCS Enterprise Manager on Windows Server 2008 (server only).

     

    To obtain FCS SP1, first install FCS. After successfully installing FCS, you will be offered SP1 via Microsoft Update. For more information, read the FCS SP1 Release Notes (http://go.microsoft.com/fwlink/?LinkID=126287) or see Microsoft Knowledge Base article 951951 (http://support.microsoft.com/default.aspx/kb/951951)


    How to use the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1


    [Updated 12/16/2011]

    Earlier today we released an updated version (found here) of the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1.  This document provides steps for how to use this tool.

    Important Note: We recommend installing the hotfix here if you are using the Definition Update Automation Tool.

    Tool Description

    With Forefront Endpoint Protection 2010 Update Rollup 1, you now can deploy Forefront Endpoint Protection definition updates to clients by using the Configuration Manager console. There are multiple definition update releases per day, thus making it time-consuming to manually download and deploy each definition update through the Configuration Manager Console. The Definition Update Automation Tool can be used to automate the steps required to keep a deployment of Forefront Endpoint Protection update definitions up to date. The tool will download the latest definition update and update the specified software update deployment with the latest definition. Configuring this tool to run automatically with Windows Task Scheduler or via a Configuration Manager Status Filter Rule can keep a deployment up to date without continuous and repetitive manual processes.

    To learn more about managing software updates click here.

    Changes since the Last Release

    This tool was first released with Forefront Endpoint Protection 2010 Update Rollup 1. This release addresses a number of supportability issues, primarily around logging. 

    Bug Fixes:

    • Removal of /RefreshDP switch, add new switch: /DisableRefreshDP
    • Improved logic to skip updating the deployment package if no content change was detected
    • Corrected the default update filter string so it will not retrieve superseded updates and enables functionality when custom updates published by System Center Update Publisher are present

    Command line Usage


    Usage: SoftwareUpdateAutomation.exe parameters

    Parameters:

    /Help: Get program usage

    /SiteServer: Site server computer name

    /UpdateFilter: Filter for selecting software updates that are used for the destination packages

    /AssignmentName: Name of destination software updates assignment

    /PackageName: Name of destination software update package

    /DisableRefreshDP: Disable automatic propagation of updated package to Distribution Points

    /Verbose: Enable additional logging.

    Example command line

    SoftwareUpdateAutomation.exe /AssignmentName FEPDeployment /PackageName FEP

    This example will use local machine as Site Server and use the default UpdateFilter. It will add the latest Forefront Endpoint Protection definition update into Assignment “FEPDeployment” and Package “FEP” and refresh the Distribution Points if any updates were made to the deployment package.

    How to use this tool

    To run this tool, you must copy the binaries to the Admin UI bin folder:

    • <ConfigMgr Install Dir>\AdminUI\bin

    Now you can run this tool manually from a command line, or use Task Scheduler or a Status Filter Rule to run it automatically.

    Note: This tool will only download the latest Forefront Endpoint Protection definition update and add it to the existing deployment and package. It will not synchronize the definition update into Configuration Manager. It is still necessary to run software update synchronization to synchronize the latest Forefront Endpoint Protection definition update into the Configuration Manager database before you run this tool. Please refer to How to Configure Software Updates Synchronization (http://technet.microsoft.com/en-us/library/bb632893.aspx) for information on how to configure the software update synchronization. As a best practice, before you run this tool, always make sure that a scheduled software update synchronization has completed.

    How to Use Definition Update Automation Tool with Task Scheduler

    1. Start Task Scheduler, and in the Actions pane, click Create Task.
    2. In the Create Task dialog box, give the task a name, and then, under Security Options, make sure that the user account specified has the appropriate Configuration Manager permissions to update the definition package and definition assignment specified in the command line. To make sure the program has the right to create the log under %ProgramData%, check Run with highest privileges.
    3. On the Actions tab, click New, and in the New Action dialog box, specify the following command line to run:
      • <ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe
    4. In the Add arguments text box, enter the following arguments and then click OK:

      /AssignmentName AssignmentName /PackageName PackageName

      Where AssignmentName is the name of the software deployment for the definitions which you recorded earlier and PackageName is the name of the software package that contains the definitions which you recorded earlier. Parameters are not case sensitive.

    5. On the Triggers tab, click New.
    6. In the New Trigger dialog box, under Settings, select Daily.
    7. Under Advanced settings, select the check box for Repeat task every, in the list click 8 hour, and then next to for a duration of, click Indefinitely.
    8. In the New Trigger dialog box, click OK, and then in the Create Task dialog box, click OK.

    How to Use Definition Update Automation Tool with Status Filter Rule

    Note: This is the recommended scheduling option as it allows the Definition Update Automation Tool to automatically run after a WSUS synchronization completes successfully.

    1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Status Filter Rules.
    2. Right-click Status Filter Rules, click New, and then click New Status Filter Rule.
    3. On the General page of the New Status Filter Rule Wizard, specify a name for the new status filter rule and configure the following for the message-matching criteria:
      • Set Source: Configuration Manager Server
      • Component: SMS_WSUS_SYNC_MANAGER
      • Message ID: 6702
    4. On the Actions page of the New Status Filter Rule Wizard, specify the following action:
      • Run a program
      • Program: <ConfigMgr Install Dir>\AdminUI\bin\RunSoftwareUpdateAutomation.bat

    Sample RunSoftwareUpdateAutomation.bat:

    "<ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName "AssignmentName" /PackageName "PackageName"

    Note: It is recommended to put the Definition Update Automation Tool command line in a batch file to prevent problems with the quotes (“).

    The Status Filter Rule runs the tool under the System account. To enable the tool to download, make sure the system account has the appropriate proxy settings. One option to configure the proxy settings for localsystem is to use the BITSAdmin Tool (for more information on the BITSAdmin Tool, click here).

    You can use the command bitsadmin /util /setieproxy localsystem to set the proxy setting for the system account (e.g. bitsadmin /util /setieproxy localsystem MANUAL_PROXY myproxy *.mydomain.com).

    More information about scheduling

    A proper schedule for software update point synchronization is necessary to keep your Forefront Endpoint Protection clients up-to-date. Below is the recommended setting for these schedules when using this tool:

    1. Software update point synchronization to run every day.

      In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Component Configuration.

      Right-click Software Update Point Component, click Properties.

      Click Sync Schedule Tab, check Enable Synchronization on a schedule, check Simple schedule and Run every 1 Days.

    2. Configure Definition Update Automation Tool to run every time software update point synchronization succeeds as described above in “How to Use Definition Update Automation Tool with Status Filter Rule”.

    Additional considerations

    There are four suggested Configuration Manager and Forefront Endpoint Protection 2010 topologies: See http://technet.microsoft.com/en-us/library/gg412503.aspx. In this section, we will give suggestions on where to run this tool for each topology.

    • Centralized policy control and centralized Forefront Endpoint Protection administration

    Run this tool on each central site.

    • Centralized policy control and decentralized Forefront Endpoint Protection administration

    Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.

    • Decentralized policy control and decentralized Forefront Endpoint Protection administration

    Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.

    • Decentralized policy control and Forefront Endpoint Protection administration with centralized Forefront Endpoint Protection reporting

    Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.

    Trouble-shooting

    SoftwareUpdateAutomation.log will always be the first place to investigate. The log file is located in %ALLUSERSPROFILE%.

    You can use the parameter /Verbose to enable verbose logging.

    When using Task Scheduler to run the tool, the task must be selected to run as highest privilege. Otherwise, no log file will be created.

    Common Errors and Potential Workarounds

    Error in SoftwareUpdateAutomation.log: Error:Error Downloading SourceURL…… Result: 12007

    Possible reason and resolution:

    • Verify that the proxy is set correctly.
    • If you run the tool with a domain user account, check the proxy with the command: netsh winhttp show proxy
    • If you run the tool with the system account (e.g. you use a Status Filter Rule to run the tool), check the proxy with the command: bitsadmin /util /getieproxy localsystem

    Error in SoftwareUpdateAutomation.log: Cannot find the log

    Possible reason and resolution:

    • The log is under the %ProgramData% folder.
    • If you run it on Windows 2003 Server, there is no %ProgramData% environment variable. You can always use %ALLUSERSPROFILE% to access the folder that contains the log file.
    • If you run the tool with a Task Sequence, ensure that the user account used to run the tool has permission to create the log under that folder (and that run as highest privilege is selected).
    • Make sure the command line parameters are set correctly; otherwise no log will be created.

     

    How to Configure Configuration Manager for Forefront Endpoint Protection Update and Create Deployment Package and Assignment

    1. If needed, install Windows Server Update Services by using Server Manager. For more information, see How to Install Windows Server Update Services 3.0 in the Configuration Manager library on TechNet.
    2. If needed, add the software update point site system role to your Configuration Manager environment. For more information about how to add the software update point site system role, see How to Add the Software Update Point Site Role to a Site System in the Configuration Manager library on TechNet.
    3. Configure software updates to download the appropriate updates, and configure the synchronization schedule. For steps on configuring the software updates site system role, see How to Configure Software Updates Synchronization in the Configuration Manager library on TechNet.  When you configure software updates, ensure the following items are selected:
      • On the Classifications tab, select Definition Updates.
      • On the Products tab, select Microsoft Forefront Endpoint Protection 2010.
    4. Create Deployment Package and Assignment
      • In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Computer Management / Software Updates / Update Repository / Definition Updates / Microsoft / Microsoft Forefront Endpoint Protection 2010
      • In the details pane, click the most recent active Forefront Endpoint Protection 2010 definition update (represented by a green icon), and then click Download Software Updates.
      • Create the definition update deployment package by completing the Download Updates Wizard for the selected update. When completing the wizard, ensure the following:

            On the Deployment Package page, in the Package Source text box, specify a shared folder with permissions appropriate for software distribution in your organization.
            Make note of the name you give this software package; you need this name for the PackageName parameter for the definition update automation tool, which is configured in a later step.
      • When finished with the Download Updates Wizard, click Finish.
      • In the details pane, click the same Forefront Endpoint Protection 2010 definition update from step 2, and then click Deploy Software Updates.
      • Deploy the definition updates by completing the Deploy Software Updates Wizard. When completing the wizard, ensure the following:

            On the General page, specify a name for the software deployment. Make note of this name; you need this name for the AssignmentName parameter for the definition update automation tool, which is configured in a later step.
            On the Deployment Template page, select Create a new deployment definition.
            On the Collection page, click Browse and then select the target collection.
            On the Display/Time Settings page, set the Duration to 2 hours, and if you want users to not be notified that an update is available, select Suppress display notifications on clients.
            On the Create Template page, specify a name for the template.
            On the Schedule page, select As soon as possible. If you selected to suppress display notifications, verify that Set a deadline for software update installation is selected, and verify the deadline time.
            When finished with the Deploy Software Updates Wizard, click Finish.

    --Jason Lewis

    This posting is provided "AS IS" with no warranties and confers no rights.

    Introducing Forefront Endpoint Protection 2010

    From Ariel Katz, Director of Program Management:

    I am pleased to announce that Forefront Endpoint Protection 2010 Beta is publicly available for everyone to download.

    FEP, the next generation release of Forefront Client Security, will simplify and improve endpoint protection while greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2007 R2, enabling you to use the existing client management infrastructure to deploy and manage endpoint protection.  This shared infrastructure lowers ownership costs while providing improved visibility and control over endpoint management and security.

    Key new features that you will be able to evaluate in this beta release are:

    • Integration with Configuration Manager -  Single interface for managing and securing endpoints reduces complexity and improves troubleshooting and reporting insights.

    • New Antivirus Engine -  Highly accurate and efficient threat detection protects against the latest malware and rootkits with a low false positive rate.

    • New behavioral threat detection -  Protection against “unknown” or “zero day” threats provided through behavior monitoring, emulation, and dynamic translation.

    • Dynamic Cloud Updates -  On-demand signature updates from the cloud for suspicious files and previously unknown malware.

    • Windows Firewall management -  Ensures Windows Firewall is active and working properly on all endpoints, and allows administrators to more easily manage firewall protections across the enterprise.

    The download is available now on our download center (http://www.microsoft.com/downloads/details.aspx?FamilyID=8b46c3ff-d9a0-4741-8ba5-458c1b3d2257) and I invite you to install and test in your environment today. We look forward to hearing what you think. 

    Ariel Katz, Director of Program Management
