FEP 2010 Support for the Datacenter

Hello Administrators,

Today we announce Microsoft Forefront Endpoint Protection (FEP) 2010 release candidate (RC) to the public. For us, the FEP team, it is an exciting date which takes us closer to the Release to Manufacture date. For every product team in MS the RTM date marks the ends of a very long path of product development. Please, go ahead and download the release candidate. We are looking for your feedback!

The release candidate has several improvements over the beta we release in July. In this blog post and the several posts that would be published in the next few days, we will describe these improvements in detail.

One of the exciting new features in FEP is FEP support for the data center. We are proud to introduce 3 new features: (i) a set of predefined policies for common server workloads (ii) FEP Security Management Pack, and (ii) group policy support for the FEP client.

FEP 2010 Predefined Security Policies

One of the major pains we heard from administrators over the years is the difficulty of configuring servers such that they are both secured and highly available. To address this pain, FEP 2010 includes a set of pre-defined security policies for 15 server workloads. For each workload, the policy contains unique settings customized for the workload. For example, the predefined policy for SQL Server contains a list of SQL processes that should be excluded from real time protection, otherwise SQL performance could be significantly degraded.


The predefined policies are built based on the knowledge of security experts across Microsoft and performance experts from the various workload teams. For example, the SQL pre-defined policy was reviewed by the SQL team, and even run on the SQL performance lab to ensure that the recommended policy does not impose significant performance overhead. Using these predefined policies, administrators can easily deploy endpoint security to the organization’s servers, using the FEP console within the Configuration Manager console (Figure 1). Please, go ahead and deploy the policies and send us suggestions for improvement (via the FEP forum).


Figure 1: The FEP New Policy Wizard. The administrator can easily choose a pre-defined policy for more than 15 server workloads.

FEP 2010 Security Management Pack

Many server administrators told us that their preferred monitoring tool is System Center Operations Manager. Hence, the FEP 2010 RC also includes the FEP 2010 Security Management Pack. This is standard management pack that can be imported to Operations Manager 2007 R2 and to be used for real time monitoring, alerting, and remediation of security incidents generated by the FEP client.


The FEP 2010 Security Management Pack serves two goals. First, organizations that use Operations Manager to monitor servers can now use their preferred tool also for security monitoring. Second, for organizations that require guaranteed real time monitoring for their critical systems, like servers, the management pack uses Operations Manager real-time capabilities to ensure real-time reporting.


Besides real-time monitoring and alerting, the FEP 2010 Security Management Pack includes a cool reporting feature. If you install Operations Manager Reporting Services, you can install also the FEP 2010 Security Reporting MP (included with the FEP Security Management Pack download). Once installed, you can use Excel to connect to the Operations Manager DB and generate your own custom reports. Really cool, try it ('fep2010 security mp.msi' on the download page) !


FEP 2010 Group Policy Support

From the early days of Forefront Client Security, we’ve heard customers asking to manage endpoint protection using Group Policy. In FEP 2010 RC, we enable this feature.

The FEP 2010 RC provides the following support for group policy management

  • We provide an ADMX file that enables administrators to control the FEP client settings using Group Policy. The ADMX file provides granular control of over 100 FEP 2010 client settings and is intended to be used on computers that either do not have the Configuration Manager client installed or require granular settings that are not available using the Configuration Manager policy mechanism.
  • The Forefront Endpoint Protection 2010 Group Policy tool enables administrators to translate FEP policies into Group Policy. This means that administrators can define a policy using FEP 2010 console, export it to an XML file using the FEP console, use the Group Policy tool (Figure 2) to translate it into a Group Policy object, (keeping the policy semantics), and then distribute the policy using the Group Policy mechanism. We will continue to discuss the Group Policy tool, in one of our future posts.



Figure 2: The Forefront Endpoint Protection 2010 Group Policy tool enables administrators to translate FEP policies to group policies.

So, it is time for you to try the FEP RC version, and it is time for us to get back to work and to release the RTM version.

Shai Rubin

Senior Program Manager