So we will cover the following:
- Policy Deployment
- Client deployment with Enforced installation
- Client update Using file share
We start by navigating to Forefront Endpoint Protection
and we create a new policy.
A-Desktop policy
The next step is to assign the policy to a collection,
and we are done.
B-Server(s) policy
Microsoft has added a lot of templates, for almost all server types,
so we follow the same path as for the desktop policy, but with the following differences.
For a vanilla server policy we choose the default policy for servers.
And those are the policies.
Client deployment with Enforced installation
We need to create an advertisement for the package.
So we add a distribution point for all our FEP packages (as near as possible to the clients if it is over a WAN).
Make sure that the package is installed (copied) to the DP.
We create the advertisement.
We navigate to Advertisements and change the priority to High.
Next we do the same for the server collections and for Locally Removed.
Note: for locally removed please use “Always rerun program”
Please note that you can assign multiple policies to a Configuration Manager collection, and a computer can be a member of multiple collections that have a policy assigned. The Forefront Endpoint Protection client uses policy precedence to determine which policy to apply. The policy with the highest precedence assigned to the computer is applied by the Forefront Endpoint Protection client.
We can also use GPO to deploy the policy, but this is for advanced configurations (about 100 options).
Client update Using file share
Note: you should always try to use WSUS as your update server. Personally, I use only the file share for the first deployment, because the first update is about 30 to 100M and the daily update is about 1M.
We create a folder called updates (it must be named updates) with the following subfolders:
x64
x86
Each folder should have these two files:
- Mpam-fe.exe
- Nis_full.exe
You can get both files by downloading them from the following locations:
For x64:
- Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64)
- Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197094)
For x86:
Now we just go to our policies and change their configuration.
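
Before pointing the policy at the share, it is worth checking that the layout described above is complete. The following PowerShell is an added example, not part of the original post; the share path `\\fileserver\FEP\updates` and the function name `Test-FepUpdateShare` are assumptions, and the Authenticode check is an extra verification step that the post does not mention.

```powershell
# Added example: validate the FEP definition share layout (updates\x64, updates\x86).
# Hypothetical share path; replace it with your own.
$ShareRoot     = '\\fileserver\FEP\updates'
$architectures = 'x64', 'x86'
$requiredFiles = 'Mpam-fe.exe', 'Nis_full.exe'   # file names as given in the post

function Test-FepUpdateShare {
    param([string]$Root)

    # The post states the folder must be named "updates".
    if ((Split-Path -Path $Root -Leaf) -ne 'updates') {
        Write-Warning "Folder is not named 'updates': $Root"
    }

    foreach ($arch in $architectures) {
        foreach ($file in $requiredFiles) {
            $path   = Join-Path (Join-Path $Root $arch) $file
            $result = [pscustomobject]@{
                Arch      = $arch
                File      = $file
                Present   = $false
                Signature = 'n/a'
                Signer    = $null
                AgeDays   = $null
            }
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $item = Get-Item -LiteralPath $path
                # Confirm the definition package still carries a valid signature
                # before clients are told to install it from the share.
                $sig  = Get-AuthenticodeSignature -FilePath $path
                $result.Present   = $true
                $result.Signature = $sig.Status      # expect 'Valid'
                if ($sig.SignerCertificate) {
                    $result.Signer = $sig.SignerCertificate.Subject
                }
                # Stale files mean clients receive old definitions.
                $result.AgeDays = [int]((Get-Date) - $item.LastWriteTime).TotalDays
            }
            $result
        }
    }
}

Test-FepUpdateShare -Root $ShareRoot | Format-Table -AutoSize
```

Any row with `Present` set to False, a `Signature` other than Valid, or a large `AgeDays` should be fixed before the policy is changed to use the share.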