FCS Deployment Tool console – After computers import

Microsoft Forefront Client Security
Deployment Module
User Guide
Published: June 2008
Version: 1.00 (Build 1007)
Written by: Yaniv Feldman (yaniv@dbnet.co.il)
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted.
In examples herein are fictitious, and no association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Excel, Forefront, Windows, Windows Server, and Windows Vista are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
Contents
Contents.................................................................................................................................... 3
Introduction .............................................................................................................................. 4
Installation ................................................................................................................................ 5
Pre-Requisites for FCS Deployment Tool .................................................................................... 5
Pre-Requisites for Client Deployment ........................................................................................ 5
Installation Procedure.............................................................................................................. 5
User Interface ............................................................................................................................ 6
Microsoft FCS Deployment Start-up screen ................................................................................ 6
Configure Deployment Options ................................................................................................. 7
Client Installation Shares ...................................................................................................... 7
Installation Account Settings ................................................................................................. 7
Simultaneous Installation Threads ......................................................................................... 8
Collection Server ................................................................................................................. 8
Management Group ............................................................................................................. 8
Import Computers ................................................................................................................... 8
Import Computers Wizard .................................................................................................... 9
Select Computers from the network ...................................................................................... 9
Select Active Directory Organizational Unit ........................................................................... 11
Select Computers from Active Directory ............................................................................... 12
FCS Deployment Tool console – After computers import ........................................................... 13
FCS Deployment Tool console – After computers import ........................................................ 13
FCS Deployment additional information ..................................................................................... 14
Introduction
Forefront Client Security (FCS) is an Anti-Malware application developed by Microsoft and it is
currently running in its first version.
Read this guide if you want:

Deploy FCS (Forefront Client Security) using FCS Deployment tool.
For more detailed information about Client Security deployment and features, see the
Client Security Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=86998) and the Client
Security Administrator's Guide (http://go.microsoft.com/fwlink/?LinkId=86997).
This User Guide provides a brief introduction to Forefront Client Security Deployment tool, including
an overview of the user interface and high-level features, and links to other resources for getting help
with the product.
The Forefront Client Security Deployment Tool is a free toolkit that is meant to provide additional
deployment capabilities in addition to those who are available with the original FCS product. This
utility gives network and security administrators the ability to scan their network and/or AD, discover
existing solutions that are already installed on their clients, uninstall the existing solution and install
FCS Client – all in one.
This is tool is a free utility and was not developed my Microsoft. It is not supported by Microsoft in
anyway.
Installation
Pre-Requisites for FCS Deployment Tool
The following pre-requisites must exist on the computer where you want run the FCS Deployment Tool
on:
1. Forefront Client Security Server Infrastructure Deployed and functioning.
2. .net Framework 2.0
3. .net Framework 3.0
In addition to those pre-requisites, you should make sure you also have the following available before
starting the deployment operation:
1. Shared directory with 32bit FCS Client Installation files.
2. Shared directory with 64bit FCS Client Installation files.
3. User with administrative privileges on all designated deployment targets (computers).
Pre-Requisites for Client Deployment
1. Make sure Client Pre-Requisites exists on all deployment designated targets (the deployment
tool only installs the XP mini-filter incase that it is missing):
a. Windows Vista: No Pre-Requisites.
b. Windows XP: Service Pack 2 and above, Windows Update Agent 2.0, Windows Installer
3.1
c. Windows 2000: Service Pack 4 and above, GDI+ Hotfix, Windows Update Agent 2.0,
Windows Installer 3.1
2. Disable all Client removal protection - This means that you must disable all password
protection or enforcement features on your current Anti-Virus Solution before you will be able
to use the deployment tool.
3. Connectivity – FCS Deployment Tool uses RPC and NetBIOS to deploy the FCS Client Agents.
There for it needs ports 135,137,139. Our recommendation is to disable client firewall for the
target deployments up until the deployment is finished.
Installation Procedure
Extract the Zip file into a specified folder on the management server and click
Microsoft.FSC.deployment.exe to activate the tool.
User Interface
The FCS Deployment tool's User interface if provided as a single wizard guided console.
Microsoft FCS Deployment Start-up screen
This screen is used FCS Client Deployment default start-up screen. In order to begin the deployment
process, you should click the "Configure Deployment Options" button on the upper left corner of the
screen.
Configure Deployment Options
Client Installation Shares

32bit Client – this text box should contain the full path (UNC Share) to the directory that
contains the bits for the 32bit client of FCS. The directory should contain the following files:
clientsetup.exe, mp_ambits.msi, fcsssa.msi, momagent.msi and a localized version of
914882kb (xp mini-filter hotfix).

b- this text box should contain the full path (UNC Share) to the directory that contains the bits
for the 64bit client of FCS. The directory should contain the following files: clientsetup.exe,
mp_ambits.msi, fcsssa.msi, momagent.msi and a localized version of 914882kb (xp mini-filter
hotfix).
Note: usually, the 64bit folder will be located under the 32bit share and will be called x64 (this is the
case if you copy the client folder from the FCS media into a local folder and share it).
Installation Account Settings
 Username – This text box should contain a username (in the format of DOMAIN\Username) of
a user that has administrative privileges on the target machines.
 Password – this text box should contain the password of the installation user account.
Simultaneous Installation Threads
This text box allows you to determine that amount of process that will run simultaneously on the
deployment process. The amount of process is limited up to 50 threads in order to maintain network
and server stability. By selecting an amount of threads you wish to run on parallel, and deploying to a
larger group of target machines, the process creates a queue for the rest of the computers and starts
that deployment process on the next machine in the list as soon as the first one is over (FIFO).
Collection Server
This field should contain the FQDN (fully qualified domain name) of the collection server that you
wish the FCS client will report to.
Note: in case you have a one-server topology, this will be also the management server. In case you
have a more than one server topology, make sure you write name of the collection server and not
the management server.
Management Group
This field should contain the management group name. by default, the MG name should be
"ForefrontClientSecurity", unless it was changed when you installed the FCS server.
Import Computers
Import Computers Wizard
This wizard gives you 3 options for selecting you deployment targets:
 Select Computers from the network – This option tell FCS to scan your network neighborhood
and gives you a list of computers found to choose from.
 Select all computers from an Active Directory Organizational Unit – This option gives you a
choice of Active Directory OU's to choose from. Once you have chosen a specific OU, all
computer accounts within will be selected as deployment targets.
 Select specific computers from Active Directory – this options allows you to choose specific
computers by searching for computer accounts in Active Directory.
After selecting an option, click next to move to the next phase of the wizard.
Select Computers from the network
On the right side of the window, you can find the list of computers that has been detected from your
network neighborhood.
On the left side of the window, you can find the list of deployment targets.
Select computers from the right list and click the "add" button in order to make the selected
computers part of the deployment target list.
Select computers from the left list and click the "remove" button in order to remove the selected
computers from the deployment target list.
Once finished selecting deployment targets, click the finish button in order to begin import the list of
computers to FCS Client deployment console.
Select Active Directory Organizational Unit
In this window, you can choose a specific Organizational Unit from the local Active Directory Domain.
After selecting and OU, click finish and all the computer account within the selected OU will be
imported to the FCS client deployment console as deployment Targets.
Select Computers from Active Directory
This window allows you to search for computer accounts by name in active directory, and add them
to the deployment target list in the FCS client deployment console.
You have two options for selecting the computer account:
-
Type the selected computer name and click the "check names" button. Repeat this process until
adding all selected computers.
-
Click the advanced button, and then click search. From the list that opens, select computer
accounts that you wish to deploy FCS client on, and click OK.
FCS Deployment Tool console – After computers import
FCS Deployment Tool console – After computers import
At this stage, on the screen, you resume the list of target machines with status, but now the Deploy,
Stop and Reset deployment operations are available.
In case you receive a message of an offline host, check for firewall settings on the host computer to
see if it allows RPC and WMI communications. The simplest way to troubleshoot this is to turn the
firewall off to see if that has an effect on the status checking process.
Deploy – this button begin a deployment operation that includes the following stages:
1) Connecting to the target machine.
2) Uninstalling Existing Antivirus solution.
3) Installing Forefront Client Security Client Agents on the target machine.
Stop – this button stops the deployment operation. Once the operation is stopped, it cannot be
resumed, and a new operation has to be started. When you click the stop button, the deployment
process will not stop immediately, but only clear the remaining target machines in the queue. It will
still try to finish the deployment process currently running on some machines.
Reset deployment Operation – this button resets the deployment operation and clears all target
deployment machines from memory. This button puts back to the initial screen of the client
deployment tab.
FCS Deployment additional
information
Client Security is designed to protect computers running the Windows Vista™, Microsoft Windows
Server 2003, Windows® 2000 Server, and Windows XP and Windows Server 2008 operating systems.
For more information, see Client Security System Requirements
(http://go.microsoft.com/fwlink/?LinkID=77561).
Your topology decision should be based on several factors, including the number of clients in your
environment, your hardware budget, and reporting requirements. Before you install Client Security, it
is highly recommended that you read the Client Security Planning and Architecture Guide
(http://go.microsoft.com/fwlink/?LinkId=87275). The Planning and Architecture Guide contains
detailed information that can help you make your deployment decisions.
Before installing Client Security server components, you should verify that the appropriate network
ports are open on any server firewall. In some cases, firewalls between Client Security servers should
be disabled. For details about preparing for and deploying Client Security, see the Client Security
Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=86998).