2012년 3월 28일 수요일 오후 12:57
We're looking to deploy the FEP client on Windows 7 Embedded machines (HP) and we're looking to confirm what support is available.
Update Rollup 1 supports WES 7 SP1 but with a major limitation if read correctly; i.e. the write filter is not enabled, I assume that means for operation and not purely for installation and signature updates? Is there any other way of managing this without disabling the write filter, i.e. through exclusions?
- The following Windows 7 Embedded operating systems are now supported
- Windows Embedded Standard 7 SP1
- Windows Embedded POSReady 7
- Windows ThinPC
The WES 7 blog states that a new WES 7 application template is available for FEP 2010 except it isn't actually listed on the 'Compatible Applications' web page, even though other major antivirus solutions are documented. Is there a template out there somewhere?
We’ve recently added 17 new applications & templates to the Compatible Applications website, expanding the scope beyond Microsoft applications to include third-party applications as well as some important anti-virus, security, and thin client applications. Below is the full list of 17 applications for which we recently released templates:
- McAfee VirusScan Enterprise 8.7i
- Microsoft Forefront Endpoint Protection 2010
2012년 3월 29일 목요일 오전 7:24중재자
Thank you for the post.
1. The write filter must be disabled to install FEP client and definition updates. It's due that FEP engine updates or definition updates are lost when devices with write filters enabled restart. The workaround way is to install Windows Embedded Device Manager 2011 on your devices.
2. It's no idea about the FEP 2010 template not listed on web page. Suggest you ask it to Windows Embedded Standard forum.
If there are more inquiries on this issue, please feel free to let us know.
TechNet Community Support
2012년 3월 29일 목요일 오후 12:49
Thanks Rick, I've posted in the Embedded forums too.
What I'm really interested in is how Windows Embedded Device Manager 2011 assists (works around) the write filter issues with FEP?
Surely this is still reliant on disabling the write filter, rebooting, applying the definition updates, committing the overlay, enabling the write filter and rebooting again? Or does it offer a means to commit changes to a write filter enabled machine without the reboots?
2012년 3월 30일 금요일 오전 2:19중재자
2012년 3월 30일 금요일 오전 8:34
I've read that and a few other articles but still don't quite see the advantages of EDM 2011 other than automation, additional collections, new task sequences and WMI support in SCCM. Actually that's quite a lot of advantages but I'm looking at the context of Forefront.
We can already semi-automatically (through task sequences) control the write filter and reboots to install software (Forefront for example).
In respect of Forefront on WES7, the following are still not clear:
- Why EDM 2011 allows Forefront to be used on WES7 with the write filter enabled? Is it purely because the semi-automatic manipulation of the write filter isn't recommended by Microsoft?
- How do people manage Forefront signature updates on WES7 given these can be updated on a 3-hourly schedule. With the write filter reboots are unavoidable (unless EDM does something clever) and to reboot a user's terminal every 3 hours isn't practical.
2012년 4월 2일 월요일 오전 1:59중재자
2012년 4월 2일 월요일 오전 8:19
Thanks, that's very much appreciated.
2012년 4월 17일 화요일 오후 11:04
Thank you for the post.
Windows Embedded Device Manager 2011 lets you seamlessly combine write filters and Forefront Endpoint Protection 2010 to help protect your devices. The write filter handling feature of Device Manager 2011 can automatically disable the write filter, run Endpoint Protection updates, and re-enable the write filter. An advertisement using the EDM_WriteFilterAdvertisementFormatter WMI class, is run in Configuration Manager 2007 as part of a task sequence to automate configuration of Windows Embedded write filters when you use Configuration Manager 2007 to install packages and software updates on Windows Embedded clients. For more information on how this is performed, see: http://technet.microsoft.com/en-gb/library/bb932175.aspx
During the software deployment process, Device Manager 2011 uses the following basic procedure. After Device Manager 2011 detects write filters, it saves configuration information. If Hibernate Once Resume Many (HORM) is used on the device, HORM is deactivated. The device displays the countdown that you set in Configuration Manager to warn users that the device is going to be updated, and then disables write filters. Device Manager 2011 restarts the device from the operating system at least once and an additional restart is performed for each drive protected by EWF in RAM Reg mode. The device is now locked and only users who have Administrator credentials can log on to the device.
Next, the task sequence restarts. If the advertisement is mandatory, the countdown that you set in Configuration Manager will restart from the beginning after the task sequence restarts, and then the software deployment will begin. Otherwise, the software deployment will begin immediately. When the software deployment is completed, Device Manager 2011 restores the write filters. If HORM was previously used on the device, Device Manager 2011 restores HORM. Device Manager 2011 restarts the device operating system. If HORM was not used in the past, the process is completed. If HORM has been restored, the device starts hibernation and will restart from the hibernation file when it is needed.
The restart (reboot) process is a requirement of the operating system, while EDM 2011 is automating only the updating of the device (disabling/enabling the write filters) via the managment of SCCM. See: http://technet.microsoft.com/en-us/library/hh535745.aspx
In my experience, most Admins will configure FEP 2010 policies to run an update check no more than 3 times daily and commonly less frequently. You can also create a custom "Performance-optimized policy" for all WES7 devices, separating them from standard desktops.
Al Knecht, MCSE 2008, MCTS Server 2008 & FCS, MCITP Server 2008, MCSA 2003, CISSP®
Microsoft Security Support Engineer
- 답변으로 표시됨 Rick TanModerator 2012년 4월 18일 수요일 오전 2:55
2012년 4월 20일 금요일 오전 10:14
That's beautifully explained, very much appreciated.
It cements the case for using EDM 2011 within our enterprise, particularly as HP bundle the client licence in with out terminals.