How to install Microsoft Forefront Client Security Antivirus on Windows Home Server 2011

Posted by Paul Braren on Oct 2 2011 (updated on Sep 24 2012) in
  • HomeServer
  • JustForefrontUIRunningOnWHS2011
    ForefrontRunningOnWHS2011

    Oct 03 2011 Update 9am eastern: It has come to my attention that my downloadable Forefront version information may be incorrect, I'm working on testing/updating that information now

    Oct 03 2011 Update 11:21am eastern: Updates to the instructions and screenshots below are now complete.  The YouTube video has now been removed by tinkererguy (me), as it's title, voiceover, and actual demonstration of me figuring this all out were accidentally misleading

    Oct 05 2011 Update 1:00am eastern: New clean video (no sound) uploaded, showing all steps including Windows Update configuration.  Documentation below updated as well

    Oct 07 2011 Update 11:54pm eastern: Joe_Miner just located a key new TechNet document, walking you through client install, and pretty much replacing all the information below:
    http://technet.microsoft.com/en-us/library/bb625083.aspx
    although both install methods seem to have the exact same end result, so it appears to not matter which install method you choose.

    Sep 24 2012 Update: unfortunate news:
    www.zdnet.com/microsoft-axes-many-of-its-forefront-enterprise-security-products-7000004166


    Microsoft Forefront Client Security runs on Windows Home Server 2011, Windows Storage Server 2008 R2 Essentials, and Windows Home Server v1, no MOM required!

    If you already have a Microsoft MSDN or TechNet (paid) subscription, you can try Microsoft Forefront Client Security on your Windows Home Server, and it seems to work well. What's the catch? There are several, but none are really show-stoppers:

    1) as always, you are responsible for following the EULA in your Microsoft TechNet or MSDN subscription.

    2) Microsoft does not list these Home Server variants in the Client Computer section of Microsoft Forefront Client Security.

    Microsoft doesn't list Home Servers among the supported OSs here, so it seems likely that you are totally unsupported.

    3) Microsoft does not list these Home Server variants in the Client Computer section of Microsoft Forefront Client Security 2010.

    Microsoft not only doesn't list Home Servers among the supported OSs here, but the installer FEPInstall.exe won't even run, so using the older version (but updating with latest signatures) might just be a dead-end or stop-gap measure, I'm not claiming this is an ideal long-term solution:

    Backstory/Rationale:

    As many have discussed, the well-regarded MSE (Microsoft Security Essentials) antivirus solution also doesn't currently install on Windows Home Server 2011:

    MSEinstallationerror

    Even if MSE does work again someday (as it did with the beta), it's only intended for up to 10 users in a small business, described here:
    windows.microsoft.com/en-us/windows/security-essentials-eula

    So it would perhaps be even less likely it'll ever be licensed and/or allowed to install on my chosen slightly beefier (25 user) version of Windows Home Server 2011, called Windows Storage Server 2008 R2 Essentials, explained at TinkerTry.com/whywss2008r2essentials.

    So, I figured it was time for me to see what AV solution I could run, today, Oct 1 2011, as I finalize my new server called vZilla. While I don't plan to surf or really expose my server to the web directly, if I can find a non-intrusive solution, I would find having it running reassuring.  Even given the offsite backups I keep, I still have a lot of eggs in this precious basket. I can also always add filters to avoid certain folders to reduce overhead.

    Unlike Microsoft Security Essentials, Forefront seems to have heuristics based scanning, although I’m not really sure how important that is.  See also Microsoft's Understanding Anti-Malware Technologies, but I can't seem to find an impartial head-to-head test, I guess time and testing will tell.

    The previously mentioned supported operating system list does include Windows Server 2008 R2, which is what WHS 2011 basically based upon. This is likely part of the reason the installer doesn't die when you go to install this 2007-vintage antivirus product,  which you quickly update once installed.  And the install itself is incredibly easy (double click the MSI, then no questions asked, literally).

    Finding the installer was another matter, but I've documented it for you here. It's buried in a client install MSI file dated from Oct 2007, deep inside the ISO file you download. It's possible some instruction manual somewhere mentions that the client can be installed with this MP_AMBITS.MSI file.  But I couldn't find references, and lost patience, figuring I'd just give it a try on a non-important system, as seen in the video below. Strangely, even microsoft sites don't seem to mention this simple file, here for example, and only after figuring it out through trial and error did I find the file mentioned over here.

    Yes, you'll need to RDP (Remote Desktop Connection) into the WHS2011 directly for many of these steps, but when done, using only Launchpad for Windows Updates intervention (normally automatic) should be just fine, with any virus's found triggering an alert at the clients, I would expect.  Hey, anybody got some viruses to test?  ;-)

    Microsoft Forefront Client Security Download/Install/Update Guide

    Step 1) Download

    login to your MSDN or TechNet, then search for "Forefront Client Security" and you'll get one result, download en_forefront_client_security_x86_x64_cd_x13-62435.iso

    Forefront-Client-Security-download

    Step 2) Extract

    you'll need to use something like UltraISO to get to one file that you need inside the 154MB ISO, or just burn a physical CD and drag and drop, here's the file path and filename: /en_forefront_client_security_x86_x64_cd_x13-62435.iso/CLIENT/X64/MP_AMBITS.MSI

    Step 3) Double click MP_AMBITS.MSI

    it'll install with no questions asked in about 5-10 seconds, and you'll see the tray icon warning you there's a newer version, ignore the URL offered (which has a link to a service pack installer that will fail) and instead just proceed to Step 4...

    Step 4) Run Windows Update

    you will be offered updates to Client Security from the Forefront GUI, ignore that, it won't work.
    Instead, run Windows Update and click the link at the "Get updates for other Microsoft products. Find out more" box and follow along with these screenshots:

    WindowsUpdateGetupdatesforotherMicrosoftproducts1
    GetupdatesforWindowsOfficeandmoreConfirm1

    (just temporarily, you'll be putting it back on the Recommended settings later, otherwise automatic downloads of everything start right away, which you don't want yet)

    GetupdatesforWindowsOfficeandmoreConfirmType
    GetupdatesforWindowsOfficeandmoreCompleted

    Now run Windows Update:
    You can now confirm it's configured correctly, notice how it says "You receive updates: For Windows and other products from Microsoft Update"

    GetupdatesforWindowsOfficeandmoreCompletedAndConfirmed

    Choose Updates, then deselect all updates, then turn on just Forefront for now:

    SelectOnlyForeClientSecurityUpdatesForNow

    B) Within a minute or two of the 2 patches getting installed by Windows Update, you'll get a green happy globe icon running in your tray, indicating all is well with Forefront.

    C) Go ahead and put Windows Update back on Automatic Updates, it'll now automatically include Forefront in it's engine/definitions downloads.

    MicrosoftForefrontClientSecurityRunningNormalAndUpdated

    That's it!  As of Oct 1 2011, in Forefront Client Security, you click on Help, About, and it should show Client Version "1.5.1993.0".

    I look forward to hearing your experiences with Microsoft Forefront Client Security, particularly under WHS 2011 (if you also decide to give it a try).

    Please leave your comments using the extremely easy to use Disqus comment system below, or head on over to the active forum thread already underway here, at one of my favorite hangouts: homeservershow.com/forums

    Finally, here's the complete video walk thru, all steps clearly demonstrated (there is no audio):

    *the original video demonstration of me figuring this all out were accidentally misleading and have been removed in favor of this above, much clearer video (which unfortunately has no audio)


    Sep 12 2012 Update:
    This seems to be the end of this story:
    arstechnica.com/information-technology/2012/09/microsoft-killing-off-most-of-its-forefront-range


    Jan 28 2013 Update:
    For Windows Server 2012 Essentials, this question has come up all over again:
    http://social.technet.microsoft.com/Forums/en-US/winserveressentials/thread/6c941000-4a43-41bb-90b4-cfb9b4d142de

    I had tried the much newer System Center Endpoint Protection, but while initial tests during the beta period looked promising, it didn't work out in the end, explained here:
    http://homeservershow.com/forums/index.php?/topic/4513-antivirus-software-for-server-2012-essentials/#entry52501

    with the error shown here:

    System-Center-2012-Endpoint-Protection-installation-error
    System Center 2012 Endpoint Protection installation error

    But it turns out Forefront Client Security continues to work with Windows Server 2012 Essentials, amazingly enough. Read details here, which basically states that the above instructions still work fine in the newer OS:
    http://homeservershow.com/forums/index.php?/topic/4513-antivirus-software-for-server-2012-essentials/page__st__20#entry52509

    Thank you Joe Miner!

    Whether using a 2006 product with this 2012 release is a good idea or not is another matter, time will tell, on my test VM I'm kicking around right now...

    ForefrontRunningOnWS2012E