The FEP dashboard located on the SCCM console has a wealth of information. It provides FEP admins with a snapshot of the overall health of your FEP deployment and various statistics including recent malware activity, definition status, and even when FEP has been disabled on an endpoint.
The dashboard information is based on a series of FEP collections automatically created when you deploy the FEP server roles. The collections are named based on the purposes they serve. For example, the FEP collection, “Recent Malware Activity,” will display all of the clients that have FEP installed and have reported malware activity in the last 24 hours. The collection membership rules for FEP are complex and since the FEP dashboard relies on this information, the collections are locked and the membership rules cannot be modified. You cannot even view the query from the SCCM console. However, where there is a will, there is a way.
In order to see the actual FEP collection membership queries, you need to open the SQL management studio and run the following SQL query on the SCCM database:
SELECT Collection_Rules.CollectionID, Collections.CollectionName, Collection_Rules_SQL.SQL, Collection_Rules_SQL.WQL
FROM Collection_Rules INNER JOIN
Collection_Rules_SQL ON Collection_Rules.CollectionID = Collection_Rules_SQL.CollectionID INNER JOIN
Collections ON Collection_Rules.CollectionID = Collections.CollectionID
This will display all of the membership rules for each FEP collection (as well as all of your collections).
If you do not have access to the SCCM database, you can just download this excel spreadsheet that has the FEP membership queries already.