SoftwareUpdateAutomation.exe Scheduled Task Fails with an 0x1 Error Message When Updating FEP 2010 Definition Package

Issue

When using the SoftwareUpdateAutomation.exe file as a scheduled task to update the Forefront Endpoint Protection definition files, the scheduled task may fail with an error code of 0x1. In the %programdata%\SoftwareUpdateAutomation.log file you may see the following error:

SQLMessage = "[22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'APSB10-22' to data type int.";

Cause

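This happens when SCUP is used to import third-party updates. These updates sometimes include dashes as part of the articleID column in the database. When the update filter compares articleID with an unquoted number, SQL Server tries to convert every articleID value to an integer, and a value such as APSB10-22 cannot be converted.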

Solution

In the command line arguments for the SoftwareUpdateAutomation.exe scheduled task, use single quotes around the articleID. For example, use the following:

/AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter "articleid='2461484' AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"
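
The check and the fix described above, as an added PowerShell example that is not part of the original post or of the FEP tools. The function names are hypothetical, the sample log text is constructed from the error quoted above, and FEPDefs is the example deployment and package name used elsewhere on this page.

```powershell
# Constructed sample: one log entry in the form quoted in the Issue section.
$sampleLog = @'
SQLMessage = "[22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'APSB10-22' to data type int.";
'@

function Find-ArticleIdConversionError {
    # Returns one object per log line that carries SQLSTATE 22018 / native
    # error 245 for a varchar-to-int conversion, with the value that failed.
    param([string[]]$LogLines)

    $pattern = "\[22018\]\[245\].*converting the varchar value '([^']*)' to data type int"
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                OffendingValue = $Matches[1]
                Line           = $line.Trim()
            }
        }
    }
}

function ConvertTo-QuotedArticleFilter {
    # Wraps a bare articleid value in single quotes so the comparison is done
    # as a string. A value that is already quoted does not match and is left alone.
    param([string]$UpdateFilter)

    [regex]::Replace($UpdateFilter,
        "(?i)\barticleid\s*=\s*([A-Za-z0-9-]+)",
        'articleid=''$1''')
}

# 1. Look for the failure in the log (sample text here; on the site server use
#    Get-Content "$env:ProgramData\SoftwareUpdateAutomation.log" instead).
$hits = @(Find-ArticleIdConversionError -LogLines ($sampleLog -split "`r?`n"))
$hits | ForEach-Object { "Conversion failure on articleID value: $($_.OffendingValue)" }

# 2. Rewrite the unquoted filter and build the scheduled task arguments.
$filter    = ConvertTo-QuotedArticleFilter 'articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0'
$arguments = '/AssignmentName FEPDefs /PackageName FEPDefs /RefreshDP /UpdateFilter "{0}"' -f $filter
$arguments
```

Paste the resulting string into the Add arguments field of the scheduled task action.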

Using Your Distribution Points for FEP Definitions with the Software Update Automation Tool – Forefront Endpoint Protection 2010 Update Rollup 1

In my previous post on using your distribution points for Forefront Endpoint Protection (FEP) 2010 definition files, we had to leverage a VBScript to automate the download of the definition files from Microsoft via a scheduled task, then create a package that updated automatically on a schedule along with a recurring advertisement. We also had to create some additional DCM configuration items and collections. This whole thing became a pretty tedious process to set up, but in the end it worked and the clients could get the definitions from their local DPs instead of the Software Update Point, WSUS server, UNC Share, or Microsoft Update. FEP 2010 Update Rollup 1 makes the process of getting the defs from your DPs a whole lot easier!

Downloading FEP 2010 Update Rollup 1

When you download FEP 2010 Update Rollup 1, you will have the option for x86 and x64 versions as well as a hotfix, KB2554364, which is a reporting fix that must be installed prior to installing Rollup 1. The reporting fix needs to be installed on your Reporting server. Once you have downloaded FEP 2010 Update Rollup 1 and KB2554364 for the architecture types in your environment (32 or 64 bit), you also need to download the FEP 2010 Update Rollup 1 Tools. It’s not required to download all of the tools, but for the purposes of this post, the tool that you want to download is the fepsuasetup.cab, which is the Definition Update Automation Tool.

In summary download the following:

Installing FEP 2010 Update Rollup 1 on Infrastructure Servers

Installing FEP 2010 is simple, but can be slightly confusing at first.

  1. Install FEP2010-Update-KB2554364-xxx-yyy.exe on the server you installed FEP Reporting to (where xxx is the architecture type and yyy is the language; e.g. FEP2010-Update-KB2554364-x64-enu.exe )
  2. Run FEP2010-Update Rollup-KB2551095-xxx-yyy.exe (this will extract into three folders: FepExt, FepReport, FepUx)
    1. FepExt is the FEP Extension for Configuration Manager. This needs to be applied on your SCCM Site Server(s).
    2. FepReport is for FEP Reporting and needs to be installed on the server you installed FEP Reporting to.
    3. FepUx is the FEP Console Extension and will need to be installed on all SCCM Consoles that plan on managing FEP.

Once you have installed the three components, you have completed the server installation of FEP 2010.

Installing FEP 2010 Update Rollup 1 on Clients

FEP 2010 Update Rollup 1 has a client upgrade as well. By default it modifies the files in the FEP – Deployment package that it created with the initial install. Basically, there’s a new FEPInstall.exe file.

Using the “Old” Advertisement to Upgrade Your Clients

Prior to installing FEP 2010 Update Rollup 1, you likely made an advertisement to target machines to install the FEP client. If you would like to use that same advertisement, you will need to modify the program rerun behavior to Always Rerun Program.

Using a New Advertisement to Upgrade Your Clients

Chances are you likely want to use a new advertisement to upgrade your clients. I will assume that you know how to create an advertisement for your environment, however what I would like to point out is a potential collection you can target. FEP creates a collection called Out of Date which is under FEP Collections – Deployment Status. This collection leverages a custom SQL query created by FEP that identifies machines that have an old version of the FEP client. You can target this collection with the new FEP 2010 Update Rollup 1 client package to upgrade your clients, but be forewarned that this collection doesn’t limit workstations or servers, so you may want to create other collections that limit to the Out of Date collection if you want to manage your FEP client rollout better.

Configuring a Deployment Package and Deployment for FEP Definitions

In order for the software update automation tool to work, you will need a deployment and package to leverage. But before that, you’ll need to make sure you are syncing the FEP 2010 Definitions.

Syncing the FEP 2010 Definition Files

  1. From the site server that is the topmost Software Update Point (the one that syncs with Microsoft Update) – Expand Site Database – Site Management – Site Code – Site Settings – Component Configuration
  2. In the middle pane double click Software Update Point Component
  3. In the Classifications tab select Definition Updates
  4. In the Products tab select Forefront Endpoint Protection 2010 (note: if this is your first time syncing with Microsoft update, you may not see Forefront Endpoint Protection in this list. After the first sync you should see a lot of additional products in this list)
  5. In the Sync schedule tab select Custom schedule and click the Customize… button
  6. For the Recurrence Pattern select Custom interval and for Recur every select 1-8 hours (set this at an interval you are comfortable with. The definitions come out three times a day, so at most set this to 8 hours, but if you are comfortable doing it more frequently, then hourly is probably fine)
  7. Click OK
  8. Click OK at the Software Update Point Component Properties dialog window

If you had to do the above steps to get the FEP 2010 Definitions to sync, you probably don’t want to wait for the sync time to start, so to kick off a manual sync, do the following:

  1. Expand Site Database – Computer Management – Software Updates – Update Repository
  2. Right Click on Update Repository
  3. Select Run Synchronization
  4. Open <ConfigMgr Install Dir>\logs\wsyncmgr.log to watch the synchronization progress

After you have sync’d the catalog, you should now be able to create a package.

Creating the Deployment Package

  1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
  2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
  3. Right Click the update you have selected and click Download Software Updates
  4. Alternatively, you could also select Update List which will allow you to add the definition file to an update list AND download the definition to a package. It’s up to you, however in this example I will not be making an update list and will just download to a package.
  5. In the Download Updates Wizard select Create a new deployment package
  6. In the Name field, type an appropriate name
  7. In the Description field, type an appropriate description
  8. For the package source, create a shared location for the definition files to be downloaded to
  9. Click Next
  10. Click Browse in the Distribution Points wizard and select the DPs you would like to send the package to
  11. Click Next
  12. Click Next at the Data Access step
  13. Click Next at the Distribution Settings step
  14. Click Next at the Download Location step (unless you have downloaded the defs manually to a location on the local network)
  15. Select the languages you would like the updates in at the Language selection step and click Next
  16. Click Next at the Summary step
  17. The updates will download, click Close when finished

If all went well, you should now have a package flowing to the DPs you have selected. You can look at the package status node for the package, or you can watch the distmgr.log on each of the servers if you are so inclined. The next step is to create your deployment.

Creating the Deployment

So just like your package, the deployment will also just have “one” update in it (as you’ll find over time the package and deployment will grow to have many updates, but initially we will just select one update).

  1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
  2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
  3. Right Click the update you have selected and click Download Software Updates
  4. In the name field, enter FEPDefs (you can name this something different, however I like to keep the package and deployment the same name, and with the Software Update Automation Tool, this will make things easier later, especially if the name of the package and deployment do not have spaces in the name)
  5. Click Next in the General step
  6. Click Next in the Deployment Template step
  7. In the Collection step, use a collection that makes sense for your environment. I would use a test collection here. Click Next
  8. In the Display/Time settings step, I prefer to select Suppress display notifications on clients, and Client Local Time. Leave the duration at the default of 2 weeks and click Next
  9. In the Restart Settings step, check the Servers and Workstations boxes to suppress restarts. Definitions should NEVER cause a reboot, but I do this just to be safe. Click Next
  10. Click Next in the Event Generation step
  11. In the Download Settings step, I prefer to have clients that are in slow boundaries to download software updates from a distribution point and install. I also prefer to keep the Download software updates from unprotected distribution point and install option selected. Click Next.
  12. In the Create Template step, if you would like to save the template, create a template name, otherwise uncheck the Save deployment properties as a template option and click Next.
  13. In the Deployment Schedule step, keep As soon as possible selected and set a deadline to something appropriate (I prefer to set my deadline to a few minutes ahead of the current time so my clients start to install definitions right away). You can also opt to Enable Wake on LAN and Ignore maintenance Windows and install immediately (which I would do since definitions are constantly being sent out and most maintenance windows are open once a month for most customers, however some may have a nightly window, so treat this option as something that will depend on your environment) and click Next.
  14. At the Summary step click Next
  15. Click Close when finished

If all went well, you should now have a deployment targeting a test collection. During this time, the package should have completed being copied to all the DPs as well. It’s a good idea to validate that the package is on all the DPs at this point. What we have basically done up to this point is created a package and a deployment for a single definition file. Over time, the definitions will obviously be out of date if we don’t update the package and deployment. This is where the Software Update Automation Tool will come into play. This will run a scheduled task which triggers an exe to run and update both the package and deployment for FEP AND it will cause the content to be updated on the DPs.

Configuring the Software Update Automation Tool

This step will require creating a scheduled task. I will do the steps from a Windows 2008 R2 standpoint. For 2003, the steps will be different.

  1. Extract the SoftwareUpdateAutomation.exe file from the fepsuasetup.cab to <ConfigMgr Installation Folder>\AdminUI\bin
  2. Open Task Scheduler (on Windows 2008 or 2008 R2 just go to Start and in the Search Field type in Task Scheduler)
  3. In the Task Scheduler window, right click Task Scheduler Library and select Create Task
  4. In the Create Task window, type in an appropriate name for the task
  5. Under security options in the General tab, click the Change User or Group button
  6. In the Select User or Group window, under Enter the object name to select type in System and click OK
  7. Click the Triggers tab
  8. Click New…
  9. Under settings, select One Time and under Advanced Settings select Repeat task every 1 hour for duration of Indefinitely and click OK
  10. Click the Actions tab
  11. Click New
  12. For Action select Start a program
  13. Under Settings for the Program/script enter <ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe
  14. For Add arguments (optional) use /AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0" (replace <deployment name> and <deployment package> with the names of the deployment and package, for example: /AssignmentName FEPDefs /PackageName FEPDefs /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0") and click OK.
  15. Click OK to close and save the Scheduled Task

Updating Your Policies for Clients to Download the Definitions from Configuration Manager

With update rollup 1 installed, you’ll notice in your policies that a slight change has been made to the updates tab.

With update rollup 1 we can leverage the ability to specify Configuration Manager as the primary source for definition updates and also select the ability to check alternative sources if definitions on the client computer are older than a specific number of days. The previous options that we had with FEP 2010 RTM are now classified as alternative sources. So make sure that you update your policies to leverage Configuration Manager as the primary source for definition updates.

At this point you should now have a scheduled task that runs every hour and updates your package and deployment. When your client computers download policy, they will start to install the latest FEP definition files silently from their distribution points. If you have any questions about the setup of this method, please submit a comment and I’ll try to answer when I can.

Using SCCM Distribution Points for Forefront Endpoint Protection 2010 Definition Updates

THIS METHOD HAS BEEN DEPRECATED AS OF FOREFRONT ENDPOINT PROTECTION UPDATE ROLLUP 1. PLEASE SEE FOREFRONT ENDPOINT PROTECTION 2010 UPDATE ROLLUP 1 USING YOUR DISTRIBUTION POINTS FOR FEP DEFINITIONS WITH THE SOFTWARE UPDATE AUTOMATION TOOL FOR THE NEW METHOD.

As you are probably aware by now, Forefront Endpoint Protection 2010 (FEP 2010) integrates with SCCM to provide you with one console to manage your entire environment, leveraging your SCCM infrastructure to help deploy anti-malware protection.

One of the problems we have with SCCM is the ability to leverage the Software Updates capabilities automatically. For each software update you wish to deploy, you have to add it to a deployment package as well as a deployment. This is fine for monthly security patches, however this process isn’t very good when dealing with anti-virus updates since most vendors release updates multiple times a day.

FEP doesn’t help matters much with this issue, and a lot of customers have had issues with not being able to leverage their SCCM distribution points. FEP gives you three methods to deploy definitions:

  1. WSUS
  2. Microsoft Update
  3. UNC File Share

I won’t go deep into the pros and cons of each, but suffice it to say that none of these will leverage your distribution points (unless you create UNC shares and point your clients to your DPs, which is possible with different policies, but somewhat of a pain).

Leveraging your DPs

So how can we leverage our DPs if the above three options don’t allow us to do so?

The way we accomplish this is rather simple:

  1. Have a script to download the definition files
  2. Create software distribution packages that point to the location where our definitions have been downloaded and update those on an 8 hour schedule (since FEP updates are released 3 times a day)
  3. Create collections of machines with out of date definitions (both 64bit and 32 bit) – I’ll explain this a bit more in a second
  4. Create a recurring advertisement to install the definitions

But before we do all that, we have to understand how the definition process in FEP works.

Forefront Endpoint Protection Definition Files

FEP has 4 definition files

  1. Full definition file (Base ~60MB as of this writing)
  2. Binary Delta Definition (1-15MB)
  3. Delta Definition (1-15MB)
  4. Network Inspection Service Definition File (only used on clients where NIS has been enabled)

For each of these files, there is an x86 and x64 file, so 8 total files available.

Your full definition file is generally between 40-70MB in size and will normally be installed after a new FEP Client install.

The binary delta definition file is generally 1-15MB in size and is used if your client is more than a month behind in its definition updates.

The delta definition file is generally 1-15MB in size (usually smaller than the binary delta definition file) and is typically installed on a daily basis (released 3 times a day).

More information about the definition files can be found at: http://support.microsoft.com/kb/977939

One thing to keep in mind about the definition files is that these files can be downloaded manually EXCEPT for the Binary Delta Definition files. I’m still trying to track down a link to download these files, and when I do, I’ll make sure to post an update here.

Putting This All Together

So now that we know the files we’re dealing with, let’s put this together.

The first thing we need to do is set up a process to download the definition files automatically.

Create the following directories (I’m using the C: drive in this example, but you can use any drive, just make sure to modify the script I reference below)

  • “C:\FEPDefinitions\Updates\delta\amd64”
  • “C:\FEPDefinitions\Updates\delta\x86”
  • “C:\FEPDefinitions\Updates\full\amd64”
  • “C:\FEPDefinitions\Updates\full\x86”
  • “C:\FEPDefinitions\Updates\NIS\amd64”
  • “C:\FEPDefinitions\Updates\NIS\x86”
  • “C:\FEPDefinitions\script”
  1. Download the following script and save it under “C:\FEPDefinitions\script”
  2. Edit the script to download the definitions if you don’t plan on using the C:\FEPDefinitions locations

Create the Scheduled Task

  1. Go to Start – Programs – Administrative Tools – Task Scheduler
  2. In the Actions Pane on the right select Create Task…
  3. For each of the tabs, use the following screen shots (conditions and history don’t need to be modified)
    General

    Triggers

    Actions

    Settings
  4. Once the task is set up, go ahead and run it and verify that the definitions are downloading to the locations you have specified. All of the folders you created before should have definition files now.

Creating the SCCM Packages

So now that we have the content downloaded, we need SCCM to be made aware of it and download it on a schedule to our DPs. In total you will need to create 6 packages. (x86 and x64 packages for the Full and Delta definitions as well as x86 and x64 packages for the full NIS definition if you plan to use NIS). I will walk you through creating one package, you should repeat the process for the other 5 packages.

  1. In the SCCM Packages node in the SCCM Console, right click on the Packages node and select New and then select Folder. Name it FEP Definitions.
  2. Right click the FEP Definitions folder and select New and then select Package
  3. In the new package wizard, input appropriate information for this package and click next
  4. In the data source screen, check the This package contains source files box
  5. For source directory, type in \\servername\sharename\FEPDefinitions\Updates\delta\amd64
  6. Leave Always obtain files from source directory checked
  7. Check the box to Update distribution points on a schedule
  8. Click the Schedule button
  9. For the custom schedule, select a custom interval to recur every 8 hours
    Note:
    Set this 8 hour schedule to start 15-30 minutes after the download is scheduled to run. This will allow the scheduled task some time to download the definitions before SCCM tries to create a new package.
  10. Check Enable binary differential replication
  11. Click Finish

When all is said and done, your General and Data Source tabs of your package should look like this.

General


Data Source

Repeat the above steps for the other 5 packages (3 packages if you aren’t planning on pushing out NIS definitions).

Once the packages are all created, make sure to send each package to your distribution points.

Create the Programs for each Package

I’ll walk you through creating a program for the x64 delta definition (which is the same package I walked you through above).

  1. Drill to Software Distribution – Packages – FEP Definitions – Microsoft Corporation FEP Delta Definitions x64 – Programs
  2. Right click on Programs and select New – Program
  3. In the New Program Wizard, type in a name for the program
  4. For the command line, click browse, and select the mpam-d.exe file
  5. Add a -q as a command line switch, so your command line should look like mpam-d.exe -q
  6. Click Next
  7. Click Next at the Requirements screen
  8. In the Program can run drop down box, select Whether or not a user is logged on
  9. Click Next
  10. In the Advanced screen, select Suppress program notifications
  11. Click next all the way to the end of the wizard

Repeat the above steps for each package you made in the previous section.

Creating Your Collections

So now that we have created the packages to update every 8 hours (since the FEP definitions are released 3 times a day…and as a side note, no, I don’t know the time of day they are released, I have a pending question on that, so for now, just do it 3 times a day), now we need to target an advertisement to a collection, however we have an issue.

We basically have 3 definition types, we have a full update which is about 65MB in size (as of this writing) and we have a delta update which is about 3MB in size (as of this writing) as well as a NIS full definition update which is also about 3MB in size. We know that the 65MB update is for new clients as well as clients that have definition updates older than 2 months. We know that the delta definitions are for machines that have been updated with a definition within the last month. We also know there is a binary delta definition file (which we don’t have the ability to download, or at least I’m unaware of the location of the BDD file) for clients that have definitions that are at least a month old, but aren’t older than two months.

So based on all this information, we know that we don’t want our clients to download 65MB if it’s unnecessary. We only want those who are older than a month to download the full definition update (because we don’t have the BDD file we have to use this criteria, if we had the BDD file, we’d have a collection of machines with definitions older than a month but not older than two months).

In order to find the machines to target with these updates, we need to make some DCM rules. These DCM rules will allow us to populate collections dynamically based on the dates of their definition files.

Creating the Desired Configuration Management Configuration Items

What we’ll be doing here is creating 3 different configuration items

  1. Custom FEP Monitoring – Check if NIS is enabled
  2. Custom FEP Monitoring – Definitions Greater than a Month Old
  3. Custom FEP Monitoring – Definitions Up to a Month Old

Custom FEP Monitoring – Check if NIS is enabled

  1. Navigate to Desired Configuration Management – Configuration Items
  2. Right Click on Configuration Items
  3. Select New – General Configuration Item
  4. In the name field type Custom FEP Monitoring – Check if NIS is Enabled
  5. Click Next
  6. In the Objects screen, click Next
  7. In the Settings screen, click New – WQL Query
  8. For Display Name type in NisEnabled = True
  9. For Description type in Checks to see if NIS is enabled on a machine
  10. For Namespace type in Root\Microsoft\SecurityClient
  11. For Class type in AntimalwareHealthStatus
  12. For Property type in NisEnabled
  13. Click the Validation tab
  14. For Data Type select String
  15. Click New
  16. In the Configure Validation screen, for Name type in NisEnabled = True
  17. For Operator select Equals
  18. For Value select True
  19. For Severity select Information – no Windows event message
  20. Click OK
  21. Click Next all the way through the rest of the wizard

Custom FEP Monitoring – Definitions Greater than a Month Old

  1. Navigate to Desired Configuration Management – Configuration Items
  2. Right Click on Configuration Items
  3. Select New – General Configuration Item
  4. In the name field type Custom FEP Monitoring – Definitions Greater than a Month Old
  5. Click Next
  6. In the Objects screen, click Next
  7. In the Settings screen, click New – WQL Query
  8. For Display Name type in Definitions Greater than a month old
  9. For Namespace type in Root\Microsoft\SecurityClient
  10. For Class type in AntimalwareHealthStatus
  11. For Property type in AntivirusSignatureAge
  12. Click the Validation tab
  13. For Data Type select Integer
  14. Click New
  15. In the Configure Validation screen, for Name type in Antimalware Definitions Age Rule
  16. For Operator select Greater than or equal to
  17. For value type in 30
  18. For severity select Information – no windows event message
  19. Click OK
  20. Click Next all the way through the rest of the wizard

Custom FEP Monitoring – Definitions Up to a Month Old

  1. Navigate to Desired Configuration Management – Configuration Items
  2. Right Click on Configuration Items
  3. Select New – General Configuration Item
  4. In the name field type Custom FEP Monitoring – Definitions Up to a Month Old
  5. Click Next
  6. In the Objects screen, click Next
  7. In the Settings screen, click New – WQL Query
  8. For Display Name type in Definitions Up to a month old
  9. For Namespace type in Root\Microsoft\SecurityClient
  10. For Class type in AntimalwareHealthStatus
  11. For Property type in AntivirusSignatureAge
  12. Click the Validation tab
  13. For Data Type select Integer
  14. Click New
  15. In the Configure Validation screen, for Name type in Antimalware Definitions Age Rule
  16. For Operator select Less than
  17. For value type in 30
  18. For severity select Information – no windows event message
  19. Click OK
  20. Click Next all the way through the rest of the wizard
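
To spot check what these three configuration items will report for a given client, the same WMI class can be queried directly. This is an added PowerShell example, not code from the original post: Get-FepDefinitionBucket and its output columns are hypothetical names, while the namespace, class, properties, the 30 day threshold and the x64-based PC system type are the ones used in the steps on this page.

```powershell
# Added example: reads the values the three configuration items evaluate and
# reports which definition package a client would be targeted with.
function Get-FepDefinitionBucket {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$ThresholdDays = 30    # same value as the two age rules above
    )

    foreach ($computer in $ComputerName) {
        try {
            # Fails with "Invalid namespace" when the FEP client is not installed.
            $health = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' `
                -Class 'AntimalwareHealthStatus' -ComputerName $computer `
                -ErrorAction Stop | Select-Object -First 1
            $system = Get-WmiObject -Class 'Win32_ComputerSystem' `
                -ComputerName $computer -ErrorAction Stop
        }
        catch {
            Write-Warning ("{0}: WMI query failed: {1}" -f $computer, $_.Exception.Message)
            continue
        }
        if (-not $health) {
            Write-Warning ("{0}: no AntimalwareHealthStatus instance returned" -f $computer)
            continue
        }

        $age = [int]$health.AntivirusSignatureAge

        # "Greater than or equal to 30" -> full package, "Less than 30" -> delta.
        $package = if ($age -ge $ThresholdDays) { 'Full' } else { 'Delta' }

        # Assumption: anything that is not reported as x64-based PC is x86.
        $arch = if ($system.SystemType -eq 'x64-based PC') { 'x64' } else { 'x86' }

        # String comparison works whether the property comes back as a
        # boolean or as the text "True".
        $nis = ("$($health.NisEnabled)" -eq 'True')

        New-Object PSObject -Property @{
            ComputerName      = $computer
            Architecture      = $arch
            SignatureAgeDays  = $age
            DefinitionPackage = $package
            NisEnabled        = $nis
        } | Select-Object ComputerName, Architecture, SignatureAgeDays, DefinitionPackage, NisEnabled
    }
}

# Local machine by default; pass -ComputerName for remote clients.
Get-FepDefinitionBucket | Format-Table -AutoSize
```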

Creating the Desired Configuration Management Baseline

So now that we have created the 3 CIs, we need to create a baseline to target your machines that have succeeded in deployment of the FEP client. This baseline will allow the 3 Configuration Items to evaluate. Once these CIs have evaluated, the steps below for creating the collections will allow the collections to populate with machines that are out of date with their definitions.

  1. Navigate to Desired Configuration Management – Configuration Baselines
  2. Right Click on Configuration Baselines
  3. Select New Configuration Baseline
  4. In the name field type Custom FEP Monitoring – Definition Status
  5. Click Next
  6. In the Rules box, click the applications and general blue link. This will open a dialog box to choose Configuration Items
  7. In the Choose Configuration Items dialog box, select Custom FEP Monitoring – Check if NIS is Enabled, Custom FEP Monitoring – Definitions Greater than a Month Old, and Custom FEP Monitoring – Definitions Up to a Month Old
  8. Click OK
  9. Click Next
  10. Click Next
  11. Click Close

Now that the baseline is created, we need to assign it to one or more collections. I actually assign mine to the Out of Date and Deployment Succeeded collections, however you probably can get away with just assigning it to Deployment Succeeded. To assign the baseline to a collection:

  1. Navigate to Desired Configuration Management – Configuration Baselines
  2. Right click on Custom FEP Monitoring – Definition Status
  3. Click Assign to Collection
  4. In the Assign Configuration Baseline Wizard dialog box, click Next
  5. Click Browse
  6. In the Browse Collection dialog, navigate to FEP Collections\Deployment Status\Deployment Succeeded
  7. Click OK
  8. Click Next
  9. For the baseline evaluation schedule, you can stick with the default of 7 days, or change this to be more frequent if you desire
  10. Click Next
  11. Click Next
  12. Click Close

Now once the baseline evaluates, the collections you create in the steps below should begin to populate with machines.

Creating the Collections

So now that we have the DCM Configuration Items created, we can now create our collections leveraging the compliance of the CI and the CI Unique_ID. There are a few ways to do this, however I’ll show you the way I did it. There’s no right or wrong way, just your own way :)

For NIS Enabled Machines

  1. Navigate to Desired Configuration Management – Configuration Items
  2. Right click on Custom FEP Monitoring – Check if NIS is Enabled
  3. Select Create New Collection – Compliant Systems
  4. In the New Collection Wizard click Next
  5. In the Membership Rules screen double click on the Compliant Systems rule
  6. In the Query Rule Properties window, select Edit Query Statement
  7. In the Custom FEP Monitoring… window select Show Query Language
  8. Copy the entire query statement
  9. In the console, navigate to Computer Management – Collections – FEP Collections
  10. Right Click on FEP Collections and select New – Collection
  11. Call this collection NIS Enabled x64
  12. Click Next
  13. In the Membership Rules screen click the yellow cylinder icon to make a query based collection
  14. In the Query Rule Properties name field, type in NIS Enabled X64
  15. Click on Edit Query Statement
  16. Click on Show Query Language
  17. Paste in the query from step 8 (should be on your clip board)
  18. Click Show Query Design
  19. Click the Criteria tab
  20. There should be three lines of text in your criteria, the Configuration Item Compliance State.CIUnique_ID is equal to… as well as the compliance state is equal to one
  21. Click the Yellow Starburst icon to create a new criterion
  22. Click the Select… button
  23. For Attribute class select Computer System
  24. For Attribute select System Type
  25. Click OK
  26. For Value type in x64-based PC
  27. Click OK
  28. Select Dynamically Add New Resources
  29. Click Schedule…
  30. Set the custom schedule to update every 7 hours (this way the collections update slightly more frequently than the advertisements run since the advertisements will run every 8 hours)
  31. Click OK
  32. Click Next all the way to the end

You’ll want to repeat the above steps another 5 times for each of your different platform types (x86 or x64) as well as the different types of definitions. In the end, you should have six collections that look like the following:

Advertisements

The last thing you’ll want to do is create your advertisements to target each of the six collections. Below you can find the screen shots of what your advertisements should look like. If you’d like, I can write up the wizard steps item by item. The key step here is to make sure that the advertisements are set to always re-run.

General

Schedule

Distribution Points

In total, you should have six advertisements. 2 for the full definitions, 2 for the deltas, and 2 for the NIS definitions.

And with that, you should now be able to have your clients download their FEP definitions from their distribution points. There’s a lot of overhead in setting this all up, but once done, you shouldn’t really have to ever touch the process.

I understand that setting things up this way is a pain. In SCCM 2012 this should get better with the auto approval of updates, but in SCCM 2007 land, there really isn’t a better way without making your DPs Software Update Points and having WSUS installed on all of them (not ideal).

If you have any questions, please let me know. Also, if things don’t look right or I missed something, again, let me know. Thanks!