When using the SoftwareUpdateAutomation.exe file as a scheduled task to update the Forefront Endpoint Protection definition files, the scheduled task may fail with an error code of 0x1. In the %programdata%\SoftwareUpdateAutomation.log file may see the following error:

SQLMessage = "[22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'APSB10-22' to data type int.";

Cause

This happens when SCUP is used to import third party updates. These updates sometimes include dashes as part of the articleID column in the database.

Solution

In the command line arguments for the SoftwareUpdateAutomation.exe scheduled task, use single quotes around the articleID. For example, use the following:

/AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter "articleid='2461484' AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"

There is a way to handle the compression and exclude WIM files, as well as any other extension you want to exclude. This can save you a good amount of time. In my customer's case this week, we noticed that distribution manager took 5 minutes to complete "compression" instead of 30 minutes that it previously took.

I mention "compression" (in quotes) because while distmgr.log will show the file being compressed, if you look at the file size, it's actually slightly bigger (in some cases) than the original WIM file.

For example, look at this screen shot of my distmgr.log where I send an x86 boot WIM that distmgr compresses

Notice the first line where it says the size of the package is 129544 KBytes and the compressed size at the bottom is 129068 KBytes. Not very much space gained here, but look at the amount of time it took to compress roughly 130MB. It took 2 minutes.

Let's take a look at the same package with compression off for WIM files:

Notice here how the same package content is still "compressed", but the content is actually BIGGER, yet the amount of time is a minute less (or 50% in reduction of time to "compress"). It's bigger, likely because there is some additional information that gets added to the package as it is getting moved to a .pck file. The package will always convert from a .wim to .pck, however the compression engine simply isn't involved.

In order to exclude WIM files from compression you need to edit the following location in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Compression\DontCompressExts on 32 bit servers

Or

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Compression\DontCompressExts on 64 bit servers

In this list, you will see:

.cab;.zip;.arj;.rar;.jpg;.jpeg;.wma;.wmv;.mpg;.mpeg;.mov

Simply add

.cab;.zip;.arj;.rar;.jpg;.jpeg;.wma;.wmv;.mpg;.mpeg;.mov;.wim

• PPTP and L2TP VPN support
• CSFR improved web security
• Change WEB UI 4G icon change
• RSSI indicator change
• Extended default IP range
• Resolves Wi-Fi disconnect / interference issue
• Device configuration script

If you haven't been to the Building Windows 8 Blog yet, I highly recommend bookmarking it as the Windows 8 team has been updating it frequently.

Today's post comes from Alex Simons and takes a brief look at the history of Windows Explorer (going back to MS-DOS Executive in Windows 1.0) and a very interesting look at the telemetry data (the data we use when we ask you to opt into the Customer Improvement Experience Program for many of our products) from our users to see how they are using the product and how we can make the products better.

Goals of the new Windows Explorer

We set out to accomplish three main goals with this new version of Explorer.

1. Optimize Explorer for file management tasks. Return Explorer to its roots as an efficient file manager and expose some hidden gems, those file management commands already in Explorer that many customers might not even know exist.
   
2. Create a streamlined command experience. Put the most used commands in the most prominent parts of the UI so they are easy to find, in places that make sense and are reliable. Organize the commands in predictable places and logical groupings according to context, and present relevant information right where you need it.
   
3. Respect Explorer's heritage. Maintain the power and richness of Explorer and bring back the most relevant and requested features from the Windows XP era when the current architecture and security model of Windows permits.
   

Read more at Improvements in Windows Explorer

Downloading FEP 2010 Update Rollup 1

When you download FEP 2010 Update Rollup 1, you will have the option for x86 and x64 versions as well as a hotfix KB2554364 which is reporting fix that must be installed prior to installing Rollup 1. The reporting fix needs to be installed on your Reporting server. Once you have downloaded FEP 2010 Update Rollup 1 and KB2554364 for the architecture types in your environment (32 or 64 bit) you also need to download the FEP 2010 Update Rollup 1 Tools. It's not required to download all of the tools, but for the purposes of this post, the tool that you want to download is the fepsuasetup.cab which is the Definition Update Automation Tool.

In summary download the following:

• FEP 2010 Update Rollup 1 (you should download two files, Update Rollup 1 as well as KB2554364 for your architecture type)
• Definition Update Automation Tool
  

Installing FEP 2010 Update Rollup 1 on Infrastructure Servers

Installing FEP 2010 is simple, but can be slightly confusing at first.

1. Install FEP2010-Update-KB2554364-xxx-yyy.exe on the server you installed FEP Reporting to (where xxx is the architecture type and yyy is the language; e.g. FEP2010-Update-KB2554364-x64-enu.exe )
2. Run FEP2010-Update Rollup-KB2551095-xxx-yyy.exe (this will extract into three folders: FepExt, FepReport, FepUx)
   1. FepExt is the FEP Extension for Configuration Manager. This needs to be applied on your SCCM Site Server(s).
   2. FepReport is for FEP Reporting and needs to be installed on the server you installed FEP Reporting to.
   3. FepUx is the FEP Console Extension and will need to be installed on all SCCM Consoles that plan on managing FEP.

Once you have installed the three components, you have completed the server installation of FEP 2010.

Installing FEP 2010 Update Rollup 1 on Clients

FEP 2010 Update Rollup 1 has a client upgrade as well. By default it modifies the files in the FEP - Deployment package that it created with the initial install. Basically, there's a new FEPInstall.exe file.

Using the "Old" Advertisement to Upgrade Your Clients

Prior to installing FEP 2010 Update Rollup 1, you likely made an advertisement to target machines to install the FEP client. If you would like to use that same advertisement, you will need to modify the program rerun behavior to Always Rerun Program.

Using a New Advertisement to Upgrade Your Clients

Chances are you likely want to use a new advertisement to upgrade your clients. I will assume that you know how to create an advertisement for your environment, however what I would like to point out is a potential collection you can target. FEP creates a collection called Out of Date which is under FEP Collections – Deployment Status. This collection leverages a custom SQL query created by FEP that identifies machines that have an old version of the FEP client. You can target this collection with the new FEP 2010 Update Rollup 1 client package to upgrade your clients, but be forewarned that this collection doesn't limit workstations or servers, so you may want to create other collections that limit to the Out of Date collection if you want to manage your FEP client rollout better.

Configuring a Deployment Package and Deployment for FEP Definitions

In order for the software update automation tool to work, you will need a deployment and package to leverage. But before that, you'll need to make sure you are syncing the FEP 2010 Definitions.

Syncing the FEP 2010 Definition Files

1. From the site server that is top most Software Update Point (the one that syncs with Microsoft Update) – Expand Site Database – Site Management – Site Code – Site Settings – Component Configuration
2. In the middle pane double click select Software Update Point Component
3. In the Classifications tab select Definition Updates
4. In the Products tab select Forefront Endpoint Protection 2010 (note: if this is your first time syncing with Microsoft update, you may not see Forefront Endpoint Protection in this list. After the first sync you should see a lot of additional products in this list)
5. In the Sync schedule tab select Custom schedule and click the Customize… button
6. For the Recurrence Pattern select Custom interval and for Recur every select 1-8 hours (set this at an interval you are comfortable with. The definitions come out three times a day, so at most set this to 8 hours, but if you are comfortable doing it more frequently, then hourly is probably fine)
7. Click OK
8. Click OK at the Software Update Point Component Properties dialog window

If you had to do the above steps to get the FEP 2010 Definitions to sync, you probably don't want to wait for the sync time to start, so to kick off a manual sync, do the following:

1. Expand Site Database – Computer Management – Software Updates – Update Repository
2. Right Click on Update Repository
3. Select Run Synchronization
4. Open <ConfigMgr Install Dir>\logs\wsyncmgr.log to watch the synchronization progress

After you have sync'd the catalog, you should now be able to create a package.

Creating the Deployment Package

1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
3. Right Click the update you have selected and click Download Software Updates
4. Alternatively, you could also select Update List which will allow you to add the definition file to an update list AND download the definition to a package. It's up to you, however in this example I will not be making an update list and will just download to a package.
5. In the Download Updates Wizard select Create a new deployment package
6. In the Name field, type an appropriate name
7. In the Description field, type an appropriate description
8. For the package source, create a shared location for the definition files to be downloaded to
9. Click Next
10. Click Browse in the Distribution Points wizard and select the DPs you would like to send the package to
11. Click Next
12. Click Next at the Data Access step
13. Click Next at the Distribution Settings step
14. Click Next at the Download Location step (unless you have downloaded the defs manually to a location on the local network)
15. Select the languages you would like the updates in at the Language selection step and click Next
16. Click Next at the Summary step
17. The updates will download, click Close when finished

If all went well, you should now have a package flowing to the DPs you have selected. You can look at the package status node for the package, or you can watch the distmgr.log on each of the servers if you are so inclined. The next step is to create your deployment.

Creating the Deployment

So just like your package, the deployment will also just have "one" update in it (as you'll find over time the package and deployment will grow to have many updates, but initially we will just select one update).

1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
3. Right Click the update you have selected and click Download Software Updates
4. In the name field, enter FEPDefs (you can name this something different, however I like to keep the package and deployment the same name, and with the Software Update Automation Tool, this will make things easier later, especially if the name of the package and deployment do not have spaces in the name)
5. Click Next in the General step
6. Click Next in the Deployment Template step
7. In the Collection step, use a collection that makes sense for your environment. I would use a test collection here. Click Next
8. In the Display/Time settings step, I prefer to select Suppress display notifications on clients, and Client Local Time. Leave the duration at the default of 2 weeks and click Next
   
9. In the Restart Settings step, check the Servers and Workstations boxes to suppress restarts. Definitions should NEVER cause a reboot, but I do this just to be safe. Click Next
   
10. Click Next in the Event Generation step
11. In the Download Settings step, I prefer to have clients that are in slow boundaries to download software updates from a distribution point and install. I also prefer to keep the Download software updates from unprotected distribution point and install option selected. Click Next.
    
12. In the Create Template step, if you would like to save the template, create a template name, otherwise uncheck the Save deployment properties as a template option and click Next.
13. In the Deployment Schedule step, keep As soon as possible selected and set a deadline to something appropriate (I prefer to set my deadline to a few minutes ahead of the current time so my clients start to install definitions right away). You can also opt to Enable Wake on LAN and Ignore maintenance Windows and install immediately (which I would do since definitions are constantly being sent out and most maintenance windows are open once a month for most customers, however some may have a nightly window, so treat this option as something that will depend on your environment) and click Next.
14. At the Summary step click Next
15. Click Close when finished

If all went well, you should now have a deployment targeting a test collection. During this time, the package should have completed being copied to all the DPs as well. It's a good idea to validate that the package is on all the DPs at this point. What we have basically done up to this point is created a package and a deployment for a single definition file. Over time, the definitions will obviously be out of date if we don't update the package and deployment. This is where the Software Update Automation Tool will come into play. This will run a scheduled task which triggers an exe to run and update both the package and deployment for FEP AND it will cause the content to be updated on the DPs.

Configuring the Software Update Automation Tool

This step will require creating a scheduled task. I will do the steps from a Windows 2008 R2 stand point. For 2003, the steps will be different

1. Extract the SoftwareUpdateAutomation.exe file from the fepsuasetup.cab to <ConfigMgr Installation Folder>\AdminUI\bin
2. Open Task Scheduler (on Windows 2008 or 2008 R2 just go to Start and in the Search Field type in Task Scheduler)
3. In the Task Scheduler window, right click
   Task Scheduler Library and select Create Task
4. In the Create Task window, type in an appropriate name for the task
5. Under security options in the General tab, click the Change User or Group
6. In the Select User or Group window, under Enter the object name to select type in System and click OK
7. Click the Triggers tab
8. Click New…
9. Under settings, select One Time and under Advanced Settings select Repeat task every 1 hour for duration of Indefinitely and click OK
10. Click the Actions tab
11. Click New…
12. For Action select Start a program
13. Under Settings for the Program/script enter <ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe
14. For Add arguments (optional) use /AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0" (replace <deployment name> and <deployment package> with the names of the deployment and package, for example: /AssignmentName FEPDefs /PackageName FEPDefs /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0") and click OK.
15. Click OK to close and save the Scheduled Task

Updating Your Policies for Clients to Download the Definitions from Configuration Manager

With update rollup 1 installed, you'll notice in your policies that a slight change has been made to the updates tab.

With update rollup 1 we can leverage the ability to specify Configuration Manager as the primary source for definition updates and also select the ability to check alternative sources if definitions on the client computer are older than a specific number of days. The previous options that we had with FEP 2010 RTM are now classified as alternative sources. So make sure that in your Policies that you update them to leverage Configuration Manager as the primary source for definition updates.

At this point you should now have a scheduled task that will run every hour. This will run hourly and update your package and deployment. When your client computers download policy, they will start to install the latest FEP definition files silently from their distribution points. If you have any questions about the setup of this method, please submit a comment and I'll try to answer when I can.

Sometime in September, the ConfigMgr Client Health and Remediation Service offered by the Premier Field Engineering (PFE) group (the group I am apart of at Microsoft) will be made available to all Premier customers. This offering will have an engineer come on site and install our client health solution and offer training on how to utilize it. We will then setup a separate engagement a couple of weeks later to work on remediation (this will allow time for the clients to report back their health state).

If you've ever had a CMRAP done on your environment, this is an excellent complement to that offering as the RAP will look at the risk and health of the server environment, however it won't go into detail about the health of your clients. There's no requirement that a RAP be done on your environment to leverage our Client Health and Remediation Service, however to get a good idea how things are going, doing both is highly recommended.

If you're interested in having a Microsoft PFE come on site to look at the health of your SCCM clients, please leave a comment on this post, or send me an email at richbal a.t. Microsoft.com. You can also work with your Technical Account Manager (TAM), however since this offering is relatively new, they may or may not be aware of it.

For more information on the offering, please see Chris Sugdinis' blog post.

User Account Control Remote Restrictions

Starting with Vista, User Account Control introduced some remote restrictions of administrative accounts. You can click the previous link if you want to read up on it. Suffice it to say, to disable these remote UAC restrictions of accounts that are in the local administrators group, do the following:

1. Click Start, click Run, type regedit, and then press ENTER.
2. Locate and then click the following registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
   1. On the Edit menu, point to New, and then click DWORD Value.
   2. Type LocalAccountTokenFilterPolicy, and then press ENTER.
4. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
5. In the Value data box, type 1, and then click OK.
6. Exit Registry Editor.

So in short, make sure you have the slipstreamed SCCM 2007 w/SP2 media instead of upgrade media to prevent this bone-headed move :)

One thing I like to use is PSExec from Sysinternals. In the past with OSes prior to Windows Vista, we could use the AT scheduler from the command line to create an interactive command prompt using the system account. This trick was removed in Vista and we were left with using Psexec.

1. Download PSExec from http://technet.microsoft.com/en-us/sysinternals/bb897553 or alternatively, you can use http://live.sysinternals.com/psexec.exe (some web filtering software will not allow an exe to be downloaded in this manner, so the first link might be better).
2. Once downloaded, navigate to the location of psexec via command line.
3. From the command line enter psexec -si cmd.exe (this opens a new command prompt as the system context that's interactive)
4. A new command line should open up. In the new command line type in whoami. You should see the credential as nt authority\system.
5. Test whatever software package you want to install via command line (this will end up being the command line you use in your package program)

The fix was http://support.microsoft.com/kb/2526870 which fixes a group policy deadlock condition.