Using SCCM Distribution Points for Forefront Endpoint Protection 2010 Definition Updates

THIS METHOD HAS BEEN DEPRECATED AS OF FOREFRONT ENDPOINT PROTECTION UPDATE ROLLUP 1. PLEASE SEE FOREFRONT ENDPOINT PROTECTION 2010 UPDATE ROLLUP 1 - USING YOUR DISTRIBUTION POINTS FOR FEP DEFINITIONS WITH THE SOFTWARE UPDATE AUTOMATION TOOL FOR THE NEW METHOD.

As you are probably aware by now, Forefront Endpoint Protection 2010 (FEP 2010) integrates with SCCM to provide you with one console to manage your entire environment, leveraging your SCCM infrastructure to help deploy anti-malware protection.

One of the limitations of SCCM is that the Software Updates feature can't be fully automated. For each software update you wish to deploy, you have to add it to a deployment package as well as a deployment. This is fine for monthly security patches, but it doesn't work well for anti-virus updates, since most vendors release updates multiple times a day.

FEP doesn't help matters much here, and a lot of customers have had trouble because they can't leverage their SCCM distribution points. FEP gives you three methods to deploy definitions:

  1. WSUS
  2. Microsoft Update
  3. UNC File Share

I won't go deep into the pros and cons of each, but suffice it to say that none of these will leverage your distribution points (unless you create UNC shares and point your clients to your DPs, which is possible with different policies, but somewhat of a pain).

Leveraging your DPs

So how can we leverage our DPs if the above three options don't allow us to do so?

The way we accomplish this is rather simple:

  1. Have a script to download the definition files
  2. Create software distribution packages that point to the location where our definitions have been downloaded and update those on an 8 hour schedule (since FEP updates are released 3 times a day)
  3. Create collections of machines with out-of-date definitions (both 64-bit and 32-bit) - I'll explain this a bit more in a second
  4. Create a recurring advertisement to install the definitions

But before we do all that, we have to understand how the definition process in FEP works.

Forefront Endpoint Protection Definition Files

FEP has 4 definition files:

  1. Full definition file (Base ~60MB as of this writing)
  2. Binary Delta Definition (1-15MB)
  3. Delta Definition (1-15MB)
  4. Network Inspection Service Definition File (only used on clients where NIS has been enabled)

For each of these files there is an x86 and an x64 version, so 8 files in total.

Your full definition file is generally between 40-70MB in size and will normally be installed after a new FEP Client install.

The binary delta definition file is generally 1-15MB in size and is used if your client is more than a month behind in its definition updates.

The delta definition file is generally 1-15MB in size (usually smaller than the binary delta definition file) and is typically installed on a daily basis (it is released 3 times a day).

More information about the definition files can be found at: http://support.microsoft.com/kb/977939

One thing to keep in mind about the definition files is that these files can be downloaded manually EXCEPT for the Binary Delta Definition files. I'm still trying to track down a link to download these files, and when I do, I'll make sure to post an update here.

Putting This All Together

So now that we know the files we're dealing with, let's put this together.

The first thing we need to do is set up a process to download the definition files automatically.

Create the following directories (I'm using the C: drive in this example, but you can use any drive; just make sure to modify the script I reference below accordingly)

  • "C:\FEPDefinitions\Updates\delta\amd64"
  • "C:\FEPDefinitions\Updates\delta\x86"
  • "C:\FEPDefinitions\Updates\full\amd64"
  • "C:\FEPDefinitions\Updates\full\x86"
  • "C:\FEPDefinitions\Updates\NIS\amd64"
  • "C:\FEPDefinitions\Updates\NIS\x86"
  • "C:\FEPDefinitions\script"
  1. Download the following script and save it under "C:\FEPDefinitions\script"
  2. Edit the script to download the definitions if you don't plan on using the C:\FEPDefinitions locations

Create the Scheduled Task

  1. Go to Start - Programs - Administrative Tools - Task Scheduler
  2. In the Actions Pane on the right select Create Task...
  3. For each of the tabs, use the following screenshots: General, Triggers, Actions and Settings (the Conditions and History tabs don't need to be modified)
  4. Once the task is set up, go ahead and run it and verify that the definitions are downloading to the locations you have specified. All of the folders you created before should now contain definition files.
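The post's download script is linked rather than shown, so here is an added PowerShell example (my own code, not the author's script) that fills the directory layout above from the Task Scheduler job and keeps only files that are valid PE executables with a valid Microsoft Authenticode signature, since whatever lands in these folders is pushed by SCCM to every client. The download URLs are placeholders to be replaced with the links from KB 977939; the full and NIS package names mpam-fe.exe and nis_full.exe, and the functions Test-DefinitionFile and Update-FepDefinitions, are my assumptions.

```powershell
# Added example, not the original post's script: download the six FEP definition
# packages into the C:\FEPDefinitions\Updates layout and reject anything that is
# not a validly signed Microsoft binary. URLs below are PLACEHOLDERS.

$Root = "C:\FEPDefinitions\Updates"

# One entry per SCCM package source folder: relative folder, file name, URL.
$Packages = @(
    @{ Folder = "full\x86";    File = "mpam-fe.exe";  Url = "https://PLACEHOLDER/x86/mpam-fe.exe" },
    @{ Folder = "full\amd64";  File = "mpam-fe.exe";  Url = "https://PLACEHOLDER/amd64/mpam-fe.exe" },
    @{ Folder = "delta\x86";   File = "mpam-d.exe";   Url = "https://PLACEHOLDER/x86/mpam-d.exe" },
    @{ Folder = "delta\amd64"; File = "mpam-d.exe";   Url = "https://PLACEHOLDER/amd64/mpam-d.exe" },
    @{ Folder = "NIS\x86";     File = "nis_full.exe"; Url = "https://PLACEHOLDER/x86/nis_full.exe" },
    @{ Folder = "NIS\amd64";   File = "nis_full.exe"; Url = "https://PLACEHOLDER/amd64/nis_full.exe" }
)

function Test-DefinitionFile {
    # Accept a file only if it starts with the "MZ" PE header and carries a
    # valid Authenticode signature whose signer is Microsoft Corporation.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq "Valid" -and
            $sig.SignerCertificate.Subject -like "*O=Microsoft Corporation*")
}

function Update-FepDefinitions {
    param([string]$Root, [array]$Packages)
    $client = New-Object System.Net.WebClient
    # Use the system proxy with the task account's credentials (relevant when
    # the download host is only reachable through an authenticating proxy).
    $client.Proxy = [System.Net.WebRequest]::DefaultWebProxy
    if ($client.Proxy) {
        $client.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    }
    $results = @()
    foreach ($p in $Packages) {
        $dir  = Join-Path $Root $p.Folder
        $dest = Join-Path $dir $p.File
        $tmp  = "$dest.download"
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        try {
            # Download under a temporary name so a half-written or rejected file
            # never sits at the path the SCCM package sources from.
            $client.DownloadFile($p.Url, $tmp)
            if (Test-DefinitionFile $tmp) {
                Move-Item -Force $tmp $dest
                $status = "updated"
            } else {
                Remove-Item -Force $tmp
                $status = "rejected (unsigned, wrong signer, or not a PE file)"
            }
        } catch {
            if (Test-Path $tmp) { Remove-Item -Force $tmp }
            $status = "download failed: $($_.Exception.Message)"
        }
        $results += New-Object PSObject -Property @{ Package = $p.Folder; Status = $status }
    }
    return $results
}

Update-FepDefinitions -Root $Root -Packages $Packages | Format-Table Package, Status -AutoSize
```

Point the scheduled task's action at this script so a run that fails or rejects a file leaves the previous good definition in place for the next SCCM package update.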

Creating the SCCM Packages

So now that we have the content downloaded, we need SCCM to be made aware of it and copy it on a schedule to our DPs. In total you will need to create 6 packages (x86 and x64 packages for the Full and Delta definitions, plus x86 and x64 packages for the full NIS definition if you plan to use NIS). I will walk you through creating one package; you should repeat the process for the other 5 packages.

  1. In the SCCM Packages node in the SCCM Console, right click on the Packages node and select New and then select Folder. Name it FEP Definitions.
  2. Right click the FEP Definitions folder and select New and then select Package
  3. In the new package wizard, input appropriate information for this package and click next
  4. In the data source screen, check the This package contains source files box
  5. For source directory, type in \\servername\sharename\FEPDefinitions\Updates\delta\amd64
  6. Leave Always obtain files from source directory checked
  7. Check the box to Update distribution points on a schedule
  8. Click the Schedule button
  9. For the custom schedule, select a custom interval to recur every 8 hours
    Note:
    Make this 8 hour schedule run 15-30 minutes after the download is scheduled to run. This gives the scheduled task time to download the definitions before SCCM tries to update the package.
  10. Check Enable binary differential replication
  11. Click Finish

When all is said and done, the General and Data Source tabs of your package should look like the following screenshots (General tab and Data Source tab).

Repeat the above steps for the other 5 packages (3 packages if you aren't planning on pushing out NIS definitions).

Once the packages are all created, make sure to send each package to your distribution points.

Create the Programs for each Package

I'll walk you through creating a program for the x64 delta definition (which is the same package I walked you through above).

  1. Drill to Software Distribution - Packages - FEP Definitions - Microsoft Corporation FEP Delta Definitions x64 - Programs
  2. Right click on Programs and select New - Program
  3. In the New Program Wizard, type in a name for the program
  4. For the command line, click browse, and select the mpam-d.exe file
  5. Add a -q as a command line switch, so your command line should look like mpam-d.exe -q
  6. Click Next
  7. Click Next at the Requirements screen
  8. In the Program can run drop down box, select Whether or not a user is logged on
  9. Click Next
  10. In the Advanced screen, select Suppress program notifications
  11. Click Next all the way to the end of the wizard

Repeat the above steps for each package you made in the previous section.

Creating Your Collections

So now that we have created the packages to update every 8 hours (since the FEP definitions are released 3 times a day; as a side note, no, I don't know the time of day they are released, I have a pending question on that, so for now just do it 3 times a day), we need to target an advertisement to a collection. However, we have an issue.

We basically have 3 definition types: a full update, which is about 65MB in size (as of this writing); a delta update, which is about 3MB in size (as of this writing); and a NIS full definition update, which is also about 3MB in size. We know that the 65MB update is for new clients as well as clients whose definitions are older than 2 months. We know that the delta definitions are for machines that have been updated with a definition within the last month. We also know there is a binary delta definition file (which we don't have the ability to download, or at least I'm unaware of the location of the BDD file) for clients whose definitions are at least a month old but not older than two months.

So based on all this information, we know that we don't want our clients to download 65MB if it's unnecessary. We only want those whose definitions are older than a month to download the full definition update (because we don't have the BDD file we have to use this criterion; if we had the BDD file, we'd have a collection of machines with definitions older than a month but not older than two months).

In order to find the machines to target with these updates, we need to make some DCM rules. These DCM rules will allow us to populate collections dynamically based on the dates of their definition files.

Creating the Desired Configuration Management Configuration Items

What we'll be doing here is creating 3 different configuration items

  1. Custom FEP Monitoring - Check if NIS is enabled
  2. Custom FEP Monitoring - Definitions Greater than a Month Old
  3. Custom FEP Monitoring - Definitions Up to a Month Old

Custom FEP Monitoring - Check if NIS is enabled

  1. Navigate to Desired Configuration Management - Configuration Items
  2. Right Click on Configuration Items
  3. Select New - General Configuration Item
  4. In the name field type Custom FEP Monitoring - Check if NIS is Enabled
  5. Click Next
  6. In the Objects screen, click Next
  7. In the Settings screen, click New - WQL Query
  8. For Display Name type in NisEnabled = True
  9. For Description type in Checks to see if NIS is enabled on a machine
  10. For Namespace type in Root\Microsoft\SecurityClient
  11. For Class type in AntimalwareHealthStatus
  12. For Property type in NisEnabled
  13. Click the Validation tab
  14. For Data Type select String
  15. Click New
  16. In the Configure Validation screen, for Name type in NisEnabled = True
  17. For Operator select Equals
  18. For Value select True
  19. For Severity select Information - no Windows event message
  20. Click OK
  21. Click Next all the way through the rest of the wizard

Custom FEP Monitoring - Definitions Greater than a Month Old

  1. Navigate to Desired Configuration Management - Configuration Items
  2. Right Click on Configuration Items
  3. Select New - General Configuration Item
  4. In the name field type Custom FEP Monitoring - Definitions Greater than a Month Old
  5. Click Next
  6. In the Objects screen, click Next
  7. In the Settings screen, click New - WQL Query
  8. For Display Name type in Definitions Greater than a month old
  9. For Namespace type in Root\Microsoft\SecurityClient
  10. For Class type in AntimalwareHealthStatus
  11. For Property type in AntivirusSignatureAge
  12. Click the Validation tab
  13. For Data Type select Integer
  14. Click New
  15. In the Configure Validation screen, for Name type in Antimalware Definitions Age Rule
  16. For Operator select Greater than or equal to
  17. For Value type in 30
  18. For Severity select Information - no Windows event message
  19. Click OK
  20. Click Next all the way through the rest of the wizard

Custom FEP Monitoring - Definitions Up to a Month Old

  1. Navigate to Desired Configuration Management - Configuration Items
  2. Right Click on Configuration Items
  3. Select New - General Configuration Item
  4. In the name field type Custom FEP Monitoring - Definitions Up to a Month Old
  5. Click Next
  6. In the Objects screen, click Next
  7. In the Settings screen, click New - WQL Query
  8. For Display Name type in Definitions Up to a month old
  9. For Namespace type in Root\Microsoft\SecurityClient
  10. For Class type in AntimalwareHealthStatus
  11. For Property type in AntivirusSignatureAge
  12. Click the Validation tab
  13. For Data Type select Integer
  14. Click New
  15. In the Configure Validation screen, for Name type in Antimalware Definitions Age Rule
  16. For Operator select Less than
  17. For Value type in 30
  18. For Severity select Information - no Windows event message
  19. Click OK
  20. Click Next all the way through the rest of the wizard

Creating the Desired Configuration Management Baseline

So now that we have created the 3 CIs, we need to create a baseline and target it at the machines that have succeeded in deployment of the FEP client. Without a baseline assignment the 3 Configuration Items are never evaluated on the clients. Once these CIs have evaluated, the collections created in the steps below will populate with machines whose definitions are out of date.

  1. Navigate to Desired Configuration Management - Configuration Baselines
  2. Right Click on Configuration Baselines
  3. Select New Configuration Baseline
  4. In the name field type Custom FEP Monitoring - Definition Status
  5. Click Next
  6. In the Rules box, click the applications and general blue link. This will open a dialog box to choose Configuration Items
  7. In the Choose Configuration Items dialog box, select Custom FEP Monitoring - Check if NIS is Enabled, Custom FEP Monitoring - Definitions Greater than a Month Old, and Custom FEP Monitoring - Definitions Up to a Month Old
  8. Click OK
  9. Click Next
  10. Click Next
  11. Click Close

Now that the baseline is created, we need to assign it to one or more collections. I actually assign mine to the Out of Date and Deployment Succeeded collections, however you probably can get away with just assigning it to Deployment Succeeded. To assign the baseline to a collection:

  1. Navigate to Desired Configuration Management - Configuration Baselines
  2. Right click on Custom FEP Monitoring - Definition Status
  3. Click Assign to Collection
  4. In the Assign Configuration Baseline Wizard dialog box, click Next
  5. Click Browse
  6. In the Browse Collection dialog, navigate to FEP Collections\Deployment Status\Deployment Succeeded
  7. Click OK
  8. Click Next
  9. For the baseline evaluation schedule, you can stick with the default of 7 days, or change this to be more frequent if you desire
  10. Click Next
  11. Click Next
  12. Click Close

Now once the baseline evaluates, the collections you create in the steps below should begin to populate with machines.

Creating the Collections

So now that we have the DCM Configuration Items created, we can create our collections using the compliance state of each CI together with its CIUnique_ID. There are a few ways to do this, however I'll show you the way I did it. There's no right or wrong way, just your own way :)

For NIS Enabled Machines

  1. Navigate to Desired Configuration Management - Configuration Items
  2. Right click on Custom FEP Monitoring - Check if NIS is Enabled
  3. Select Create New Collection - Compliant Systems
  4. In the New Collection Wizard click Next
  5. In the Membership Rules screen double click on the Compliant Systems rule
  6. In the Query Rule Properties window, select Edit Query Statement
  7. In the Custom FEP Monitoring... window select Show Query Language
  8. Copy the entire query statement
  9. In the console, navigate to Computer Management - Collections - FEP Collections
  10. Right Click on FEP Collections and select New - Collection
  11. Call this collection NIS Enabled x64
  12. Click Next
  13. In the Membership Rules screen click the yellow cylinder icon to make a query based collection
  14. In the Query Rule Properties name field, type in NIS Enabled X64
  15. Click on Edit Query Statement
  16. Click on Show Query Language
  17. Paste in the query from step 8 (should be on your clip board)
  18. Click Show Query Design
  19. Click the Criteria tab
  20. There should be three lines of text in your criteria: Configuration Item Compliance State.CIUnique_ID is equal to the ID of your CI, and Configuration Item Compliance State.Compliance State is equal to 1
  21. Click the Yellow Starburst icon to create a new criterion
  22. Click the Select... button
  23. For Attribute class select Computer System
  24. For Attribute select System Type
  25. Click OK
  26. For Value type in x64-based PC
  27. Click OK
  28. Select Dynamically Add New Resources
  29. Click Schedule...
  30. Set the custom schedule to update every 7 hours (this way the collections update slightly more frequently than the advertisements run since the advertisements will run every 8 hours)
  31. Click OK
  32. Click Next all the way to the end

You'll want to repeat the above steps another 5 times, once for each combination of platform type (x86 or x64) and definition type. In the end, you should have six collections that look like the following:
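To check the CI thresholds from the previous section and the platform split from this one without waiting for a baseline evaluation cycle, here is an added PowerShell example (not from the original post) that reads the same AntimalwareHealthStatus class the CIs query, plus Win32_ComputerSystem.SystemType (the Computer System / System Type attribute used in the collection criteria), and reports which of the six collections each machine would land in. The function name Get-FepDefinitionBucket and the sample computer names are constructed.

```powershell
# Added example, not part of the original post: classify machines into the six
# FEP definition collections using the same WMI data the CIs and collection
# criteria evaluate. Computer names at the bottom are constructed samples.

$Namespace        = "root\Microsoft\SecurityClient"
$AgeThresholdDays = 30   # the boundary used by both AntivirusSignatureAge CIs

function Get-FepDefinitionBucket {
    param([string]$ComputerName = $env:COMPUTERNAME)
    try {
        $health = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace `
                                -Class AntimalwareHealthStatus -ErrorAction Stop
        if ($health -eq $null) { throw "AntimalwareHealthStatus has no instance" }
        $system = Get-WmiObject -ComputerName $ComputerName `
                                -Class Win32_ComputerSystem -ErrorAction Stop
    } catch {
        # No FEP client, no WMI access, or the machine is offline: the CIs would
        # not evaluate here either, so it joins none of the collections.
        return New-Object PSObject -Property @{
            Computer = $ComputerName; Arch = $null; SignatureAgeDays = $null
            NisEnabled = $null; Collections = "(unreachable: $($_.Exception.Message))"
        }
    }

    # Same value the collection criterion compares: "x64-based PC" selects x64.
    $arch = if ($system.SystemType -eq "x64-based PC") { "x64" } else { "x86" }
    # NisEnabled is compared as the string "True" in the CI, so do the same here.
    $nis  = ("$($health.NisEnabled)" -eq "True")

    $collections = @()
    if ($health.AntivirusSignatureAge -ge $AgeThresholdDays) {
        $collections += "Definitions Greater than a Month Old $arch"   # full mpam-fe.exe
    } else {
        $collections += "Definitions Up to a Month Old $arch"          # delta mpam-d.exe
    }
    if ($nis) { $collections += "NIS Enabled $arch" }                  # NIS definitions

    New-Object PSObject -Property @{
        Computer         = $ComputerName
        Arch             = $arch
        SignatureAgeDays = $health.AntivirusSignatureAge
        NisEnabled       = $nis
        Collections      = ($collections -join "; ")
    }
}

# Constructed sample input; in practice feed it the members of Deployment Succeeded.
"WKS-001", "WKS-002" | ForEach-Object { Get-FepDefinitionBucket -ComputerName $_ } |
    Format-Table Computer, Arch, SignatureAgeDays, NisEnabled, Collections -AutoSize
```

A machine that shows up here but not in the console collection after the baseline has evaluated points at the baseline assignment or the collection schedule, not at the WMI data.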

Advertisements

The last thing you'll want to do is create your advertisements to target each of the six collections. The following screenshots (General, Schedule and Distribution Points tabs) show what your advertisements should look like. If you'd like, I can write up the wizard step by step. The key step here is to make sure that the advertisements are set to always re-run.

In total, you should have six advertisements: 2 for the full definitions, 2 for the deltas, and 2 for the NIS definitions.

And with that, you should now be able to have your clients download their FEP definitions from their distribution points. There's a lot of overhead in setting this all up, but once done, you shouldn't really have to ever touch the process.

I understand that setting things up this way is a pain. In SCCM 2012 this should get better with the auto approval of updates, but in SCCM 2007 land, there really isn't a better way without making your DPs Software Update Points and having WSUS installed on all of them (not ideal).

If you have any questions, please let me know. Also, if things don't look right or I missed something, again, let me know. Thanks!

21 Responses

  1. Dominique says:

    Hello,

    I was following this article which is really excellent and detailed but at the "creation of collection" I did not get the option...
    =====================================================
    For NIS Enabled Machines

    Navigate to Desired Configuration Management – Configuration Items
    Right click on Custom FEP Monitoring – Check if NIS is Enabled
    Select Create New Collection – Compliant Systems
    =====================================================
    the options when I right click on the "Custom FEP Monitoring – Check if NIS is Enabled "
    I am getting:
    Export Configuration Data
    Duplicate
    Create Child Configuration Item
    View XML Definition
    Manage Categories
    Move Items
    -------------
    Cut
    Delete
    Refresh
    --------------
    Properties
    --------------
    Help
    but no wizard for collection??

    Any idea?
    Thanks,
    Dom

  2. rbalsley says:

    Hi Dominique,

    It should look something like this:

    Create Collection via DCM

    If you don't see this, I'd say check your security rights and also make sure you're running SCCM SP2 (R3 shouldn't be needed, but wouldn't hurt either).

  3. Antonis says:

    Hello,
    I found your guide extremely helpful, I have just set up SCCM in my company for FEP only (we have another WSUS server) and this is exactly how I want the definition updates to work...
    I followed the guide to the end, have created all 6 Collections, however I cannot get them to populate with clients!
    I have 2 clients that should show up in the "Definitions Greater than a Month Old x86" collection, however nothing shows up... Both clients show up just fine in the collection "FEP Collections\Definition Status\Older than 1 week" - this is one of the collections that FEP installation creates...
    It is as if your query does not run, however the "original" FEP CI searches for the same attribute (AntivirusSignatureAge) and that CI/collection works fine, however it's locked and I cannot edit it to add x86/x64 detection ....
    Besides the creation of the CIs, do we also need to create a new CI Baseline that contains them and apply it to the collections?
    Any help would be appreciated....
    Thanks,
    Antonis

  4. Antonis says:

    I just forgot to say i use SCCM 2007 R3 and FEP 2010

  5. Brian N says:

    I get an AODB stream error when I try this. I wish I could get it to work; I would like to run it to update my UNC paths for FEP.

  6. Pablofer says:

    Excellent, I will try it.

  7. rbalsley says:

    @Antonis you're right, I forgot the baseline in my write up! I'll fix this post with the baseline instructions, but basically you need your 3 CIs and to target the deployment succeeded and out of date collections.

    @Brian N Where are you seeing an AODB stream error? When running the script via scheduled task?

  8. rbalsley says:

    OK, I have updated the post with the section on how to create the DCM Baseline.

  9. Eric says:

    This works very well! One thing I have noticed - in the ccm\cache folder, I am seeing a build-up of the definition update files. Is there a good way to remove these or should I choose the option to run across the network?

  10. rbalsley says:

    Hi Eric,

    I wouldn't worry about the cache folder filling up. The cache folder is designed to remove older data if applications need cache space, so you shouldn't have to worry about the cache being completely full.

    That said, FEP 2010 Update 1 was released today and has support now to leverage your DPs using the Definition Update Automation Tool
    http://technet.microsoft.com/en-us/library/hh297450.aspx

  11. Julio says:

    hi,

    I get a Winhttp.WinHttpRequest error when I try this, maybe because I work with a proxy? What would be the remediation?

  12. Michi429 says:

    1st... Excellent post. Thanks for the work.

    2nd... Do I need to setup the task on all my distribution points?

  13. rbalsley says:

    No, just your central site. The script is just so you can source your package. Once you've made the package, you need to set up the package to update your DPs on a schedule as referenced in the guide.

  14. rbalsley says:

    Hmm, not sure. Is the proxy defined in IE? If not, what about using netsh to define the proxy?

    http://technet.microsoft.com/en-us/library/cc731131(WS.10).aspx

  15. Michi429 says:

    Hello,

    I have set up my DP per the document posted above. The only files I am getting are the .exe files in my delta, full and NIS folders. Did I fat finger something? Any thoughts will be appreciated.

  16. eyouskeviche says:

    Richard,

    Thank you for your excellent process. It 'was' working very well, until MS decided to no longer make available via download the FEP delta update executable. We have been having issues here for about 2 weeks with the delta running, and after working with premier support, faced with using one of the "supported" update methods, MS Update, UNC or WSUS. We can utilize the SCCM via WSUS with FEP roll up 1, which is what we are looking at now. Anyway, just wanted you to be aware of the change regarding delta updates.

    -ed

  17. rbalsley says:

    Thanks for the update.

    Over the next week I hope to write up something on how to use Rollup 1 to accomplish a similar process.

  18. Hi! First of all, thanks for this excellent post and for all the work and time you've dedicated to it.

    One question, do you have any step-by-step installation guide to install SCCM 2007 R3 from scratch? We've just acquired this product but I would like to have a guide to install it correctly. Is it necessary, recommended or mandatory to have a separate server working as a distribution point? Can one server handle all functions? I know it all depends on how large your network infrastructure is. In my case I have 200 workstations, some of them are running Windows 7 x64, some others Windows 7 x86 and we still have a few running Windows XP. We only have one site for Active Directory, 2 Domain Controllers, a different server running WSUS 3.0 SP1, we also have a server running SQL Server 2008 R2 and we also acquired Forefront Endpoint Protection 2010, which I need to deploy after Configuration Manager is up and running.

    Any advice will be greatly appreciated. Thanks in advance for your help.

  19. Tolvis says:

    Richard - Thanks for a great article!
    For future reference - I would also love to see an explanation of how we can provide protection for roaming users (laptops), such that they pull down updates from the nearest server rather than going back to the "home" office server (which could be half way round the globe).

  20. rbalsley says:

    @Byron

    No, I do not have a step by step installation guide for SCCM 2007 R3. The reason is that it really depends on what you plan on using the product for. Some people may want to utilize different site roles, you also need to determine your version of Windows/SQL etc. There is also the issue of extending the AD Schema, using native mode, etc. that can complicate matters. So there's no real one size fits all install guide.

    That being said, you can install all roles on one server if the hardware can handle the load. But again, this recommendation is hard because we need to know how many clients you plan to manage, where the clients are (we don't recommend clients going across the WAN to get content, though if the WAN speeds are good, then it's an option). In your specific configuration, you'd probably be ok with one primary server with all the roles on the same box since it's only 200 clients, but I'd strongly suggest testing that out.

    @Tolvis

    Are the roaming users in a VPN scenario, connected on the corporate network, or some other way back to the corp network? If they never check in, it's hard for them to get access to corp resources without something like direct access setup.

    If they are on the corp network, SCCM's roaming capability should have the client go to its nearest DP provided that you have your boundaries setup correctly.

  21. Dhillan says:

    Hi Richard

    Firstly thanks a lot for this Guide on deploying FEP updates, it is very useful. I however have run into a bit of a problem. I have followed the guide step by step but have hit a snag at creating the collections. When I right click on my configuration item I do not get the option "New Collection - Compliant Systems". If I am not mistaken the client is running SCCM 2007 R2.

    Please assist if possible.