Using SCCM Distribution Points for Forefront Endpoint Protection 2010 Definition Updates

THIS METHOD HAS BEEN DEPRECIATED AS OF FOREFRONT ENDPOINT PROTECTION UPDATE ROLLUP 1. PLEASE SEE FOREFRONT ENDPOINT PROTECTION 2010 UPDATE ROLLUP 1 USING YOUR DISTRIBUTION POINTS FOR FEP DEFINITIONS WITH THE SOFTWARE UPDATE AUTOMATION TOOL FOR THE NEW METHOD.

 

 

 

 

As you are probably aware by now, Forefront Endpoint Protection 2010 (FEP 2010) integrates with SCCM to provide you with one console to manage your entire environment, leveraging your SCCM infrastructure to help deploy anti-malware protection.

One of the problems we have with SCCM is the ability to leverage the Software Updates capabilities automatically. For each software update you wish to deploy, you have to add it to a deployment package as well as a deployment. This is fine for monthly security patches, however this process isn’t very good when dealing with anti-virus updates since most vendors release updates multiple times a day.

FEP doesn’t help matters much with this issue, and a lot of customers have had issues with not being able to leverage their SCCM distribution points. FEP gives you three methods to deploy definitions:

  1. WSUS
  2. Microsoft Update
  3. UNC File Share

I won’t go deep into the pros and cons of each, but suffice it to say that none of these will leverage your distribution points (unless you create UNC shares and point your clients to your DPs, which is possible with different policies, but somewhat of a pain).

Leveraging your DPs

So how can we leverage our DPs if the above three options don’t allow us to do so?

The way we accomplish this is rather simple:

  1. Have a script to download the definition files
  2. Create software distribution packages that point to the location where our definitions have been downloaded and update those on an 8 hour schedule (since FEP updates are released 3 times a day)
  3. Create collections of machines with out of date definitions (both 64bit and 32 bit) – I’ll explain this a bit more in a second
  4. Create a recurring advertisement to install the definitions

But before we do all that, we have to understand how the definition process in FEP works.

Forefront Endpoint Protection Definition Files

FEP has 4 definition files

  1. Full definition file (Base ~60MB as of this writing)
  2. Binary Delta Definition (1-15MB)
  3. Delta Definition (1-15MB)
  4. Network Inspection Service Definition File (only used on clients where NIS has been enabled)

For each of these files, there is an x86 and x64 file, so 8 total files available.

Your full definition file is generally between 40-70MB in size and will normally be installed after a new FEP Client install.

The binary delta definition file is generally 1-15MB in size and is used if your client is more than a month behind in its definition updates.

The delta definition file is generally 1-15MB in size (usually smaller than the binary delta definition file) and it installed typically on a daily basis (released 3 times a day).

More information about the definition files can be found at: http://support.microsoft.com/kb/977939

One thing to keep in mind about the definition files is that these files can be downloaded manually EXCEPT for the Binary Delta Definition files. I’m still trying to track down a link to download these files, and when I do, I’ll make sure to post an update here.

Putting This All Together

So now that we know the files we’re dealing with, let’s put this together.

First thing we need to do is setup a process to download the definition files automatically.

Create the following directories (I’m using the C: drive in this example, but you can use any of those, just make sure to modify the script I reference below)

  • “C:\FEPDefinitions\Updates\delta\amd64”
  • “C:\FEPDefinitions\Updates\delta\x86”
  • “C:\FEPDefinitions\Updates\full\amd64”
  • “C:\FEPDefinitions\Updates\full\x86”
  • “C:\FEPDefinitions\Updates\NIS\amd64”
  • “C:\FEPDefinitions\Updates\NIS\x86”
  • “C:\FEPDefinitions\script”
  1. Download the following script and save it under “C:\FEPDefinitions\script”
  2. Edit the script to download the definitions if you don’t plan on using the C:\FEPDefinitions locations

Create the Scheduled Task

  1. Go to Start – Programs – Administrative Tools – Task Scheduler
  2. In the Actions Pane on the right select Create Task…
  3. For each of the tabs, use the following screen shots (conditions and history don’t need to be modified)
    General

    Triggers

    Actions

    Settings
  4. Once the task is setup, go ahead and run it and verify that the definitions are downloading to the locations you have specified. All of the folders you created before should have definition files now.

Creating the SCCM Packages

So now that we have the content downloaded, we need SCCM to be made aware of it and download it on a schedule to our DPs. In total you will need to create 6 packages. (x86 and x64 packages for the Full and Delta definitions as well as x86 and x64 packages for the full NIS definition if you plan to use NIS). I will walk you through creating one package, you should repeat the process for the other 5 packages.

  1. In the SCCM Packages node in the SCCM Console, right click on the Packages node and  select New and then select Folder. Name it FEP Definitions.
  2. Right click the FEP Definitions folder and select New and then select Package
  3. In the new package wizard, input appropriate information for this package and click next
  4. In the data source screen, check the This package contains source files box
  5. For source directory, type in \\servername\sharename\FEPDefinitions\Updates\delta\amd64
  6. Leave Always obtain files from source directory checked
  7. Check the box to Update distribution points on a schedule
  8. Click the Schedule button
  9. For the custom schedule, select a custom interval to recur every 8 hours
    Note:
    Make this 8 hour schedule to be 15-30 minutes after the download is scheduled to run. This will allow the schedule task some time to download the definitions before SCCM tries to create a new package.
  10. Check Enable binary differential replication
  11. Click Finish

When all is said and done, your General and Data Source tabs of your package should look like this.

General


Data Source

Repeat the above steps for the other 5 packages (3 packages if you aren’t planning on pushing out NIS definitions).

Once the packages are all created, make sure to send each package to your distribution points.

Create the Programs for each Package

I’ll walk you through creating a program for the x64 delta definition (which is the same package I walked you through above).

  1. Drill to Software Distribution – Packages – FEP Definitions – Microsoft Corporation FEP Delta Definitions x64 – Programs
  2. Right click on Programs and select New – Program
  3. In the New Program Wizard, type in a name for the program
  4. For the command line, click browse, and select the mpam-d.exe file
  5. Add a -q as a command line switch, so your command line should look like mpam-d.exe -q
  6. Click Next
  7. Click Next at the Requirements screen
  8. In the Program can run drop down box, select Weather or not a user is logged on
  9. Click Next
  10. In the Advanced screen, select Suppress program notifications
  11. Click next all the way to the end of the wizard

Repeat the above steps for each package you made in the previous section.

Creating Your Collections

So now that we have created the packages to update every 8 hours (since the FEP definitions are released 3 times a day…and as a side note, no, I don’t know the time of day they are released, I have a pending question on that, so for now, just do it 3 times a day), now we need to target an advertisement to a collection, however we have an issue.

We basically have 3 definition types, we have a full update which is about 65MB in size (as of this writing) and we have a delta update which is about 3MB in size (as of this writing) as well as a NIS full definition update which is also about 3MB in size. We know that the 65MB update is for new clients as well as clients that have definition updates older than 2 months. We know that the delta definitions are for machines that have been updated with a definition within the last month. We also know there is a binary delta definition file (which we don’t have the ability to download, or at least I’m unaware of the location of the BDD file) for clients that have definitions that are at least a month old, but aren’t older than two months.

So based on all this information, we know that we don’t want our clients to download 65MB if it’s unnecessary. We only want those who are older than a month to download the full definition update (because we don’t have the BDD file we have to use this criteria, if we had the BDD file, we’d have a collection of machines with definitions older than a month but not older than two months).

In order to find the machines to target with these updates, we need to make some DCM rules. These DCM rules will allow us to populate collections dynamically based on the dates of their definition files.

Creating the Desired Configuration Management Configuration Items

What we’ll be doing here is creating 3 different configuration items

  1. Custom FEP Monitoring – Check if NIS is enabled
  2. Custom FEP Monitoring – Definitions Greater than a Month Old
  3. Custom FEP Monitoring – Definitions Up to a Month Old

Custom FEP Monitoring – Check if NIS is enabled

  1. Navigate to Desired Configuration Management – Configuration Items
  2. Right Click on Configuration Items
  3. Select New – General Configuration Item
  4. In the name field type Custom FEP Monitoring – Check if NIS is Enabled
  5. Click Next
  6. In the Objects screen, click Next
  7. In the Settings screen, click New – WQL Query
  8. For Display Name type in NisEnabled = True
  9. For Description type in Checks to see if NIS is enabled on a machine
  10. For Namespace type in Root\Microsoft\SecurityClient
  11. For Class type in AntimalwareHealthStatus
  12. For Property type in NisEnabled
  13. Click the Validation tab
  14. For Data Type select String
  15. Click New
  16. In the Configure Validation screen, for Name type in NisEnabled = True
  17. For Operator select Equals
  18. For Value select True
  19. For Severity select Information – no Windows event message
  20. Click OK
  21. Click Next all the way through the rest of the wizard

Custom FEP Monitoring – Definitions Greater than a Month Old

  1. Navigate to Desired Configuration Management – Configuration Items
  2. Right Click on Configuration Items
  3. Select New – General Configuration Item
  4. In the name field type Custom FEP Monitoring – Definitions Greater than a Month Old
  5. Click Next
  6. In the Objects screen, click Next
  7. In the Settings screen, click New – WQL Query
  8. For Display Name type in Definitions Greater than a month old
  9. For Namespace type in Root\Microsoft\SecurityClient
  10. For Class type in AntimalwareHealthStatus
  11. For Property type in AntivirusSignatureAge
  12. Click the Validation tab
  13. For Data Type select Integer
  14. Click New
  15. In the Configure Validation screen, for Name type in Antimalware Definitions Age Rule
  16. For Operator select Greater than or equal to
  17. For value type in 30
  18. For severity select Information – no windows event message
  19. Click OK
  20. Click Next all the way through the rest of the wizard

Custom FEP Monitoring – Definitions Up to a Month Old

  1. Navigate to Desired Configuration Management – Configuration Items
  2. Right Click on Configuration Items
  3. Select New – General Configuration Item
  4. In the name field type Custom FEP Monitoring – Definitions Up to a Month Old
  5. Click Next
  6. In the Objects screen, click Next
  7. In the Settings screen, click New – WQL Query
  8. For Display Name type in Definitions Up to a month old
  9. For Namespace type in Root\Microsoft\SecurityClient
  10. For Class type in AntimalwareHealthStatus
  11. For Property type in AntivirusSignatureAge
  12. Click the Validation tab
  13. For Data Type select Integer
  14. Click New
  15. In the Configure Validation screen, for Name type in Antimalware Definitions Age Rule
  16. For Operator select Less than
  17. For value type in 30
  18. For severity select Information – no windows event message
  19. Click OK
  20. Click Next all the way through the rest of the wizard

Creating the Desired Configuration Management Baseline

So now that we have created the 3 CIs, we need to create a baseline to target your machines that have succeeded in deployment of the FEP client. This baseline will allow the 3 Configuration Items to evaluate. Once these CIs have evaluated, the steps below for creating the collections will allow the collections to populate with machines that are out of date with their definitions.

  1. Navigate to Desired Configuration Management – Configuration Baselines
  2. Right Click on Configuration Baselines
  3. Select New Configuration Baseline
  4. In the name field type Custom FEP Monitoring – Definition Status
  5. Click Next
  6. In the Rules box, click the applications and general blue link. This will open a dialog box to choose Configuration Items
  7. In the Choose Configuration Items dialog box, select Custom FEP Monitoring – Check if NIS is Enabled, Custom FEP Monitoring – Definitions Greater than a Month Old, and Custom FEP Monitoring – Definitions Up to a Month Old
  8. Click OK
  9. Click Next
  10. Click Next
  11. Click Close
Now that the baseline is created, we need to assign it to one or more collections. I actually assign mine to the Out of Date and Deployment Succeeded collections, however you probably can get away with just assigning it to Deployment Succeeded. To assign the baseline to a collection:
  1. Navigate to Desired Configuration Management – Configuration Baselines
  2. Right click on Custom FEP Monitoring – Definition Status
  3. Click Assign to Collection
  4. In the Assign Configuration Baseline Wizard dialog box, click Next
  5. Click Browse
  6. In the Browse Collection dialog, navigate to FEP Collections\Deployment Status\Deployment Succeeded
  7. Click OK
  8. Click Next
  9. For the baseline evaluation schedule, you can stick with the default of 7 days, or change this to be more frequent if you desire
  10. Click Next
  11. Click Next
  12. Click Close
Now once the baseline evaluates, the collections you create in the steps below should begin to populate with machines.

Creating the Collections

So now that we have the DCM Configuration Items created, we can now create our collections leveraging the compliance of the CI and the CI Unique_ID. There are a few ways to do this, however I’ll show you the way I did it. There’s no right or wrong way, just your own way :)

For NIS Enabled Machines

  1. Navigate to Desired Configuration Management – Configuration Items
  2. Right click on Custom FEP Monitoring – Check if NIS is Enabled
  3. Select Create New Collection – Compliant Systems
  4. In the New Collection Wizard click Next
  5. In the Membership Rules screen double click on the Compliant Systems rule
  6. In the Query Rule Properties window, select Edit Query Statement
  7. In the Custom FEP Monitoring… window select Show Query Language
  8. Copy the entire query statement
  9. In the console, navigate to Computer Management – Collections – FEP Collections
  10. Right Click on FEP Collections and select New – Collection
  11. Call this collection NIS Enabled x64
  12. Click Next
  13. In the Membership Rules screen click the yellow cylinder icon to make a query based collection
  14. In the Query Rule Properties name field, type in NIS Enabled X64
  15. Click on Edit Query Statement
  16. Click on Show Query Language
  17. Paste in the query from step 8 (should be on your clip board)
  18. Click Show Query Design
  19. Click the Criteria tab
  20. There should be three lines of text in your criteria, the Configuration Item Compliance State.CIUnique_ID is equal to… as well as the compliance state is equal to one
  21. Click the Yellow Starburst icon to create a new criterion
  22. Click the Select… button
  23. For Attribute class select Computer System
  24. For Attribute select System Type
  25. Click OK
  26. For Value type in x64-based PC
  27. Click OK
  28. Select Dynamically Add New Resources
  29. Click Schedule…
  30. Set the custom schedule to update every 7 hours (this way the collections update slightly more frequently than the advertisements run since the advertisements will run every 8 hours)
  31. Click OK
  32. Click Next all the way to the end

You’ll want to repeat the above steps another 5 times for each of your different platform types (x86 or x64) as well as the different types of definitions. In the end, you should have six collections that look like the following:

Advertisements

The last thing you’ll want to do is create your advertisements to target each of the six collections. Below you can find the screen shots of what your advertisements should look like. If you’d like, I can write up the wizard steps by step items. The key step here is to make sure that the advertisements are set to always re-run.

General

Schedule

Distribution Points

In total, you should have six advertisements. 2 for the full definitions, 2 for the deltas, and 2 for the NIS definitions.

And with that, you should now be able to have your clients download their FEP definitions from their distribution points. There’s a lot of overhead in setting this all up, but once done, you shouldn’t really have to ever touch the process.

I understand that setting things up this way is a pain. In SCCM 2012 this should get better with the auto approval of updates, but in SCCM 2007 land, there really isn’t a better way without making your DPs Software Update Points and having WSUS installed on all of them (not ideal).

If you have any questions, please let me know. Also, if things don’t look right or I missed something, again, let me know. Thanks!

This entry was posted in Forefront Endpoint Protection and tagged , , . Bookmark the permalink.

21 Responses to Using SCCM Distribution Points for Forefront Endpoint Protection 2010 Definition Updates

  1. Dominique says:

    Hello,

    I was following this artcile which is really excellent and detailed but at the “creation of collection” I did not get the option…
    =====================================================
    For NIS Enabled Machines

    Navigate to Desired Configuration Management – Configuration Items
    Right click on Custom FEP Monitoring – Check if NIS is Enabled
    Select Create New Collection – Compliant Systems
    =====================================================
    the options when I right click on the “Custom FEP Monitoring – Check if NIS is Enabled ”
    I am getting:
    Export Configuration Data
    Duplicate
    Create Child Configuration Item
    View XML Definition
    Manage Categories
    Move Items
    ————-
    Cut
    Delete
    Refresh
    ————–
    Properties
    ————–
    Help
    but no wizard for collection??

    Any idea?
    Thanks,
    Dom

  2. rbalsley says:

    Hi Dominique,

    It should look something like this:

    Create Collection via DCM

    If you don’t see this, I’d say check your security rights and also make sure you’re running SCCM SP2 (R3 shouldn’t be needed, but wouldn’t hurt either).

  3. Antonis says:

    Hello,
    I found your guide extremely helpful, i have just setup sccm in my company for FEP only (we have another WSUS server) and this is exactly how i want the definition updates to work…
    I followed the guide to the end, have created all 6 Collections, however i cannot get them to populate with clients!
    i have 2 clients that should show up in the “Definitions Greater than a Month Old x86” collection, however nothing shows up… Both clients show up just fine in the collection “FEP Collections\Definition Status\Older than 1 week” – this is one of the collections that FEP installation creates…
    It is as if your query doesnot run, however the “original” FEP CI searches for the same attribute (AntivirusSignatureAge) and that CI/collection works fine, however it’s locked and i cannot edit it to add x86/x64 detection ….
    Besides the creation of the CIs, do we also need to create a new CI Baseline that contains them and apply it to the collections?
    Any help would be appreciated….
    Thanks,
    Antonis

  4. Antonis says:

    I just forgot to say i use SCCM 2007 R3 and FEP 2010

  5. Brian N says:

    I get AODB stream error when i try this. I wish I could get it to work I would like to run it to update my UNC paths for FEP

  6. Pablofer says:

    Excellent, I will try it.

  7. rbalsley says:

    @Antonis you’re right, I forgot the baseline in my write up! I’ll fix this post with the baseline instructions, but basically you need your 3 CIs and to target the deployment succeeded and out of date collections.

    @Brian N Where are you seeing an AODB stream error? When running the script via scheduled task?

  8. rbalsley says:

    OK, I have updated the post with the section on how to create the DCM Baseline.

  9. Eric says:

    This work very well! One thing I have noticed – include the ccm\cache folder, I am seeing a build up of the definition updates files. Is there a good way to remove these or should I choose option to run across the network?

  10. rbalsley says:

    Hi Eric,

    I wouldn’t worry about the cache folder filling up. The cache folder is designed to remove older data if applications need cache space, so you shouldn’t have to worry about the cache being completely full.

    That said, FEP 2010 Update 1 was released today and has support now to leverage your DPs using the Definition Update Automation Tool
    http://technet.microsoft.com/en-us/library/hh297450.aspx

  11. Julio says:

    hi,

    I get Winhttp.WinHttpRequest error when i try this, maybe because I work with proxy? which would be the remediation?

  12. Michi429 says:

    1st… Excellent post. Thanks for the work.

    2nd… Do I need to setup the task on all my distribution points?

  13. rbalsley says:

    No, just your central site. The script is just so you can source your package. Once you’ve made the package, you need to set up the package to update your DPs on a schedule as referenced in the guide.

  14. rbalsley says:

    Hmm, not sure. Is the proxy defined in IE? If not, what about using netsh to define the proxy?

    http://technet.microsoft.com/en-us/library/cc731131(WS.10).aspx

  15. Michi429 says:

    Hello,

    I have setup my DP per the document posted above. The only files I am getting are the .exe files in my delta, full and NIS folders. Did I fat finger something? Any thoughts will be appreicated.

  16. eyouskeviche says:

    Richard,

    Thank you for your excellent process. It ‘was’ working very well, until MS decided to no longer make available via download the FEP delta update executable. We have been having issues here for about 2 weeks with the delta running, and after working with premier support, faced with using one of the “supported” update methods, MS Update, UNC or WSUS. We can utilize the SCCM via WSUS with FEP roll up 1, which is what we are looking at now. Anyway, just wanted you to be aware of the change regarding delta updates.

    -ed

  17. rbalsley says:

    Thanks for the update.

    Over the next week I hope to write up something on how to use Rollup 1 to accomplish a similar process.

  18. Byron Obando says:

    Hi! First of all, thanks for this excellent post and for all the work and time you’ve dedicated to it.

    One question, do you have any step-by-step installation guide to install SCCM 2007 R3 from scratch? We’ve just acquired this product but I would like to have a guide to install it correctly. Is it necessary, recommended or mandatory to have a separate server working as a distribution point? Can one server handle all functions? I know it all depends on how large your network infrastructure is. In my case I have 200 workstations, some of them are running Windows 7 x64, some others Windows 7 x86 and we still have a few running Windows XP. We only have one site for Active Directory, 2 Domain Controllers, a different server running WSUS 3.0 SP1, we also have a server running SQL Server 2008 R2 and we also acquired Forefront Endpoint Protection 2010, which I need to deploy after Configuration Manager is up and running.

    Any advise will be greatly appreciated. Thanks in advance for your help.

  19. Tolvis says:

    Richard – Thanks for a great article!
    For future reference – I would also love to see an explanation of how we can provide protection for roaming users (laptops), such that they pull down updates from the nearest server rather than going back to the “home” office server (which could be half way round the globe).

  20. rbalsley says:

    @Byron

    No, I do not have a step by step installation guide for SCCM 2007 R3. The reason for that is because it really depends on what you plan on using the product for. Some people may want to utilize different site roles, you also need to determine your version of Windows/SQL etc. There is also the issue of extending the AD Schema, using native mode, etc that can complicate matters. So there’s no real one size fits all install guide.

    That being said, you can install all roles on one server if the hardware can handle the load. But again, this recommendation is hard because we need to know how many clients you plan to manage, where the clients are (we don’t recommend clients going across the WAN to get content, though if the WAN speeds are good, then it’s an option). In your specific configuration, you’d probably be ok with one primary server with all the roles on the same box since it’s only 200 clients, but I’d strongly suggest testing that out.

    @Tolvis

    Are the roaming users in a VPN scenario, connected on the corporate network, or some other way back to the corp network? If they never check in, it’s hard for them to get access to corp resources without something like direct access setup.

    If they are on the corp network, SCCM’s roaming capability should have the client go to its nearest DP provided that you have your boundaries setup correctly.

  21. Dhillan says:

    Hi Richard

    Firstly thanks a lot for this Guide on deploying FEP updates, it is very useful. I however have run into a bit of a problem. I have followed the guide step by step but have hit a snag at creating the collections. When I right click on my configuration item I do not get the option “New Collection – Compliant Systems”. If I am not mistaken the client is running SCCM 2007 R2.

    Please assist if possible.

Leave a Reply

Your email address will not be published. Required fields are marked *