In my previous post on using your distribution points for Forefront Endpoint Protection (FEP) 2010 definition files, we had to leverage a vbscript in order to automate the download of the definition files from Microsoft via a scheduled task and then create a package that updated automatically on schedule and have a recurring advertisement. We also had to create some additional DCM configuration items and collections. This whole thing became a pretty tedious process to setup, but in the end it worked and the clients could get the definitions from their local DPs instead of the Software Update Point, WSUS server, UNC Share, or Microsoft Update. FEP 2010 Update Rollup 1 makes the process of getting the defs from your DPs a whole lot easier!
Downloading FEP 2010 Update Rollup 1
When you download FEP 2010 Update Rollup 1, you will have the option for x86 and x64 versions as well as a hotfix KB2554364 which is reporting fix that must be installed prior to installing Rollup 1. The reporting fix needs to be installed on your Reporting server. Once you have downloaded FEP 2010 Update Rollup 1 and KB2554364 for the architecture types in your environment (32 or 64 bit) you also need to download the FEP 2010 Update Rollup 1 Tools. It's not required to download all of the tools, but for the purposes of this post, the tool that you want to download is the fepsuasetup.cab which is the Definition Update Automation Tool.
In summary download the following:
- FEP 2010 Update Rollup 1 (you should download two files, Update Rollup 1 as well as KB2554364 for your architecture type)
- Definition Update Automation Tool
Installing FEP 2010 Update Rollup 1 on Infrastructure Servers
Installing FEP 2010 is simple, but can be slightly confusing at first.
- Install FEP2010-Update-KB2554364-xxx-yyy.exe on the server you installed FEP Reporting to (where xxx is the architecture type and yyy is the language; e.g. FEP2010-Update-KB2554364-x64-enu.exe )
- Run FEP2010-Update Rollup-KB2551095-xxx-yyy.exe (this will extract into three folders: FepExt, FepReport, FepUx)
- FepExt is the FEP Extension for Configuration Manager. This needs to be applied on your SCCM Site Server(s).
- FepReport is for FEP Reporting and needs to be installed on the server you installed FEP Reporting to.
- FepUx is the FEP Console Extension and will need to be installed on all SCCM Consoles that plan on managing FEP.
Once you have installed the three components, you have completed the server installation of FEP 2010.
Installing FEP 2010 Update Rollup 1 on Clients
FEP 2010 Update Rollup 1 has a client upgrade as well. By default it modifies the files in the FEP - Deployment package that it created with the initial install. Basically, there's a new FEPInstall.exe file.
Using the "Old" Advertisement to Upgrade Your Clients
Prior to installing FEP 2010 Update Rollup 1, you likely made an advertisement to target machines to install the FEP client. If you would like to use that same advertisement, you will need to modify the program rerun behavior to Always Rerun Program.
Using a New Advertisement to Upgrade Your Clients
Chances are you likely want to use a new advertisement to upgrade your clients. I will assume that you know how to create an advertisement for your environment, however what I would like to point out is a potential collection you can target. FEP creates a collection called Out of Date which is under FEP Collections – Deployment Status. This collection leverages a custom SQL query created by FEP that identifies machines that have an old version of the FEP client. You can target this collection with the new FEP 2010 Update Rollup 1 client package to upgrade your clients, but be forewarned that this collection doesn't limit workstations or servers, so you may want to create other collections that limit to the Out of Date collection if you want to manage your FEP client rollout better.
Configuring a Deployment Package and Deployment for FEP Definitions
In order for the software update automation tool to work, you will need a deployment and package to leverage. But before that, you'll need to make sure you are syncing the FEP 2010 Definitions.
Syncing the FEP 2010 Definition Files
- From the site server that is top most Software Update Point (the one that syncs with Microsoft Update) – Expand Site Database – Site Management – Site Code – Site Settings – Component Configuration
- In the middle pane double click select Software Update Point Component
- In the Classifications tab select Definition Updates
- In the Products tab select Forefront Endpoint Protection 2010 (note: if this is your first time syncing with Microsoft update, you may not see Forefront Endpoint Protection in this list. After the first sync you should see a lot of additional products in this list)
- In the Sync schedule tab select Custom schedule and click the Customize… button
- For the Recurrence Pattern select Custom interval and for Recur every select 1-8 hours (set this at an interval you are comfortable with. The definitions come out three times a day, so at most set this to 8 hours, but if you are comfortable doing it more frequently, then hourly is probably fine)
- Click OK
- Click OK at the Software Update Point Component Properties dialog window
If you had to do the above steps to get the FEP 2010 Definitions to sync, you probably don't want to wait for the sync time to start, so to kick off a manual sync, do the following:
- Expand Site Database – Computer Management – Software Updates – Update Repository
- Right Click on Update Repository
- Select Run Synchronization
- Open <ConfigMgr Install Dir>\logs\wsyncmgr.log to watch the synchronization progress
After you have sync'd the catalog, you should now be able to create a package.
Creating the Deployment Package
- In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
- In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
- Right Click the update you have selected and click Download Software Updates
- Alternatively, you could also select Update List which will allow you to add the definition file to an update list AND download the definition to a package. It's up to you, however in this example I will not be making an update list and will just download to a package.
- In the Download Updates Wizard select Create a new deployment package
- In the Name field, type an appropriate name
- In the Description field, type an appropriate description
- For the package source, create a shared location for the definition files to be downloaded to
- Click Next
- Click Browse in the Distribution Points wizard and select the DPs you would like to send the package to
- Click Next
- Click Next at the Data Access step
- Click Next at the Distribution Settings step
- Click Next at the Download Location step (unless you have downloaded the defs manually to a location on the local network)
- Select the languages you would like the updates in at the Language selection step and click Next
- Click Next at the Summary step
- The updates will download, click Close when finished
If all went well, you should now have a package flowing to the DPs you have selected. You can look at the package status node for the package, or you can watch the distmgr.log on each of the servers if you are so inclined. The next step is to create your deployment.
Creating the Deployment
So just like your package, the deployment will also just have "one" update in it (as you'll find over time the package and deployment will grow to have many updates, but initially we will just select one update).
- In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
- In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
- Right Click the update you have selected and click Download Software Updates
- In the name field, enter FEPDefs (you can name this something different, however I like to keep the package and deployment the same name, and with the Software Update Automation Tool, this will make things easier later, especially if the name of the package and deployment do not have spaces in the name)
- Click Next in the General step
- Click Next in the Deployment Template step
- In the Collection step, use a collection that makes sense for your environment. I would use a test collection here. Click Next
- In the Display/Time settings step, I prefer to select Suppress display notifications on clients, and Client Local Time. Leave the duration at the default of 2 weeks and click Next
- In the Restart Settings step, check the Servers and Workstations boxes to suppress restarts. Definitions should NEVER cause a reboot, but I do this just to be safe. Click Next
- Click Next in the Event Generation step
- In the Download Settings step, I prefer to have clients that are in slow boundaries to download software updates from a distribution point and install. I also prefer to keep the Download software updates from unprotected distribution point and install option selected. Click Next.
- In the Create Template step, if you would like to save the template, create a template name, otherwise uncheck the Save deployment properties as a template option and click Next.
- In the Deployment Schedule step, keep As soon as possible selected and set a deadline to something appropriate (I prefer to set my deadline to a few minutes ahead of the current time so my clients start to install definitions right away). You can also opt to Enable Wake on LAN and Ignore maintenance Windows and install immediately (which I would do since definitions are constantly being sent out and most maintenance windows are open once a month for most customers, however some may have a nightly window, so treat this option as something that will depend on your environment) and click Next.
- At the Summary step click Next
- Click Close when finished
If all went well, you should now have a deployment targeting a test collection. During this time, the package should have completed being copied to all the DPs as well. It's a good idea to validate that the package is on all the DPs at this point. What we have basically done up to this point is created a package and a deployment for a single definition file. Over time, the definitions will obviously be out of date if we don't update the package and deployment. This is where the Software Update Automation Tool will come into play. This will run a scheduled task which triggers an exe to run and update both the package and deployment for FEP AND it will cause the content to be updated on the DPs.
Configuring the Software Update Automation Tool
This step will require creating a scheduled task. I will do the steps from a Windows 2008 R2 stand point. For 2003, the steps will be different
- Extract the SoftwareUpdateAutomation.exe file from the fepsuasetup.cab to <ConfigMgr Installation Folder>\AdminUI\bin
- Open Task Scheduler (on Windows 2008 or 2008 R2 just go to Start and in the Search Field type in Task Scheduler)
- In the Task Scheduler window, right click
Task Scheduler Library and select Create Task - In the Create Task window, type in an appropriate name for the task
- Under security options in the General tab, click the Change User or Group
- In the Select User or Group window, under Enter the object name to select type in System and click OK
- Click the Triggers tab
- Click New…
- Under settings, select One Time and under Advanced Settings select Repeat task every 1 hour for duration of Indefinitely and click OK
- Click the Actions tab
- Click New…
- For Action select Start a program
- Under Settings for the Program/script enter <ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe
- For Add arguments (optional) use /AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0" (replace <deployment name> and <deployment package> with the names of the deployment and package, for example: /AssignmentName FEPDefs /PackageName FEPDefs /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0") and click OK.
- Click OK to close and save the Scheduled Task
Updating Your Policies for Clients to Download the Definitions from Configuration Manager
With update rollup 1 installed, you'll notice in your policies that a slight change has been made to the updates tab.
With update rollup 1 we can leverage the ability to specify Configuration Manager as the primary source for definition updates and also select the ability to check alternative sources if definitions on the client computer are older than a specific number of days. The previous options that we had with FEP 2010 RTM are now classified as alternative sources. So make sure that in your Policies that you update them to leverage Configuration Manager as the primary source for definition updates.
At this point you should now have a scheduled task that will run every hour. This will run hourly and update your package and deployment. When your client computers download policy, they will start to install the latest FEP definition files silently from their distribution points. If you have any questions about the setup of this method, please submit a comment and I'll try to answer when I can.
19 Responses
Hi
I have deployed SCCM2007SP2 R3 and FEP2010 on a Win2k8R2 server running SQL 2008R2.
Four of us are using FEP2010 now but it seems that my machine is not updating the defs.
I have followed through your most excellent guide but do not know what the file share path should be set to when creating the deployment package at step 8.
Can you advise?
Hi, I have also followed your directions exactly but the definitions are still not getting to the client... i can see from log files that the updates are being downloaded on sccm 2007 package share and the package is successfully processed but no updates get to the clients...
When creating the task the general tab always reverts back to "run only when user is logged on" and the following user account is always entered when I select "system" as the user: NT AUTHORITY\SYSTEM. Why can't I select and keep "Run whether user is logged on or not"?
Hi,
Yeah i have the same problem. FEP Version on clients is correct. Using a branch distribution point for the package (showing as ok).Set a new policy and FEP is now using the policy. They are new clients with no definitions so it fails over to wsus/windows update. My problem is that the DP is on a ship with 128K/256K burst! so i cant use windows update etc. I have pre populated the DP, set to manually update the branch distribution point.(this has worked with other packages ok, FEP for example). Any ideas?
I figured out what the problem was.
I ran the software update command at a command prompt, and it came back and told me that /RefreshDP is not a good switch.
I took that out, and it runs fine.
We are having an issue with the first dat update after install is going to msft rather than the DP. Subsequent updats are properly going to the DP. Thoughts on this?
I think this is the new URL for the automatic update
http://www.microsoft.com/downloads/info.aspx?na=41&srcfamilyid=feaef0fa-9943-4511-95ce-4f342d9e60c9&srcdisplaylang=en&u=http%3a%2f%2fdownload.microsoft.com%2fdownload%2fB%2f3%2f0%2fB308526F-7228-410D-BE21-59507C222D0D%2fsoftwareupdateautomation.exe
And for the full toolset: http://www.microsoft.com/download/en/details.aspx?id=26613
Also with the new version, /RefreshDP is no longer supported (Its a default) and you do not require the /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0" as that is the default as well.
I to am having a problem with no client ever trying to load definition updates from distribution points. Everything else is working like it is supposed to. Defintions are being updated and distributed to distribution points but clients don't know to look there. Does it make any difference if WSUS runs on a different server. I have pushed out many packages through Software Distribution but this is the first through Software Updates. Anyone have a clue what might be happening.
Hi Guys,
I have it working in my Development environment but when I check the client MPLog it shows updating from Microsoft update Server. Might want to check a few of your clients as our WAN can't handle updates from MS... Any ideas what to check? The clients are set to check MS after 3 days and will auto retry after 1 day of failed updates.
Heya
While searching why my FEP Updates won't distribute to my distribution points, I came across this blog, much of interesting stuff which I will definately check out later!
@Dan: I think this hotfix might be of help to you ;)
http://support.microsoft.com/kb/2597508/en-us
I consider installing it, but first i need to be sure that the softwareupdateautomation tool does what it is supposed to do.
I hope this will resolve your problem Dan! ;)
Well, I have the same thing. After following this document all seems to work as it should EXCEPT FEP Def Files are coming from the update.microsoft.com instead of my file share on SCCM Server. I also noticed that looking at my Package Source Location, no new Def Files are there.
Any help would be appreciated. I am opening a case with MS and will post if I get a resolution.
Thanks
Hi Michael,
I managed to get it working. When creating the deployment template make sure the duration is set to something large like 2 weeks. I had it set to two hours and didn't realize this meant the updates where only available for 2 hours.
I may have found my issue as well. While the SoftwareUpdateAutomation.exe Tool (SUAT) runs in the background, it does nothing to pull the FEP Defs from the internet, it simply gets them ready for deployment once SCCM downloads them. So, in order for this to work as advertised, we had to bump our Software Update Point Component Syncronization up to happen more frequently (sooner than we had it looking to the alternative source). I am still confirming this has fully fixed our issue, but some of you may want to explore this as a resolution as well.
UPDATE: This is potentially the issue many of you are having.
In addition to increasing the Syncronization of Patches from once per week to once per 4 hours, I was having SUAT issues where it would fail to run. I changed \AdminUI\bin\SoftwareUpdateAutomation.exe where was E:\ to being \\sccmserver\e$\ and the task ran successfully and life is good!
Hope this helps some of you.
One more thing that helped fix mine.
14.Click Next at the Download Location step (unless you have downloaded the defs manually to a location on the local network)
In my case this needed to be directed at my Source Files for the FEP Defs because it needed to know after sync and after the SUAT tool ran that there was new files out there to be installed.
It is NOT easy to install and get working!
I´ve got Problems too. I managed everything to get work. But no Definitions get to the Clients. The hotfix is installed. Any ideas? Perhaps any log Files to check?
This article is great! I struggled with this for a couple days and even had a call into Premier Support. The Rep had me send this article to him because it was so helpful. Fantastic work!
Have any articles about FEP exclusions for Exchange and SQL?