Jul 03

Auto Deployment of FEP Definition Updates with ConfigMgr 2007

This week Microsoft released Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 (including some extra tools). The tools update included some extra policies and also a Definition Update Automation Tool. Together with this, there was also an article published about Definition Update Automation with Configuration Manager.

Personally I don’t like the idea of creating a new Task with the Windows Task Scheduler, while we’ve got Status Filter Rules within ConfigMgr. With these rules we can make a “connection” between the scheduled synchronization of the Software Update Point (SUP) and the start of the Definition Update Automation Tool. Otherwise the tool might run while there hasn’t been a new synchronization of the SUP. To prevent this, I will show in this post how to create the Status Filter Rule.

The prerequisites for this post are the same as mentioned in Definition Update Automation with Configuration Manager.

Open the fepsuasetup.cab file and copy SoftwareUpdateAutomation.exe to <Installationdirectory>\AdminUI\bin

In the ConfigMgr Console browse to Site Database > Site Management > <Sitename> > Site Settings > Status Filter Rules and select New Status Filter Rule in the Actions pane.

On the General page, fill in a Name, select as Source ConfigMgr Server, select as Component SMS_WSUS_SYNC_MANAGER, fill in as Message ID 6702 and click Next.

This makes sure that every time the SMS_WSUS_SYNC_MANAGER is DONE this action (which we configure in the next step) will start.

On the Actions page, select Run a Program, fill in as command line "<Installationdirectory>\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName <DeploymentName> /PackageName <PackageName> and click Next.

On the Summary page, click Next.

On the Summary page, click Finish.

Download Microsoft Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 Tools: http://www.microsoft.com/download/en/details.aspx?id=26613

Update 18-07: There are some issues discovered with the new tool, take a look here for more information and solutions: http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx

Update 01-11: A new version of the Definition Update Automation Tool has been released. This version refreshes the Distribution Point by default and has a new option to disable that behavior (/DisableRefreshDP): http://blogs.technet.com/b/configmgrteam/archive/2011/11/01/how-to-use-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx

Oct 11

ConfigMgr 2007, Updating a Windows 7 Image with the latest Software Updates – A less conventional, but very effective way

Inspired by a previous post about the option to Schedule Updates for an already existing Operating System Image in ConfigMgr vNext, I created a little batch-file to do something similar without the GUI of ConfigMgr vNext. Of course, I do know that the ‘best practice’ for ConfigMgr 2007 is to just run another Build and Capture Task Sequence, but in some cases this can come in handy. One thing is for sure, this updates a Windows 7 Image within fifteen minutes.

Background Story

Now let's start with a little background story, to explain why in some situations there might be a need for this batch-file. Every month Microsoft releases new Software Updates. During the Software Updates Deployment, the updates needed by the organization get selected and downloaded to the Software Update Package. In other words, the updates the organization needs are already downloaded and available. To update the existing image with the newest updates, the ‘best practice’ is to deploy the newest updates and run another Build and Capture Task Sequence. Sometimes, especially at smaller companies, this is considered a lot of extra work and effort, and because of that it is often forgotten, even though an up-to-date Windows 7 Image deploys a lot faster than a Windows 7 Image that still has to install a lot of Software Updates. So to help out the people that are just too busy (you can actually fill in anything you want, I just like to think that they are too busy), I created this batch-file that will do everything.

Input Locations

Well… with all this being said, let's take a look at the two most important inputs that we need for this batch-file:

  1. The current setup of the batch-file assumes that there is a Software Updates Package for all Windows 7 (x86 and x64) updates. The Package source of this package is used as input for this batch-file. This location can be found in the Properties of the Software Updates Package (see the first picture) in the ConfigMgr Console. This way there is no need to re-download the Software Updates; they only have to be gathered together from all the subdirectories.
  2. Another important input for the batch-file is the location of the Windows 7 Image that has to be updated. For this the Image path can be used, which can be found in the Properties of the Operating System Image (see the second picture) in the ConfigMgr Console. Don’t forget that the Distribution Point(s) still have to be updated after the batch-file has run!

Batch-file

Now that we know a little background story and where the most important parts of the input come from, let's take a look at the batch-file that will make it happen.

REM ===================================================
REM ARGUMENT -1- TempPartition = %1
REM ARGUMENT -2- UpdatesPackageSource = %2
REM ARGUMENT -3- Architecture = %3
REM ARGUMENT -4- WimFileAndLocation = %4
REM ARGUMENT -5- FromDate MM-DD-YYYY = %5
REM ===================================================

REM ===================================================
REM Stop if an argument is missing; with an empty first argument
REM the MD and RD commands below would act on \TEMP of the current drive
REM ===================================================

IF "%~5"=="" (
ECHO Usage: %~nx0 [DriveLetter:] [UpdatesPackageSource] [Architecture] [WimFile] [MM-DD-YYYY]
EXIT /B 1
)

REM ===================================================
REM Make (temporary) directories for updates and mounting
REM ===================================================

MD "%~1\TEMP\Mount"
MD "%~1\TEMP\Updates"

REM ===================================================
REM Copy updates of the %3 architecture, changed on or after %5,
REM to the temporary directory (paths are quoted to allow spaces)
REM ===================================================

FOR /R "%~2" %%P IN (*%~3.cab) DO (
XCOPY "%%P" "%~1\TEMP\Updates" /H /C /Y /D:%5
)

REM ===================================================
REM Mount image, add updates, commit and unmount
REM ===================================================

DISM /Mount-Wim /WimFile:"%~4" /Index:1 /MountDir:"%~1\TEMP\Mount" /LogPath:"%~1\DISM.log"
DISM /Image:"%~1\TEMP\Mount" /Add-Package /PackagePath:"%~1\TEMP\Updates" /LogPath:"%~1\DISM.log"
DISM /Unmount-Wim /MountDir:"%~1\TEMP\Mount" /Commit /LogPath:"%~1\DISM.log"

REM ===================================================
REM Remove (temporary) directories again
REM ===================================================

RD "%~1\TEMP" /S /Q

Most of it is self-explanatory, with or without the comments, but it also shows that I am using five variables. This makes it easier to adjust for different Windows 7 Images, Package source locations, architectures and dates. These variables are used in the following way:

  1. %1 – Represents the volume that can be used to store the temporary folders.
  2. %2 – Represents the full location of the Software Updates Package source.
  3. %3 – Represents the architecture of the Operating System.
  4. %4 – Represents the full location of the Operating System Image, including the name of it.
  5. %5 – Represents the date of the oldest Software Updates that have to be added (Format: MM-DD-YYYY).

Now let's end this post with how to run this batch-file:
[NameOfBatchFile].BAT [DriveLetter:] [SoftwareUpdatesPackageSourceLocation] [Architecture] [WIMLocation\WIMName] [DateLatestNeededUpdates]
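
Because the batch-file injects every matching .cab it finds under the Package source straight into the image, a pre-flight check of those files is useful. The following is an added example, not part of the original post: a PowerShell script that selects the same files as the batch-file and verifies their Authenticode signature before the batch-file is run. The parameter names and the requirement that the signer subject contains "O=Microsoft Corporation" are assumptions made for this example.

```powershell
# Added example (not from the original post): verify the update .cab files
# before the batch-file adds them to the image.
# Parameter names are assumptions that mirror the batch-file's %2, %3 and %5.
param(
    [Parameter(Mandatory=$true)] [string] $UpdatesPackageSource,                    # %2
    [Parameter(Mandatory=$true)] [ValidateSet('x86','x64')] [string] $Architecture, # %3
    [Parameter(Mandatory=$true)] [datetime] $FromDate                               # %5 (MM-DD-YYYY)
)

if (-not (Test-Path -LiteralPath $UpdatesPackageSource -PathType Container)) {
    throw "Package source not found: $UpdatesPackageSource"
}

# Same selection as the batch-file: *<architecture>.cab in all subdirectories,
# last changed on or after the given date (XCOPY /D semantics).
$cabs = @(Get-ChildItem -LiteralPath $UpdatesPackageSource -Recurse -Filter "*$Architecture.cab" |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime.Date -ge $FromDate.Date })

if ($cabs.Count -eq 0) {
    Write-Warning "No $Architecture updates on or after $($FromDate.ToShortDateString()) found."
    exit 1
}

$rejected = @()
foreach ($cab in $cabs) {
    $sig = Get-AuthenticodeSignature -FilePath $cab.FullName

    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # 'Valid' means the signature is intact and chains to a trusted root on
    # this machine. The subject match is an assumption of this example.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    if (-not $trusted) {
        $rejected += $cab.FullName
        Write-Warning "Rejected: $($cab.FullName) (status: $($sig.Status); signer: $signer)"
    }
}

if ($rejected.Count -gt 0) {
    Write-Error "$($rejected.Count) of $($cabs.Count) packages failed verification; do not service the image."
    exit 1
}

Write-Output "$($cabs.Count) update packages verified."
exit 0
```

A non-zero exit code means the batch-file should not be started; inspect the rejected files in the Package source first.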

Aug 24

Installing Software Updates via a Task Sequence in ConfigMgr 2007

I noticed that when your Site is running in Native Mode you can run into problems with installing Software Updates via a Task Sequence. The first time that you are installing your computer with your Task Sequence there are no problems, but every time after that the Task Sequence will finish successfully but doesn’t install any Software Updates. It looks like it will use existing scan results of the client from the previous scan. So when there are already scan results of your client it will not rescan during your Task Sequence.

To work around this I use the following scripts (that I run before the step Install Software Updates in the Task Sequence):

  1. Initiate Software Updates Scan: http://msdn.microsoft.com/en-us/library/cc144313.aspx
    actionNameToRun = "Software Updates Assignments Evaluation Cycle"

    Dim oCPAppletMgr
    Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")

    Dim oClientActions
    Set oClientActions = oCPAppletMgr.GetClientActions()

    'Loop through the available client actions. Run the matching client action when it is found.
    Dim oClientAction
    For Each oClientAction In oClientActions
       If oClientAction.Name = actionNameToRun Then
          oClientAction.PerformAction
       End If
    Next

  2. Refresh Compliance State: http://msdn.microsoft.com/en-us/library/cc146437.aspx
    Dim newCCMUpdatesStore
    Set newCCMUpdatesStore = CreateObject("Microsoft.CCM.UpdatesStore")

    'Refresh the server compliance state by running the RefreshServerComplianceState method.
    newCCMUpdatesStore.RefreshServerComplianceState

The first script, Initiate Software Updates Scan, lets the client check if it needs new updates, and the second script, Refresh Compliance State, lets the client report back to the server that it needs updates.

Note: It can also happen when you are trying to avoid obsolete clients by starting the Task Sequence via Run Advertised Program.
