Auto Deployment of FEP Definition Updates with ConfigMgr 2007

This week Microsoft released Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 (including some extra tools). The tools update included some extra policies and also a Definition Update Automation Tool. Together with this, there was also an article published about Definition Update Automation with Configuration Manager.

Personally I don't like the idea of creating a new task in the Windows Task Scheduler when we already have Status Filter Rules within ConfigMgr. With such a rule we can make a "connection" between the scheduled synchronization of the Software Update Point (SUP) and the start of the Definition Update Automation Tool. Otherwise the tool might run before the SUP has completed a new synchronization. To prevent this, I will show in this post how to create the Status Filter Rule.

The prerequisites for this post are the same as mentioned in Definition Update Automation with Configuration Manager.

Open the fepsuasetup.cab file and copy SoftwareUpdateAutomation.exe to <Installationdirectory>\AdminUI\bin.

In the ConfigMgr Console browse to Site Database > Site Management > <Sitename> > Site Settings > Status Filter Rules and select New Status Filter Rule in the Actions pane.

[Screenshot: New Status Filter Rule]

On the General page, fill in a Name, select ConfigMgr Server as Source, select SMS_WSUS_SYNC_MANAGER as Component, enter 6702 as Message ID and click Next.

Message ID 6702 is logged every time SMS_WSUS_SYNC_MANAGER reports that a synchronization is DONE, so the action we configure in the next step starts only after a completed SUP synchronization.

[Screenshot: New Status Filter Rule Wizard, General page]

On the Actions page, select Run a Program, fill in as command line "<Installationdirectory>\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName <DeploymentName> /PackageName <PackageName> and click Next.

[Screenshot: New Status Filter Rule Wizard, Actions page]

On the Summary page, click Next.

[Screenshot: New Status Filter Rule Wizard, Summary page]

On the Summary page, click Finish.

[Screenshot: New Status Filter Rule Wizard, Confirmation page]

Download Microsoft Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 Tools: http://www.microsoft.com/download/en/details.aspx?id=26613

Update 18-07: There are some issues discovered with the new tool, take a look here for more information and solutions: http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx

Update 01-11: A new version of the Definition Update Automation Tool has been released. This version refreshes the Distribution Point by default and has a new option to disable that behavior (/DisableRefreshDP): http://blogs.technet.com/b/configmgrteam/archive/2011/11/01/how-to-use-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx
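As an added check (not part of the original post, nor of Microsoft's tool), the PowerShell script below verifies on the site server that the trigger and the action described above actually line up: it looks up the last 6702 message from SMS_WSUS_SYNC_MANAGER in the SMS provider, checks that SoftwareUpdateAutomation.log was written after that sync, and reads RefreshDistributionPoints from the tool's last Configuration line so a run that left the Distribution Points unrefreshed is caught. The site code, site server name and log path are placeholders/assumptions; the SMS_StatusMessage class and its Component, MessageID, MachineName and Time properties are the standard ConfigMgr provider class.

```powershell
# Verification for the 6702 -> SoftwareUpdateAutomation.exe Status Filter Rule.
# Assumptions: run on (or with WMI access to) the site server; $SiteCode is a placeholder.
param(
    [string]$SiteServer  = 'localhost',                                  # assumption
    [string]$SiteCode    = 'XXX',                                        # placeholder
    [string]$LogPath     = "$env:ProgramData\SoftwareUpdateAutomation.log",
    [int]   $MaxAgeHours = 24                                            # expected SUP sync interval
)

# 1. Last "WSUS Synchronization Done" (6702) message from the SUP component.
$ns    = "root\sms\site_$SiteCode"
$query = "SELECT MachineName, Time FROM SMS_StatusMessage " +
         "WHERE Component = 'SMS_WSUS_SYNC_MANAGER' AND MessageID = 6702"
$last  = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query $query |
         Sort-Object { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.Time) } -Descending |
         Select-Object -First 1

if (-not $last) {
    Write-Warning "No 6702 message from SMS_WSUS_SYNC_MANAGER found; the rule can never fire."
    return
}
$syncDone = [System.Management.ManagementDateTimeConverter]::ToDateTime($last.Time)
$age      = (Get-Date) - $syncDone
if ($age.TotalHours -gt $MaxAgeHours) {
    Write-Warning ("Last SUP sync finished {0:N1} h ago; check the SUP synchronization schedule." -f $age.TotalHours)
} else {
    Write-Host "Last SUP sync finished $syncDone on $($last.MachineName)."
}

# 2. Did the rule's action run after that sync?
if (-not (Test-Path $LogPath)) {
    Write-Warning "$LogPath not found; the tool never ran or logs elsewhere (search for SoftwareUpdateAutomation.log)."
    return
}
if ((Get-Item $LogPath).LastWriteTime -lt $syncDone) {
    Write-Warning "Log is older than the last 6702 message; the Status Filter Rule did not start the tool."
}

# 3. Was the Distribution Point refresh on for the last run?
$cfg = Select-String -Path $LogPath -Pattern 'Configuration: .*RefreshDistributionPoints: (\w+)' |
       Select-Object -Last 1
if (-not $cfg) {
    Write-Warning "No 'Configuration:' line in $LogPath; verify the command line in the rule's action."
} elseif ($cfg.Matches[0].Groups[1].Value -ne 'True') {
    Write-Warning "RefreshDistributionPoints is False: new definitions stay off the DPs (Rollup 1 tool needs /RefreshDP; the 01-11 version refreshes unless /DisableRefreshDP is given)."
} else {
    Write-Host "Last run refreshed the Distribution Points (RefreshDistributionPoints: True)."
}
```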

8 thoughts on "Auto Deployment of FEP Definition Updates with ConfigMgr 2007"

  1. Hi Peter

    I have been testing the FEP 2010 Update Rollup 1 for the last week and have found some strange behavior I would like to ask you about.

    When the softwareupdateautomation tool runs it downloads the "new" definitions just fine and they are added to my package as well, but I can't get it to update my Deployment no matter what I do.

    I have also seen that the Deployment package isn't automatically refreshed on the distribution point unless you use the /RefreshDP switch.

    I am pretty sure that I have set it up correctly.

    I am using the following command-line to execute the tool:
    SoftwareUpdateAutomation.exe /AssignmentName "FEP2010_DefUpdates" /PackageName "FEP2010 DefUpdates" /RefreshDP

    Have you seen the same behavior in your testing?

    By the way, I like your idea of using a ConfigMgr Status Filter Rule to trigger the Softwareupdateautomation tool. Even though I am using the Task Scheduler, I also have a trigger which looks for the 6702 event.

    Kind Regards

    Michael

  2. Hi, I have the same problem as Michael. My testing environment is on Windows 2008 R2 and SQL 2008 R2 and I start thinking that it may be a compatibility problem.

  3. Hi Petko,

    To which of the two statements are you referring? Because I do see (now) that the /RefreshDP is needed. By default it's set to false, while the documentation states it's set to true.
    Without specifying /RefreshDP I see the following line in the logfile:
    SmsAdminUISnapIn Information: 0 : Configuration: SiteServerName: PTSRVR02; SoftwareUpdateFilter: ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1; PackageName: -PackageName-; UpdateLanguages: 0; SoftwareUpdateFolder: ; RefreshDistributionPoints: False; LogFile: C:\ProgramData\SoftwareUpdateAutomation.log. UpdateAssignmentName: -DeploymentName-

    Peter

  4. In Windows Server 2003 the log location is a bit different; the general location is %ProgramData%\SoftwareUpdateAutomation.log. To be honest I have no clue what that would be on Windows Server 2003, as the variable %ProgramData% has existed since Vista... The easiest way would be to do a search for SoftwareUpdateAutomation.log.

    Peter

  5. Peter,

    In the latest version of SoftwareUpdateAutomation, /RefreshDP is not supported anymore; you can use /DisableRefreshDP, as RefreshDP is now enabled by default.
