This week Microsoft released Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 (including some extra tools). The tools update included some extra policies and also a Definition Update Automation Tool. Together with this, there was also an article published about Definition Update Automation with Configuration Manager.
Personally I don’t like the idea of creating a new Task with the Windows Task Scheduler, while we’ve got Status Filter Rules within ConfigMgr. With these rules we can make a “connection” between the scheduled synchronization of the Software Update Point (SUP) and the start of the Definition Update Automation Tool. Otherwise the tool might run while there hasn’t been a new synchronization of the SUP. To prevent this, I will show in this post how to create the Status Filter Rule.
The prerequisites for this post are the same as mentioned in Definition Update Automation with Configuration Manager.
|
Open the fepsuasetup.cab file and copy SoftwareUpdateAutomation.exe to <Installationdirectory>\AdminUI\bin |
|
|
In the ConfigMgr Console browse to Site Database > Site Management > <Sitename> > Site Settings > Status Filter Rules and select New Status Filter Rule in the Actions pane. |
 |
|
On the General page, fill in a Name, select as Source ConfigMgr Server, select as Component SMS_WSUS_SYNC_MANAGER, fill in as Message ID 6702 and click Next. This makes sure that every time the SMS_WSUS_SYNC_MANAGER is DONE this action (which we configure in the next step) will start. |
 |
|
On the Actions page, select Run a Program, fill in as commandline “<Installationdirectory>\AdminUI\bin\SoftwareUpdateAutomation.exe” |
 |
|
On the Summary page and click Next. |
 |
|
On the Summary page and click Finish. |
 |
Download Microsoft Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 Tools: http://www.microsoft.com/download/en/details.aspx?id=26613
Update 18-07: There are some issues discovered with the new tool, take a look here for more information and solutions: http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx
Update 01-11: A new version of the Definition Update Automation Tool has been released. This version refreshes the Distribution Point by default and has a new option to disable that behavior (/DisableRefreshDP): http://blogs.technet.com/b/configmgrteam/archive/2011/11/01/how-to-use-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx
Discover more from All about Microsoft Intune
Subscribe to get the latest posts sent to your email.
Hi Peter
I have been testing the FEP 2010 Update Rollup 1 for the last week and have found some strange behavior I would like to ask your about.
When the softwareupdateautomation tool runs it downloads the “new” definitions just fine and they are added to my package as well but I can´t get it to update my Deployment no matter what I do.
I have also seen that the Deployment package isn´t automatically refreshed on the distribution unless you use the /RefreshDP switch.
I am pretty sure that I have set it up corectly.
I am using the following command-line to execute to tool:
SoftwareUpdateAutomation.exe /AssignmentName “FEP2010_DefUpdates” /PackageName “FEP2010 DefUpdates” /RefreshDP
Have you seen the same behavior in you testing?
By the way – I like you idea of using a ConfigMgr Status Filer Rule to trigger the Softwareupdateautomation tool, even though I am using the Task Scheduler, I also have a trigger which looks for the 6702 event.
Kind Regards
Michael
Hi Michael,
I’m sorry but I haven’t seen that behavior, yet.. Did take a look at the logfile (C:\ProgramData\SoftwareUpdateAutomation.log)?
Peter
Hi, I have the same problem like Michael. My testing environment is on a Windows 2008 R2 and SQL2008R2 and i start thinking, that may be a compatibility problem.
Hi Petko,
To which of the two statements are you refering? Because I do see (now), that the /RefreshDP is needed.. By default it’s set to false, while the documentation states it’s set to true..
Without specifying /RefreshDP I see the following line in the logfile: SmsAdminUISnapIn Information: 0 : Configuration: SiteServerName: PTSRVR02; SoftwareUpdateFilter: ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1; PackageName: -PackageName-; UpdateLanguages: 0; SoftwareUpdateFolder: ; RefreshDistributionPoints: False; LogFile: C:\ProgramData\SoftwareUpdateAutomation.log. UpdateAssignmentName: -DeploymentName-
Peter
I dont even see a log file get created, does this run on server 2003 boxes?
In Windows Server 2003 the log location is a bit different, the general location is %ProgramData%\SoftwareUpdateAutomation.log. To be honest I have no clue what that would on Windows Server 2003, as the variable %ProgramData% exists since Vista… The easiest way would be to do a search for SoftwareUpdateAutomation.log
Peter
Peter,
In the latest version of softwareupdateautomation RefreshDP is not supported anymore you can use /DisableRefreshDP, RefreshDP is now default enabled.
Thanks Huib!
I indeed didn’t update that yet, but I will do that this weekend!