Forefront Endpoint Security Blog

The scoop from the engineering teams...

July, 2011

  • Forefront Endpoint Security Blog

    Errors When Using the FEP 2010 Definition Update Automation Tool

    • 4 Comments

    by Michael Cureton

    We’ve become aware of two issues when using the Definition Update Automation Tool. This blog article presents workarounds for the issues.

    Definition Update Automation Tool fails to add new definition updates to the deployment package


    Symptoms

    The FEP 2010 Definition Update Automation Tool may fail to add new definition updates to your deployment package. Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:

    SmsAdminUISnapIn Error: 1 : Unexpected exception: System.ArgumentException: An item with the same key has already been added.
      at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
      at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
      at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
      at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SccmUtilities.CalculateCleanupDelta(ConnectionManagerBase connection, ICollection`1 freshUpdateFilesObjectList, IResultObject destinationPackageObject)
      at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Update(SoftwareUpdateAutomationArguments arguments)
      at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Main(String[] args)


    Cause

    More than one FEP 2010 definition update is being detected as active by the tool.

    More Information

    The FEP 2010 Definition Update Automation tool queries WMI (SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1) to get the single active FEP 2010 definition update. The exception happens as a result of more than one update being returned. The tool may detect more than one update as being active when one of the two conditions is TRUE:

    1. One or more FEP 2010 definition updates has been expired but not superseded, OR
    2. One or more FEP 2010 definition updates has been orphaned.

    To confirm whether you are experiencing condition #1 or condition #2, run the following WMI query:

    SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0

    If the query only returns one row, then you are experiencing condition #1. If two or more rows are returned, you are experiencing condition #2.

    Workarounds

    Condition #1

    If you are experiencing condition #1, you can prevent the symptom by simply adding the /UpdateFilter flag to the command line for the tool (SoftwareUpdateAutomation.exe) with the appropriate values to filter out expired definition updates that are not superseded.

    For example:

    SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /UpdateFilter "ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"

    Condition #2

    If you are experiencing condition #2, you will need to manually decline the orphaned updates via the WSUS administration console. For each update returned from the WMI query that you used to confirm that you have condition #2, double-click on the LocalizedDisplayName property and note the definition version. The update with the highest definition version will be the active one. The update(s) with the lower definition versions have been orphaned.

    For example, using the list below, 1.107.713.0 would be the active update and the other two updates are orphaned and would need to be declined manually in WSUS.

    Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.103.1405.0)
    Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.105.2231.0)
    Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.107.713.0)
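The following PowerShell script is an added example, not part of the original post or of the FEP tool. It runs the two WMI queries quoted above against the SMS Provider namespace, maps the row counts to condition #1 or #2 exactly as the post describes, and, for condition #2, parses the definition version out of each LocalizedDisplayName so that the highest version is reported as active and the rest as orphaned. The namespace form root\SMS\site_<SiteCode>, the provider server name and the site code are assumptions you must fill in; the three sample titles at the end are the ones listed in the post and are used only to exercise the version logic offline.

```powershell
# Added example (not from the blog post): classify the FEP 2010 definition-update
# state that the Definition Update Automation Tool sees, using the two WMI queries
# from the post. Assumes the SMS Provider namespace root\SMS\site_<SiteCode> and a
# site code supplied by the caller (placeholders).

function Get-FepDefinitionVersion {
    # Extract "1.107.713.0" from a title such as
    # "Definition Update for ... - KB2461484 (Definition 1.107.713.0)"
    param([Parameter(Mandatory=$true)][string]$Title)
    if ($Title -match 'Definition\s+(\d+(?:\.\d+){1,3})\)') {
        return [version]$Matches[1]
    }
    return $null
}

function Resolve-FepActiveUpdate {
    # For the titles returned under condition #2, the highest definition version is
    # the active update; every lower version is orphaned and must be declined in WSUS.
    param([Parameter(Mandatory=$true)][string[]]$Titles)
    $parsed = foreach ($t in $Titles) {
        $v = Get-FepDefinitionVersion -Title $t
        if ($v) { [pscustomobject]@{ Title = $t; Version = $v } }
    }
    $sorted = @($parsed | Sort-Object Version -Descending)
    [pscustomobject]@{
        Active   = $sorted | Select-Object -First 1
        Orphaned = @($sorted | Select-Object -Skip 1)
    }
}

function Test-FepUpdateCondition {
    # Run the tool's own query and the diagnostic query from the post, then map the
    # row counts to the condition the post describes.
    param(
        [Parameter(Mandatory=$true)][string]$SiteCode,
        [string]$ProviderServer = '.'
    )
    $ns = "root\SMS\site_$SiteCode"
    $toolQuery = "SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1"
    $diagQuery = $toolQuery + " AND IsExpired=0"

    $seenByTool = @(Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Query $toolQuery)
    $notExpired = @(Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Query $diagQuery)

    if ($seenByTool.Count -le 1) {
        $condition = 'None'        # the tool already sees a single active update
    } elseif ($notExpired.Count -le 1) {
        $condition = 'Condition1'  # duplicates are expired but not superseded: add /UpdateFilter
    } else {
        $condition = 'Condition2'  # duplicates are orphaned: decline the lower versions in WSUS
    }

    $result = [pscustomobject]@{
        Condition  = $condition
        SeenByTool = $seenByTool.Count
        NotExpired = $notExpired.Count
        Active     = $null
        Orphaned   = @()
    }
    if ($condition -eq 'Condition2') {
        $titles = @($notExpired | ForEach-Object { $_.LocalizedDisplayName })
        $r = Resolve-FepActiveUpdate -Titles $titles
        $result.Active   = $r.Active
        $result.Orphaned = $r.Orphaned
    }
    return $result
}

# Offline demonstration with the three titles listed in the post (no WMI needed).
$sample = @(
    'Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.103.1405.0)',
    'Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.105.2231.0)',
    'Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.107.713.0)'
)
$r = Resolve-FepActiveUpdate -Titles $sample
"Active:   {0}" -f $r.Active.Version
$r.Orphaned | ForEach-Object { "Orphaned: {0}" -f $_.Version }

# Live check against your site (placeholder values):
# Test-FepUpdateCondition -SiteCode 'XYZ' -ProviderServer 'sccm-provider'
```

The version strings are cast to [version] rather than compared as text, so 1.107.713.0 sorts above 1.105.2231.0 even though "1.105.2231.0" is the longer string. The live function only reads from the SMS Provider; declining the orphaned updates remains the manual WSUS step described below.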

    After you have determined the orphaned update(s) title (and version), load the WSUS snap-in and drill down to the Updates node. On the action pane, click New Update View. Select “Updates are in a specific classification” and “Updates are for a specific product”. In step 2, click any classification and ensure that only Definition Updates is checked. Next click any product and ensure that only Forefront Endpoint Protection 2010 is checked. In step 3, specify a name for the view and click OK.

    Locate the created view in the WSUS console. Change the Approval value to "Any Except Declined" and the Status to "Any" and hit Refresh. Click the Title column so that the results are sorted using the version. Find the orphaned update(s) that you identified by version and select the Decline action for each. Once this is complete, you’ll need to wait for the next scheduled Software Update Point (SUP) sync to complete, at which time the updates that you declined will be marked as expired in the ConfigMgr database.

    NOTE: Running a manual SUP sync will NOT expire the declined updates. Only a scheduled sync will perform this operation.

    Once the sync is complete, run the WMI query you used to determine the condition and confirm that only one row is now returned. Going forward, you will also need to run the tool with the condition #1 workaround (the /UpdateFilter flag).

    Definition Update Automation Tool does not refresh distribution points


    Symptoms

    The FEP 2010 Definition Update Automation Tool does not refresh distribution points (DPs) by default. Even though the help output for the tool states that /RefreshDP is set by default, it is not.


    Workarounds

    Add /RefreshDP to the command line for the tool (SoftwareUpdateAutomation.exe). For example:

    SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /RefreshDP

  • Forefront Endpoint Security Blog

    How to move the FEP Databases and the CM Site Database

    • 0 Comments

    by Jeramy Skidmore

    You can move the Configuration Manager site database and associated Forefront Endpoint Protection (FEP) databases after setup has completed to a different SQL Server computer system by:

    1. Backing up the FEP data warehouse (FEPDW_<sitecode>)
    2. Backing up the Configuration Manager Site Database (SMS_<sitecode>)
    3. Uninstalling the FEP reporting component
    4. Restoring the site database and FEP data warehouse to their new locations
    5. Relocating the site database via Configuration Manager setup
    6. Reinstalling the FEP Reporting component

    Detailed steps follow.

    Note

    Configuration Manager 2007 does support moving the site database from a remote SQL Server to the local site server computer if the site server computer is running a supported version of Microsoft SQL Server. For a list of supported SQL Server versions, see Configuration Manager Supported Configurations.

    Note

    FEP hosts two databases, the FEP database (FEPDB_sitecode) and the FEP data warehouse (FEPDW_sitecode). The FEP database serves as a proxy database for extracting data from the Configuration Manager site database. It does not need to be backed up or moved, and will be recreated when the FEP Reporting component is reinstalled.

    To move the databases

    Important: You will require access to the FEP 2010 installation media in order to successfully complete these steps.

    1. Back up the site database on the current site database server and restore it on the new site database server computer using the SQL Server Management Studio. For more information, see How to Move the Site Database.
    2. Back up the FEP data warehouse (FEPDW_sitecode) on the current FEP Reporting SQL Server and restore it to the new Reporting SQL Server. (If you have a remote reporting database and are not moving the FEP reporting database, you can skip this step.)

      Note

      Ensure that the database access permissions are the same on the new databases as they are on the original databases.

    3. On the site server, in Add/Remove programs, uninstall Microsoft Forefront Endpoint Protection 2010 Reporting.
    4. Ensure the primary site server computer account has administrative privileges over the new site database server computer.
    5. Close any open Configuration Manager console connections to the site server.
    6. On the primary site server computer, use the hierarchy maintenance tool (Preinst.exe) to stop all site services by using the following command: Preinst /stopsite.
    7. On the primary site server computer, click Start, click All Programs, click Microsoft System Center, click Configuration Manager 2007, and click ConfigMgr Setup, or navigate to the .\bin\i386 directory of the Configuration Manager 2007 installation media and double-click Setup.exe.
    8. Click Next on the Configuration Manager Setup Wizard Welcome page.
    9. Click Perform site maintenance or reset this site on the Configuration Manager Setup Wizard Setup Options page.
    10. Select Modify SQL Server configuration on the Configuration Manager Setup Wizard Site Maintenance page.
    11. Enter the appropriate SQL Server name and instance (if applicable) for the new site database server as well as the site database name on the Configuration Manager Setup Wizard SQL Server Configuration page.
      Configuration Manager Setup performs the SQL Server configuration process.
    12. Restart the primary site server computer, and verify the site is functioning normally.
    13. On the site server, run serversetup.exe from the FEP installation media.
    14. On the Installation Options step, choose Advanced Topology.
    15. On the Advanced Topology step, ensure that FEP 2010 Reporting and Alerts is selected.
    16. On the Reporting Configuration step, provide the proper computer, instance, and database name for your SQL implementation. Ensure the Reuse existing database check box is selected.
    17. Proceed through setup. This process will recreate the FEP database alongside the relocated site database, and recreate the SQL jobs necessary to move information from the site database into the FEP databases. The FEPDB will be repopulated according to the information stored in the site database.
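The note under step 2 asks you to ensure that database access permissions are the same on the restored databases as on the originals. The PowerShell script below is an added example, not part of the post or of the FEP or Configuration Manager products: it reads the database users and role memberships of the FEP data warehouse on the old and new SQL Servers through System.Data.SqlClient, flags users whose SID no longer matches a server login on the new instance (the usual result of restoring a backup onto a different server), and lists any principal or role membership that is missing or extra. Server instance names and the FEPDW_XYZ database name are placeholders; the catalog views used (sys.database_principals, sys.database_role_members, sys.server_principals) are standard SQL Server views.

```powershell
# Added example (not from the blog post): compare database principals and role
# membership between the original and the relocated FEP data warehouse, and flag
# database users that have no matching login on the new server.
# Assumes Windows authentication and placeholder server/database names.

function Get-DbPrincipalMap {
    param(
        [Parameter(Mandatory=$true)][string]$ServerInstance,
        [Parameter(Mandatory=$true)][string]$Database
    )
    # Standard catalog views; IsOrphaned = 1 when no server login shares the user's SID.
    $sql = @"
SELECT dp.name AS PrincipalName, dp.type_desc AS PrincipalType,
       CASE WHEN sp.name IS NULL THEN 1 ELSE 0 END AS IsOrphaned,
       r.name AS RoleName
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('S','U','G')
  AND dp.name NOT IN ('dbo','guest','INFORMATION_SCHEMA','sys')
ORDER BY dp.name, r.name
"@
    $cs   = "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI;"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $map  = @{}
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $name = [string]$reader['PrincipalName']
            if (-not $map.ContainsKey($name)) {
                $map[$name] = [pscustomobject]@{
                    Type       = [string]$reader['PrincipalType']
                    IsOrphaned = ([int]$reader['IsOrphaned'] -eq 1)
                    Roles      = New-Object System.Collections.ArrayList
                }
            }
            $role = $reader['RoleName']
            if ($role -isnot [DBNull]) { [void]$map[$name].Roles.Add([string]$role) }
        }
        $reader.Close()
    } finally {
        $conn.Close()
    }
    return $map
}

function Compare-DbPermissions {
    # Return one finding per difference; an empty result means the databases match.
    param(
        [Parameter(Mandatory=$true)][hashtable]$Original,
        [Parameter(Mandatory=$true)][hashtable]$Relocated
    )
    $findings = @()
    foreach ($name in $Original.Keys) {
        if (-not $Relocated.ContainsKey($name)) {
            $findings += "MISSING on new server: $name (roles: $($Original[$name].Roles -join ','))"
            continue
        }
        if ($Relocated[$name].IsOrphaned) {
            $findings += "ORPHANED user on new server (no login with matching SID): $name"
        }
        $lost = @($Original[$name].Roles | Where-Object { $Relocated[$name].Roles -notcontains $_ })
        if ($lost.Count -gt 0) { $findings += "ROLE LOST for ${name}: $($lost -join ',')" }
    }
    foreach ($name in $Relocated.Keys) {
        if (-not $Original.ContainsKey($name)) {
            $findings += "EXTRA on new server: $name (roles: $($Relocated[$name].Roles -join ','))"
        }
    }
    return $findings
}

# Usage with placeholder names: the FEP data warehouse on the old and new reporting SQL Servers.
$old = Get-DbPrincipalMap -ServerInstance 'OLDSQL\INST1' -Database 'FEPDW_XYZ'
$new = Get-DbPrincipalMap -ServerInstance 'NEWSQL\INST1' -Database 'FEPDW_XYZ'
Compare-DbPermissions -Original $old -Relocated $new
```

Run it between step 2 and step 3, before uninstalling FEP Reporting, so that any orphaned user or missing role membership is corrected on the new server while the original database is still available for comparison.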
  • Forefront Endpoint Security Blog

    Definition updates: scan on update and update on startup

    • 0 Comments

    Hi folks,

    There have been some questions about these two areas of definition updates, so I wanted to clarify this a bit.

    Whenever FEP does a definition update, a silent rescan of all running processes and loaded modules is performed. If there is malware running that is now detected by the new definitions, that malware is detected within a few seconds of performing the update. There is no action needed on your part after new definitions are downloaded – this silent rescan happens automatically.

    Additionally, the FEP client can be configured to check for definition updates automatically on service start. The behavior is the same as described in Checking for definition updates when starting (yes, that particular blog article deals with FCS, but the FEP behavior is the same). The registry key already exists in the FEP ADMX, which you can download as part of the FEP2010grouppolicytools-<locale>.exe here. For full documentation about all the values in the ADMX, see the FEP ADMX Reference.

    Thanks!
