[Updated 12/02/2011]

Earlier today we released an updated version (found here) of the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1.  This document provides steps for how to use this tool.

Important Note: We recommend installing the hotfix here if you are using the Definition Update Automation Tool.

Tool Description

With Forefront Endpoint Protection 2010 Update Rollup 1, you now can deploy Forefront Endpoint Protection definition updates to clients by using the Configuration Manager console. There are multiple definition update releases per day, thus making it time-consuming to manually download and deploy each definition update through the Configuration Manager Console. The Definition Update Automation Tool can be used to automate the steps required to keep a deployment of Forefront Endpoint Protection update definitions up to date. The tool will download the latest definition update and update the specified software update deployment with the latest definition. Configuring this tool to run automatically with Windows Task Scheduler or via a Configuration Manager Status Filter Rule can keep a deployment up to date without continuous and repetitive manual processes.

To learn more about managing software updates click here.

Changes since the Last Release

This tool was first released with Forefront Endpoint Protection 2010 Update Rollup 1. This release addresses a number of supportability issues, primarily around logging. 

Bug Fixes:

• Removal of /RefreshDP switch, add new switch: /DisableRefreshDP
• Improved logic to skip updating the deployment package if no content change was detected
• Corrected the default update filter string so it will not retrieve superseded updates and enables functionality when custom updates published by System Center Update Publisher are present

Command line Usage

Command line usage

Usage: SoftwareUpdateAutomation.exe parameters

Parameters:

/Help: Get program usage

/SiteServer: Site server computer name

/UpdateFilter: Filter for selecting software updates that are used for the destination packages

/AssignmentName: Name of destination software updates assignment

/PackageName: Name of destination software update package

/DisableRefreshDP: Disable automatic propagation of updated package to Distribution Points

/Verbose: Enable additional logging.

Example command line

SoftwareUpdateAutomation.exe /AssignmentName FEPDeployment /Package FEP

This example will use local machine as Site Server and use the default UpdateFilter. It will add the latest Forefront Endpoint Protection definition update into Assignment “FEPDeployment” and Package “FEP” and refresh the Distribution Points if any updates were made to the deployment package.

How to use this tool

To run this tool, you must copy the binaries to the Admin UI bin folder:

• <ConfigMgr Install Dir>\AdminUI\bin

 Now you can run this tool manually from a command line, or use Task Scheduler or a Status Filter Rule to run it automatically.

Note: This tool will only download the latest Forefront Endpoint Protection definition update and add it to the existing deployment and package. It will not synchronize the definition update into Configuration Manager. It is still necessary to run software update synchronization to synchronize the latest Forefront Endpoint Protection definition update into the Configuration Manager database before you run this tool. Please refer to How to Configure Software Updates Synchronization(http://technet.microsoft.com/en-us/library/bb632893.aspx) for information on how to configure the software update synchronization.  As a best practice, before you run this tool, always make sure that a scheduled software update synchronization has completed.

How to Use Definition Update Automation Tool with Task Scheduler

1. Start Task Scheduler, and in the Actions pane, click Create Task.
2. In the Create Task dialog box, give the task a name, and then, under Security Options, make sure that the user account specified has the appropriate Configuration Manager permissions to update the definition package and definition assignment specified in the command line. To make sure the program has the right to create log under %ProgramData%, check Run with highest privileges.
3. On the Actions tab, click New, and in the New Actiondialog box, specify the following command line to run:
   • <ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe
4. In the Add arguments text box, enter the following arguments and then click OK:
   

   /AssignmentName AssignmentName /PackageName PackageName

   Where AssignmentName is the name of the software deployment for the definitions which you recorded earlier and PackageName is the name of the software package that contains the definitions which you recorded earlier. Parameters are not case sensitive.

5. On the Triggers tab, click New.
6. In the New Trigger dialog box, under Settings, select Daily.
7. Under Advanced settings, select the check box for Repeat task every, in the list click 8 hour, and then next to for a duration of, click Indefinitely.
8. In the New Trigger dialog box, click OK, and then in the Create Task dialog box, click OK.

How to Use Definition Update Automation Tool with Status Filter Rule

Note: This is the recommended scheduling option as it allows the Definition Update Automation Tool to automatically run after a WSUS synchronization completes successfully.

1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Status Filter Rules.
2. Right-click Status Filter Rules, click New, and then click New Status Filter Rule.
3. On the General page of the New Status Filter Rule Wizard, specify a name for the new status filter rule and configure the following for the message-matching criteria:
   • Set Source: Configuration Manager Server
   • Component: SMS_WSUS_SYNC_MANAGER
   • Message ID: 6702
4. On the Actions page of the New Status Filter Rule Wizard, specify the following action:

• Run a program
• Program: <ConfigMgr Install Dir>\AdminUI\bin\RunSoftwareUpdateAutomation.bat

Sample RunSoftwareUpdateAutomation.bat:

“<ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe” /AssignmentName ”AssignmentName” /PackageName “PackageName”

Note: It is recommended to put the Definition Update Automation Tool command line in a batch file to prevent problems with the quotes (“).

The status filter Rule runs the tool under the System account. To enable the tool to download, make sure the system account has the appropriate proxy settings.   One option to configure the proxy settings for localsystem is to use the BITSAdmin Tool (for more information on the BITSAdmin Tool, click here).

You can use the command: bitsadmin /util /setieproxy localsystem to set the proxy setting for system account. (eg: bitsadmin /util /setieproxy localsystem myproxy *.mydomain.com)

More information about scheduling

A proper schedule for software update point synchronization is necessary to keep your Forefront Endpoint Protection clients up-to-date. Below is the recommended setting for these schedules when using this tool:

1.  Software update point synchronization to run every day.

   In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Component Configuration.

   Right-click Software Update Point Component, click Properties.

   Click Sync Schedule Tab, check Enable Synchronization on a schedule, check Simple schedule and Run every 1 Days.

2. Configure Definition Update Automation Tool to run every time software update point synchronization succeedes as described above in “How to Use Definition Update Automation Tool with Status Filter Rule”.

 Additional considerations

There are four suggested Configuration Manager and Forefront Endpoint Protection 2010 topologies: See http://technet.microsoft.com/en-us/library/gg412503.aspx. In this section, we will give suggestions on where to run this tool for each topology.

• Centralized policy control and centralized Forefront Endpoint Protection administration

Run this tool on each central site.

• Centralized policy control and decentralized Forefront Endpoint Protection administration

Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.

• Decentralized policy control and decentralized Forefront Endpoint Protection administration

Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.

• Decentralized policy control and Forefront Endpoint Protection administration with centralized Forefront Endpoint Protection reporting

Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.

Trouble-shooting

SoftwareUpdateAutomation.log will always be the first place to investigate. The log file is located in %ALLUSERSPROFILE%.

You can use the parameter /Verbose to enable verbose logging.

When using Task Scheduler to run the tool, the task must be selected to run as highest privilege. Otherwise, no log file will be created.

Common Errors and Potential Workarounds

How to Configure Configuration Manager for Forefront Endpoint Protection Update and Create Deployment Package and Assignment

1. If needed, install Windows Server Update Services by using Server Manager. For more information, see How to Install Windows Server Update Services 3.0 in the Configuration Manager library on TechNet.
2. If needed, add the software update point site system role to your Configuration Manager environment. For more information about how to add the software update point site system role, see How to Add the Software Update Point Site Role to a Site System in the Configuration Manager library on TechNet.
3. Configure software updates to download the appropriate updates, and configure the synchronization schedule. For steps on configuring the software updates site system role, see How to Configure Software Updates Synchronization in the Configuration Manager library on TechNet.  When you configure software updates, ensure the following items are selected:
   • On the Classifications tab, select Definition Updates.
   • On the Products tab, select Microsoft Forefront Endpoint Protection 2010.
4. Create Deployment Package and Assignment
• In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Computer Management / Software Updates / Update Repository/Definition Updates/Microsoft/Microsoft Forefront Endpoint Protection 2010
• In the details pane, click the most recent active Forefront Endpoint Protection 2010 definition update (represented by a green icon),and then click Download Software Updates.
• Create the definition update deployment package by completing the Download Updates Wizard for the selected update. When completing the wizard, ensure the following:
  
      On the Deployment Package page, in the Package Source text box, specify a shared folder with permissions appropriate for software distribution in your organization.
      Make note of the name you give this software package; you need this name for the PackageName parameter for the definition update automation tool, which is configured in a later step.
  
• When finished with the Download Updates Wizard, click Finish.
  
• In the details pane, click the same Forefront Endpoint Protection 2010 definition update from step 2, and then click Deploy Software Updates.
• Deploy the definition updates by completing the Deploy Software Updates Wizard. When completing the wizard, ensure the following:
  
      On the General page, specify a name for the software deployment. Make note of this name; you need this name for the AssignmentName parameter for the definition update automation tool, which is configured in a later step.
      On the Deployment Template page, select Create a new deployment definition.
      On the Collection page, click Browse and then select the target collection.
      On the Display/Time Settings page, set the Duration to 2 hours, and if you want users to not be notified that an update is available, select Suppress display notifications on clients.
      On the Create Template page, specify a name for the template.
      On the Schedule page, select As soon as possible. If you selected to suppress display notifications, verify that Set a deadline for software update installation is selected, and verify the deadline time.
      When finished with the Deploy Software Updates Wizard, click Finish.

--Jason Lewis

This posting is provided "AS IS" with no warranties and confers no rights.

The Documentation library for System Center 2012 Configuration Manager has been updated on the web and the latest content has Updated: October 1, 2011 at the top of the topic.

There are no significant updates for the Configuration Manager 2007 documentation library this month.

We’ve been very busy this month, updating the library for the new System Center 2012 branding, publishing information about System Center 2012 Endpoint Protection, and the Package Conversion Manager feature pack, and updating all the docs so that you have the latest information when you download the Release Candidate.

We will continue to add more information for Configuration Manager as we get that information from the product group and in response to customer feedback. At the moment, some topics are published without any content to let you know that it’s planned – but the number of empty topics are now very few! We’ve been working on the topics that we see are being requested by customers. To help you find the right information, use the Configuration Manager 2012 search portal.

Note that we are writing for the released product, rather than for any prerelease version, such as Beta 2 or the Release Candidate. As such, there might be some discrepancies with the prerelease version that you are testing and the documentation.

We value customer feedback and try to incorporate it when possible. Although we can’t promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com.

What's New in the Documentation Library for System Center 2012 Configuration Manager for October 2011

The following information lists the topics that contain significant changes since the September 2011 update.

Supported Configurations for Configuration Manager

– Updated for support statements that were previously published on the Microsoft Connect site.

What’s New in Configuration Manager

– The Client Deployment and Operations section is updated for Remote Control and Endpoint Protection.

Introduction to Site Administration in Configuration Manager

– New topic for overview information about how to plan, deploy, configure, and maintain a Configuration Manager hierarchy.

Planning for Discovery in Configuration Manager

– Updated for new information about Active Directory forest discovery.

Planning for Site Systems in Configuration Manager

– Updated for site system role placement and planning considerations.

Planning for Security in Configuration Manager

– Updated for the section Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management.

Planning for Site Operations in Configuration Manager

– Updated for backup and recovery information.

Prepare the Windows Environment for Configuration Manager

– Updated for information about extending the Active Directory schema for Configuration Manager and setting security permissions so that sites can publish to Active Directory Domain Service, and how to configure IIS for site system roles.

Install Sites and Create a Hierarchy for Configuration Manager

– Updated for Setup information.

Configuring Discovery in Configuration Manager

– Updated for how to configure Active Directory Forest Discovery.

Configuring Settings for Client Management in Configuration Manager

– Updated for how to configure maintenance windows, the implications of multiple maintenance windows, and how these work with Software Center.

Backup and Recovery in Configuration Manager

– Updated for information about how to backup and recover a site.

Reporting in Configuration Manager

– This section has been updated throughout for reporting information.

Security and Privacy for Site Administration in Configuration Manager

– Updated for security best practices related to site administration and privacy information for Discovery.

Technical Reference for Log Files in Configuration Manager

– Updated for the log files that are created by Configuration Manager. We will continue to update this topic when the information becomes available.

Security and Privacy for Migration to System Center 2012 Configuration Manager

– New topic that lists security best practices and issues, and privacy information for when you migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager.

Prerequisites for Client Deployment in Configuration Manager

– Updated for Prerequisites for Mobile Device Clients.

Security and Privacy for Clients in Configuration Manager

– Updated for security and privacy information for clients and mobile devices that are managed by the Exchange Server connector, and privacy information.

About Client Settings in Configuration Manager

– Updated to reflect the latest client settings options.

Introduction to Application Management in Configuration Manager

– Updated for additional information, which includes simulated deployments and supersedence.

How to Simulate an Application Deployment in Configuration Manager

– New topic that provides information about how to use the new simulated deployment option.

How to Use Application Supersedence in Configuration Manager

– New topic that provides information about how to use the new supersedence option.

How to Create Applications in Configuration Manager

- Updated for procedural information.

How to Create Deployment Types in Configuration Manager

- Updated for procedural information.

How to Deploy Applications in Configuration Manager

- Updated for procedural information.

Security and Privacy for Application Management in Configuration Manager

– Updated for security and privacy information for application management and the Application Catalog.

How to Enable CRL Checking for Software Updates

– New topic that provides information about how to enable certificate revocation checking in the Configuration Manager console for when you download software updates.

Security and Privacy for Software Updates in Configuration Manager

– Updated for security and privacy information for software updates.

Security and Privacy for Deploying Operating Systems in Configuration Manager

– Updated for security and privacy information for operating system deployment.

How to Create Collections in Configuration Manager

– Updated procedural information.

How to Use Maintenance Windows in Configuration Manager

– Updated procedural information.

Security and Privacy for Collections in Configuration Manager

– Updated for security and privacy information for collections.

Security and Privacy for Queries in Configuration Manager

– Updated for security and privacy information for queries.

How to Configure Software Inventory in Configuration Manager

– Updated for how to configure software inventory.

How to Use Resource Explorer to View Software Inventory in Configuration Manager

– Updated for how to use Resource Explorer.

Power Management in Configuration Manager

– This section is updated throughout.

Best Practices for Out of Band Management in Configuration Manager

– New topic that lists some operational best practices for when you manage Intel AMT-based computers out of band.

Endpoint Protection in Configuration Manager

– New section that introduces Endpoint Protection how to plan, configure, and use it.

What’s New in the Documentation for Configuration Manager

– Updated for the new Security and Privacy guide and a link to the new glossary.

Frequently Asked Questions for Configuration Manager

– Updated for new questions that include:

• How can I avoid redistributing content that I migrate to System Center 2012 Configuration Manager?
• Can I combine more than one Configuration Manager 2007 hierarchy in a single System Center 2012 Configuration Manager hierarchy?
• Will advertisements rerun after they are migrated?
• What improvements have you made for Internet-based client management?
• Do I have to begin using System Center 2012 Configuration Manager applications immediately after migrating from Configuration Manager 2007?
• What is the quick guide to installing the Application Catalog?
• Can I use update lists in System Center 2012 Configuration Manager?
• Does System Center 2012 Configuration Manager have automatic approval rules like Windows Server Update Services (WSUS)?
• What is a limiting collection and why would I use it?
• Can I include or exclude the members of another collection from my collection?

Configuration Manager Package Conversion Manager (Prerelease)

– New section that provides information about this new feature pack that allows you to convert packages from Configuration Manager 2007 into application for System Center 2012 Configuration Manager.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

The release candidates for System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection are now available on the Microsoft Download Center.  In case you missed it, the release announcement describing the features of the release candidate can be viewed here.   You will find pre-release documentation in our Technet Library here.

We encourage all our readers to download and evaluate these releases and provide feedback through our Community Evaluation Program (CEP).

--Yvette O’Meally

This posting is provided "AS IS" with no warranties, and confers no rights.