[Updated 12/02/2011]
Earlier today we released an updated version (found here) of the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1. This document provides steps for how to use this tool.
Important Note: We recommend installing the hotfix here if you are using the Definition Update Automation Tool.
With Forefront Endpoint Protection 2010 Update Rollup 1, you now can deploy Forefront Endpoint Protection definition updates to clients by using the Configuration Manager console. There are multiple definition update releases per day, thus making it time-consuming to manually download and deploy each definition update through the Configuration Manager Console. The Definition Update Automation Tool can be used to automate the steps required to keep a deployment of Forefront Endpoint Protection update definitions up to date. The tool will download the latest definition update and update the specified software update deployment with the latest definition. Configuring this tool to run automatically with Windows Task Scheduler or via a Configuration Manager Status Filter Rule can keep a deployment up to date without continuous and repetitive manual processes.
To learn more about managing software updates, click here.
This tool was first released with Forefront Endpoint Protection 2010 Update Rollup 1. This release addresses a number of supportability issues, primarily around logging.
Bug Fixes:
Usage: SoftwareUpdateAutomation.exe parameters
Parameters:
/Help: Get program usage
/SiteServer: Site server computer name
/UpdateFilter: Filter for selecting software updates that are used for the destination packages
/AssignmentName: Name of destination software updates assignment
/PackageName: Name of destination software update package
/DisableRefreshDP: Disable automatic propagation of updated package to Distribution Points
/Verbose: Enable additional logging.
SoftwareUpdateAutomation.exe /AssignmentName FEPDeployment /PackageName FEP
This example uses the local machine as the Site Server and the default UpdateFilter. It adds the latest Forefront Endpoint Protection definition update to Assignment "FEPDeployment" and Package "FEP", and refreshes the Distribution Points if any updates were made to the deployment package.
To run this tool, you must copy the binaries to the Admin UI bin folder:
Now you can run this tool manually from a command line, or use Task Scheduler or a Status Filter Rule to run it automatically.
Note: This tool only downloads the latest Forefront Endpoint Protection definition update and adds it to the existing deployment and package. It does not synchronize the definition update into Configuration Manager. You must still run software update synchronization to bring the latest Forefront Endpoint Protection definition update into the Configuration Manager database before you run this tool. Refer to How to Configure Software Updates Synchronization (http://technet.microsoft.com/en-us/library/bb632893.aspx) for information on how to configure the software update synchronization. As a best practice, before you run this tool, always make sure that a scheduled software update synchronization has completed.
/AssignmentName AssignmentName /PackageName PackageName
Where AssignmentName is the name of the software deployment for the definitions which you recorded earlier and PackageName is the name of the software package that contains the definitions which you recorded earlier. Parameters are not case sensitive.
Note: This is the recommended scheduling option as it allows the Definition Update Automation Tool to automatically run after a WSUS synchronization completes successfully.
Sample RunSoftwareUpdateAutomation.bat:
"<ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName "AssignmentName" /PackageName "PackageName"
Note: It is recommended to put the Definition Update Automation Tool command line in a batch file to prevent problems with the quotes (").
The Status Filter Rule runs the tool under the System account. To enable the tool to download, make sure the System account has the appropriate proxy settings. One option for configuring the proxy settings for localsystem is the BITSAdmin Tool (for more information on the BITSAdmin Tool, click here).
You can use the command: bitsadmin /util /setieproxy localsystem to set the proxy setting for the System account (e.g., bitsadmin /util /setieproxy localsystem myproxy *.mydomain.com).
A proper schedule for software update point synchronization is necessary to keep your Forefront Endpoint Protection clients up-to-date. Below is the recommended setting for these schedules when using this tool:
In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Component Configuration.
Right-click Software Update Point Component, click Properties.
Click the Sync Schedule tab, check Enable Synchronization on a schedule, check Simple schedule and Run every 1 Days.
There are four suggested Configuration Manager and Forefront Endpoint Protection 2010 topologies; see http://technet.microsoft.com/en-us/library/gg412503.aspx. In this section, we will give suggestions on where to run this tool for each topology.
Run this tool on each central site.
Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.
Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.
Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.
SoftwareUpdateAutomation.log will always be the first place to investigate. The log file is located in %ALLUSERSPROFILE%.
You can use the parameter /Verbose to enable verbose logging.
When using Task Scheduler to run the tool, the task must be set to run with highest privileges. Otherwise, no log file will be created.
Error in SoftwareUpdateAutomation.log | Possible Reason and Resolution
Error:Error Downloading SourceURL…… Result: 12007 | Verify that the proxy is set correctly. If you run the tool with a domain user account, check the proxy with the command: netsh winhttp show proxy. If you run the tool with the System account (e.g., you use a Status Filter Rule to run the tool), check the proxy with the command: bitsadmin /util /getieproxy localsystem.
Cannot find the log | The log is under the %ProgramData% folder. If you run the tool on Windows 2003 Server, there is no %ProgramData% environment variable; you can always use %ALLUSERSPROFILE% to access the folder that contains the log file. If you run the tool with a Task Sequence, ensure that the user account used to run the tool has permission to create the log under that folder (and that run as highest privilege is selected). Make sure the command line parameters are set correctly; otherwise no log will be created.
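The checks in the table above can be scripted so that a stalled definition download is noticed quickly. The following PowerShell script is an added example, not part of the tool or the original post; it assumes a failed download is logged on one line containing "Error Downloading" and "Result: <code>" as shown in the table, and the function names and sample lines are constructed for illustration.

```powershell
# Added example (not shipped with the tool). Assumption: a failed download is logged
# on a single line containing "Error Downloading" and "Result: <code>".
function Get-FepDownloadFailure {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match 'Error Downloading\s*(?<url>\S*).*Result:\s*(?<code>\d+)') {
            $code = [int]$Matches['code']
            # 12007 is the WinHTTP/WinINet "server name could not be resolved" error,
            # which is why the table points at the proxy configuration.
            if ($code -eq 12007) {
                $hint = 'Name not resolved: verify the proxy for the account running the tool'
            } else {
                $hint = 'Code not covered by the table: rerun the tool with /Verbose'
            }
            New-Object PSObject -Property @{ Url = $Matches['url']; Result = $code; Hint = $hint }
        }
    }
}

function Get-ProxyCheckCommand {
    # The proxy store to inspect depends on the account that runs the tool:
    # System account (Status Filter Rule) versus a domain user account.
    param([switch]$RunsAsSystem)
    if ($RunsAsSystem) {
        'bitsadmin /util /getieproxy localsystem'
    } else {
        'netsh winhttp show proxy'
    }
}

# The log lives in %ALLUSERSPROFILE%; fall back to constructed sample lines
# when no log exists on this machine.
$log = Join-Path $env:ALLUSERSPROFILE 'SoftwareUpdateAutomation.log'
if (Test-Path $log) {
    $lines = Get-Content $log
} else {
    $lines = @(
        'Error:Error Downloading http://download.example.invalid/definitions.exe Result: 12007',
        'Information: deployment FEPDeployment is up to date'
    )
}

$failures = @(Get-FepDownloadFailure -Line $lines)
$failures | Format-List Url, Result, Hint
if ($failures.Count -gt 0) {
    "Domain user account:  $(Get-ProxyCheckCommand)"
    "System account:       $(Get-ProxyCheckCommand -RunsAsSystem)"
}
```

Run it from an elevated prompt on the site server where the tool runs, after the scheduled run has had a chance to complete.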
-- Jason Lewis
This posting is provided "AS IS" with no warranties and confers no rights.