none
FCS Installs Definitions Updates anytime , Irregardless of GPO instructing it to do otherwise.

    Question

  • Okay , here is the Rub

       We have WSUS pulling down Definition updates for the Forefront server , but the problem I am seeing is that the updates happen at anytime.  We have a SET GPO for the updates to go off at NOON if its deemed critical.  But for teh last 3 days at 4pm the Anti-malware just send the Definition to user Systems and begins to install it. Totally Ignoring the GPO about WSUS updates.  

    We recently patched WSUS to the Newest Service pack.    Could that have caused these Gremlins.
    Thursday, August 27, 2009 9:14 PM

Answers

  • I'm guessing you mean the clients update their definitions at any time?  This would depend on what you have for client settings in your policies.  If you tell the clients to check for definition updates via FCS policy they are not constrained by any WSUS policies.  The call from FCS to check for definition updates is a WUA API call that uses the WUA client / WSUS however does this based on the interval settings from FCS NOT from WSUS client GPO settings.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Monday, August 31, 2009 2:07 PM

All replies

  • Hi,

     

    Thank you for your post.

     

    Before going any further, would you please tell us how do you deploy the updates via GPO?

     

    Meanwhile, you may refer to the following article to correct your settings.

    http://technet.microsoft.com/en-us/library/dd185652.aspx

     

    Regards,


    Nick Gu - MSFT
    Monday, August 31, 2009 6:47 AM
  • I'm guessing you mean the clients update their definitions at any time?  This would depend on what you have for client settings in your policies.  If you tell the clients to check for definition updates via FCS policy they are not constrained by any WSUS policies.  The call from FCS to check for definition updates is a WUA API call that uses the WUA client / WSUS however does this based on the interval settings from FCS NOT from WSUS client GPO settings.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Monday, August 31, 2009 2:07 PM
  • And just too add to the other comments...
    If you have the policy "Allow Automatic Updates immediate installation" the definitions will install as soon as they are detected as needed.
    That is really the best configuration in almost all cases since the definition will not require the service to restart.

    -Eddie
    Wednesday, September 02, 2009 12:00 AM
  • wow alot has happened since this Thread.  And I have read each one.  There were several things working the nerves here.

    1st and foremost was the misunderstanding that FCS is contrained by WSUS (which I now know is Wrong)

    everything else just came from that one realization ...

    Thank you very much for that one.

     Namaste.
    Monday, October 05, 2009 3:28 PM
  • Is there any way to check for definition updates more than once per hour?
    Thursday, February 16, 2012 11:40 PM