none
Forefront Client Security and Faronics DeepFreeze

    General discussion

  • Hi All,

    I work for a technical college that has about 1500 lab computers where we use a product called DeepFreeze to keep the machines in a consistent state. We are in the process of implementing Microsoft Forefront Client Security and ran into a snag. DeepFreeze runs a maintenance cycle (during which time changes to the hard drive stick) once a week in which the DF client runs Windows Updates during that time frame. We have Forefront Definitions being sent out via WSUS with the expectation that these lab machines would get the updated definitions during the DeepFreeze maintenance cycle. Unfortunately the Forefront Def Updates are not being installed. WindowsUpdates.log shows no applicable updates are being found. Faronics tells me that DeepFreeze will only install approved critical updates, and they believe the Forefront Def Updates are not being classified as "Critical," thus not being installed.

    I'm curious if anyone else is using DeepFreeze and Microsoft Forefront and how you are currently handling your environment.

    Also, if someone knows what Forefront Def Updates are actually classified as in WSUS, that would be helpful too.

    Thanks,
    Justin

    Wednesday, April 21, 2010 10:49 PM

All replies

  • MSRC Severity on definitions = Unspecified as they do not fall under security hotfix guidelines.

    What I would probably recommend is scheduling a signature update to happen at this 1 hour maintenance time.  You can use the mpcmdrun signatureupdate command to do this and create a scheduled task for it.  Check this post out http://blogs.technet.com/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx for some ideas.  That or you could via FCS policies do something like schedule a quick scan right at that time and define in policy that clients update signature when scans are performed.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Monday, April 26, 2010 8:04 PM
    Moderator
  • Hi Justin,

    Also running Deepfreeze and FCS here (also at a college), did you manage to find a work around for getting the Forefront updates on during maintenance periods?

     

    Rob

    Thursday, August 19, 2010 10:29 AM
  • Hi Rob-M,

    I forgot about this thread...
    Yes, we did come up with a solution to our def updating problem. We switched from using the "Windows Update" option during maintenance to the "Run Batch File" during maintenance. I created a batch file that runs a gpupdate /force, creates a "Big Red Button" VBscript, runs the script, then deletes it. I modified a VBscript I found (http://redmondmag.com/Articles/2007/09/01/Whassup-with-WSUS.aspx?Page=2) which didn't work right out the box. The VBscript checks for, downloads, and installs any approved Windows Updates from the assigned Windows Update source, which we assign our WSUS server via Group Policy. The script then reboots the workstation if any of the updates it installed require a reboot. I don't like using "On Error Resume Next" in my VBscripts, but the script would fail at the "objAutomaticUpdates.DetectNow" line on random machines. The "On Error Resume Next" allows the script to continue even if that command fails. I put the gpupdate /force at the beginning so that any GP changes that were made will get "stuck" while the machines are thawed. Also it would be required if the WSUS server(s) changed...

    The modified vbs file that the batch script creates, runs, then deletes is a s follows:

    '==========================================================================
    '
    ' SCRIPT NAME: DFWSUSUpdates.vbs
    ' DISCRIPTION: Checks for, downloads, and installs Windows Updates from WSUS
    '
    '   AUTHOR: Justin Jahns
    '    DATE: 6/2/2010
    '
    '   Source: http://redmondmag.com/Articles/2007/09/01/Whassup-with-WSUS.aspx?Page=2
    '
    '==========================================================================
    On Error Resume Next
    
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objAutomaticUpdates = CreateObject("Microsoft.Update.AutoUpdate")
    objAutomaticUpdates.EnableService
    objAutomaticUpdates.DetectNow
    
    Set objSession = CreateObject("Microsoft.Update.Session")
    Set objSearcher = objSession.CreateUpdateSearcher()
    Set objResults = objSearcher.Search("IsInstalled=0 and Type='Software'")
    Set colUpdates = objResults.Updates
    
    Set objUpdatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
    intUpdateCount = 0
    For i = 0 to colUpdates.Count - 1
     intUpdateCount = intUpdateCount + 1
     Set objUpdate = colUpdates.Item(i)
     objUpdatesToDownload.Add(objUpdate)
    Next
    
    If intUpdateCount = 0 Then
     WScript.Quit
    Else
     Set objDownloader = objSession.CreateUpdateDownloader()
     objDownloader.Updates = objUpdatesToDownload
     objDownloader.Download()
    
     Set objInstaller = objSession.CreateUpdateInstaller()
     objInstaller.Updates = objUpdatesToDownload
     Set installationResult = objInstaller.Install()
    
     Set objSysInfo = CreateObject("Microsoft.Update.SystemInfo")
     If objSysInfo.RebootRequired Then
     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\localhost\root\cimv2")
     Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
     For Each objOperatingSystem in colOperatingSystems
      objOperatingSystem.Reboot()
     Next
     End If
    End If

    The complete batch file that I use is as follows:

    gpupdate /force
    
    > "%Temp%\DFWSUSUpdates.vbs" ECHO '==========================================================================
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO '
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO ' SCRIPT NAME: DFWSUSUpdates.vbs
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO ' DISCRIPTION: Checks for, downloads, and installs Windows Updates from WSUS
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO '
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO '   AUTHOR: Justin Jahns
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO '    DATE: 6/2/2010
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO '
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO '   Source: http://redmondmag.com/Articles/2007/09/01/Whassup-with-WSUS.aspx?Page=2
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO '
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO '==========================================================================
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO On Error Resume Next
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO.
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set fso = CreateObject("Scripting.FileSystemObject")
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set objAutomaticUpdates = CreateObject("Microsoft.Update.AutoUpdate")
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO objAutomaticUpdates.EnableService
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO objAutomaticUpdates.DetectNow
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO.
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set objSession = CreateObject("Microsoft.Update.Session")
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set objSearcher = objSession.CreateUpdateSearcher()
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set objResults = objSearcher.Search("IsInstalled=0 and Type='Software'")
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set colUpdates = objResults.Updates
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO.
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set objUpdatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO intUpdateCount = 0
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO For i = 0 to colUpdates.Count - 1
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO intUpdateCount = intUpdateCount + 1
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set objUpdate = colUpdates.Item(i)
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO objUpdatesToDownload.Add(objUpdate)
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Next
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO.
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO If intUpdateCount = 0 Then
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO WScript.Quit
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Else
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set objDownloader = objSession.CreateUpdateDownloader()
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO objDownloader.Updates = objUpdatesToDownload
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO objDownloader.Download()
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO.
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set objInstaller = objSession.CreateUpdateInstaller()
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO objInstaller.Updates = objUpdatesToDownload
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set installationResult = objInstaller.Install()
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO.
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO Set objSysInfo = CreateObject("Microsoft.Update.SystemInfo")
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO If objSysInfo.RebootRequired Then
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\localhost\root\cimv2")
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO  Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO  For Each objOperatingSystem in colOperatingSystems
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO  objOperatingSystem.Reboot()
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO  Next
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO End If
    >>"%Temp%\DFWSUSUpdates.vbs" ECHO End If
    
    cscript "%temp%\DFWSUSUpdates.vbs"
    
    del "%temp%\DFWSUSUpdates.vbs"

     

    Also, If you looking for a way to manually install WSUS updates on machines (not related to DF) take a look at my posting entitled "WSUS "Big Red Button" VBScript Not Working" (http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/b1452d6b-4925-48c4-9113-d2c71bbf07db)

    I hope these come in handy for someone :)

    Justin

    Thursday, August 19, 2010 1:17 PM
  • Thanks for the prompt reply Justin, looks like this could be very useful to us.

    Rob

    Friday, August 20, 2010 8:34 AM
  • Have you guys had any difficulty with this problem?

    We run DeepFreeze in our labs as well.  Today we booted in Thawed mode so we could run system updates.  After the updates the computers prompted us to Restart.  We did.

    Now we are in an endless loop where DeepFreeze re-froze itself but "Windows 7 Service Pack 1" is installing -- and after it installs "Stage 1 of 2" it restarts... and installs "Stage 1 of 2"... then installs "Stage 1 of 2"... then installs "Stage 1 of 2"... then (etc.).

    We can't get it to run in thawed mode to complete the install and we also can't get the Service Pack to cancel because Deep Freeze keeps resetting anything we change.

    I'm at a loss here, but we have students coming in tomorrow morning for computer science courses... and we will be without computers.  :/

    ANY help is appreciated.

    Robert


    ~ Robert Griffith
    Monday, April 04, 2011 1:55 AM
  • Today we booted in Thawed mode so we could run system updates.

    When you thawed your lab(s), I'm assuming you choose the "Boot Thawed on Next 1 Restarts" option.
    We never use this option for this exact reason... You never know what applications/updates/setting changes will need a restart, or even multiple restarts as in the case with Windows 7 SP1.

    The only thing I could guess is trying to boot into safe mode (pressing F8 right before Windows boots)... Thawing the machines from there.

    Otherwise your going to need to contact Faronics to see if their is a way to disable DF before Windows boots.

    Good Luck!
    Justin

    Monday, April 04, 2011 2:26 PM
  • Hey There,

    did you find a way out of this deadlock? I have exactly the same problem. Update Loop...Rebooting and Updating Registry before Windows comes finally up. Using DeepFreeze with Windows 7and now I cannot go into Thawed Mode.

    If you'd come back and tell me what you did it would be highly appreciated

    Best

    Justin

    Monday, April 18, 2011 10:42 AM
  • This may be posted elsewhere but this is what we did when we had the above issues involving Windows Update, Windows 7 and DeepFreeze:

    1. During boot press F8 to bring up Advanced Boot Options

    2. Select 'Repair Your Computer'

    3. Hit Next to select US Keyboard

    4. Enter admin password

    5. Open Command Prompt

    6. Go to the Windows Partition (not the System Reserved one) , type the following into the command prompt

     

    cd\windows\system32\drivers

    ren DeepFrz.sys DeepFrz.sy_

    exit

     

    7. Restart

    8. Allow computer to boot normally, will appear to run updates as before and will restart on its own

    9. Allow computer to boot normally, this time it should reach the Windows 7 Enterprise screen and say 'Configuring Updates'

    10. Eventually it will say 'Press Ctrl-Alt-Del to logon', however mouse and keyboard will be nonfunction

    11. Press power button to shutdown PC

    12. Repeat steps 1-5
    13. Open Command Prompt, and type the following

     

    cd\windows\system32\drivers

    ren DeepFrz.sy_ DeepFrz.sys

    exit

     

    14. Restart

     

    Wednesday, June 08, 2011 2:46 PM
  • renaming d e e p f r z . sys with d e e p f r z . sy_ wont work on 7.20 

    windows wont continue after windows logo, it will immediately reboot the computer

    Thursday, March 08, 2012 2:44 AM
  • I have had the same problem. only clean way was to re-image the machine.

    What is hapenping is that when a W7 Machine goes out and gets updates it normally takes a reboot to install them.  So what is happening is that.

    A Machine is woken up at or just before a scheduled maintenance window (for us 1-4a)
    Deep Freeze boots them into thaw mode.
    The machine goes out and gets the updates from MS as well as the kms keys.
    The machine then reboots to a frozen state.
    here is the problem. Windows 7 wants to install the updates on the reboot (now you are in a Frozen state and the updates cannot take. I have had updates saying something like 2000 updates to be installed.
    What needs to happened is that the machine needs to be rebooted a 2<sup>nd</sup> time to make sure that all updates are fully installed.  I chose to do all updates in my labs (about 450 computers total at 4 different sites across town up to 20 miles away.

    I image my labs and the end of every semester or when new software comes in.

    The problem here is how you know when to reboot the computer after updates.
    If MS released a big update and one slipped thru you could possibly ruin the lab or labs.

    Job security right? 


    Tuesday, July 31, 2012 3:20 PM
  • Note that the script that I provided above automatically reboots the workstation if any of the updates it installed requires a reboot. Thus, this reboot happens while the workstation is still in the maintenance cycle (thawed). My script has been working flawlessly in our environment (~1500 lab computers) for several years now. In theory, the only time we would have a problem is when an update requires two reboots, which could be the case with a service pack, thus why we don't push service packs via WSUS.

    Justin

    Tuesday, July 31, 2012 4:14 PM