We are testing Forefront Endpoint Protection 2010, and I am having issues after the client is installed to get it to go out and get the latest definition updates from SCCM.
The FEP client installs from SCCM via a custom script that first installs the FEP client (with the policy script that tells the client to look at SCCM and MS Update for Definition Updates), and then manually installs definitions with an exe that I have in the package. The reason I need to install definitions manually is because I've found that until the client has some set of definitions, it will not use any policy that I deploy to the machine either through SCCM or in the initial install. The problem comes in when the client automatically tries to look at Windows Update for the latest definitions. In our environment many users will not have internet access to get these updates, so it fails. Plus since we have SCCM in place, I would want it to pull from there internally instead of using the Internet. I have found that if I kill MpCmdRun.exe at that point, it stops the search; but I'm wondering how I can tell the client to look at SCCM for updates at that point. It normally does this on the interval we set the client to update (8 hours), but I want it to have the latest definitions when it is installed. The button itself always looks at Microsoft as well, which is probably a separate question altogether, and I'm not sure if there is a way to get that to look at SCCM instead of Windows Update. WSUS is not an option.
I'm thinking there has to be a command that I can run that the client is normally using to query SCCM for latest definitions. (NOTE: To keep the definitions updated in SCCM we are using the softwareupdateautomation.exe that updates the deployment which is deployed to these machines).
Any help would be appreciated.
Unfortunately, there is no way for the FEP client to initiate a definition update from SCCM. Since the FEP update package is a regular software update package, the only way for it to be installed is for the SCCM client to initiate a software updates scan, see that the update is needed, and have SCCM push it down. I think the closest you're going to get to having the defs installed from SCCM after the client install is to add a scripted action that initiates a SU scan cycle. I know of one way to do this through WMIC, but there are probably others. Check the following thread:
Also, make sure that your FEP definitions package is advertised to all machines - not just ones that already have FEP installed - so it shows up in the list of approved/available updates and will be immediately available once FEP is installed.
Thanks for the response. I was able to add in a scan and deployment action into my PowerShell script after the install is done. I guess the only question remaining would be whether I need to do both a scan and deployment, or just the scan. I already have these updates advertised via an Update Deployment to all of the machines we are testing on.
Hopefully this is corrected in FEP 2012.
If you have a deadline set for the FEP def package deployment (essentially making it a mandatory advertisement) then just a scan should be sufficient. However, due to the sometimes quirky nature of SCCM timings, it might be a good idea to initiate a deployment action as well.
I'm not sure if this specific behavior will change in SCCM 2012 as it seems that it would require the FEP defs to be separated from the SU deployment process entirely. All I know is that if you click the update button in FEP and you have SCCM selected as the primary update source and to not fallback to the others, it should download the update from SCCM! :-) This is one of the things that really confused me when I first started using FEP. I opened a thread about it and eventually figured out what was happening on my own. Here it is if you're interested in reading it:
- Edited by KevinMJohnston, May 11, 2012 21:19
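
The scan-then-deployment sequence discussed above, as an added example that was not posted by anyone in this thread: it triggers the two SCCM client actions through WMI and then waits for the FEP definition version to change, so the install script can report whether the endpoint is still on the packaged definitions. The function names, the wait times and the registry location used to read the definition version are assumptions.

```powershell
# Added example, not from the thread. Run elevated, after the FEP client and
# the packaged definitions are installed, on a machine with the SCCM client.

# Standard ConfigMgr client schedule IDs for the two actions discussed above.
$actions = @(
    @{ Name = 'Software Updates Scan Cycle';                  Id = '{00000000-0000-0000-0000-000000000113}' },
    @{ Name = 'Software Updates Deployment Evaluation Cycle'; Id = '{00000000-0000-0000-0000-000000000108}' }
)

# Assumption: FEP 2010 records its definition version under this key.
$sigKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'

function Get-FepSignatureVersion {
    $p = Get-ItemProperty -Path $sigKey -ErrorAction SilentlyContinue
    if ($p) { $p.AVSignatureVersion }
}

function Invoke-CcmSchedule([string]$Name, [string]$Id) {
    try {
        Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' `
            -Name 'TriggerSchedule' -ArgumentList $Id -ErrorAction Stop | Out-Null
        Write-Host "Triggered $Name"
        return $true
    } catch {
        Write-Warning "Failed to trigger ${Name}: $($_.Exception.Message)"
        return $false
    }
}

$before = Get-FepSignatureVersion
foreach ($a in $actions) {
    if (-not (Invoke-CcmSchedule -Name $a.Name -Id $a.Id)) { exit 1 }
    Start-Sleep -Seconds 60   # assumed pause so the scan can finish before evaluation
}

# Poll for up to 15 minutes (assumed limit) for a newer definition version.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $after = Get-FepSignatureVersion
} while ($after -eq $before -and (Get-Date) -lt $deadline)

if ($after -ne $before) { Write-Host "Definitions updated: $before -> $after" }
else { Write-Warning "Definition version unchanged ($before); check WUAHandler.log and UpdatesDeployment.log" }
```

An unchanged version after the timeout is not necessarily a failure: if the packaged definitions already match the deployed update, the evaluation finds nothing to install.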
Hi Allan and Kevin,
Here is a blog about initial definition update after FEP client install via Configuration Manager instead of from the live MU.
TechNet Community Support