Best practice for Forefront client updates?

  • Question

  • We have been using Forefront for a while now.
    Suddenly Forefront tries to update itself to a new version. This requires Vista clients to trigger UAC and the users get confused.

    What is the setting for making the Forefront client not update itself? I would rather deploy new versions from Configuration Manager.
    • Edited by HAL07 Tuesday, May 12, 2009 8:14 AM
    Tuesday, May 12, 2009 8:11 AM

Answers

  • So set up your SUP in SCCM with the following views: http://blogs.technet.com/kfalde/archive/2009/04/08/update-views-for-fcs-in-wsus.aspx. You need to make sure you are not auto-approving updates to the FCS client itself in your SUP/WSUS, as you will be pushing those via SCCM packages. It basically sounds like you might have an auto-approval rule in your SUP/WSUS that is approving more than just definitions.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    • Marked as answer by Nick Gu - MSFT Wednesday, May 13, 2009 8:14 AM
    • Unmarked as answer by HAL07 Friday, May 15, 2009 7:15 PM
    • Marked as answer by HAL07 Thursday, May 28, 2009 9:24 AM
    Tuesday, May 12, 2009 5:20 PM
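
One way to check for the over-broad auto-approval rule described in the answer above, as an added example that is not part of the original thread. It assumes it is run on the WSUS/SUP server with the WSUS administration console installed; `Test-ApprovalRule` is a hypothetical helper, and the fallback rules are constructed sample data used when the WSUS API is not available.

```powershell
# Added example: flag enabled WSUS auto-approval rules that cover more than definitions.
function Test-ApprovalRule {
    param([string]$Name, [bool]$Enabled, [string[]]$Classifications = @())
    # Any classification other than "Definition Updates" is outside what should be
    # auto-approved when client versions are deployed as SCCM packages.
    $extra = @($Classifications | Where-Object { $_ -ne 'Definition Updates' })
    # Assumption: a rule with no classification filter matches every classification.
    $tooBroad = $Enabled -and ($Classifications.Count -eq 0 -or $extra.Count -gt 0)
    New-Object psobject -Property @{
        Rule = $Name; Enabled = $Enabled; TooBroad = $tooBroad
        Extra = ($extra -join ', ')
    }
}

try {
    # Live path: read the rules through the WSUS administration API.
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $rules = foreach ($r in $wsus.GetInstallApprovalRules()) {
        @{
            Name            = $r.Name
            Enabled         = $r.Enabled
            Classifications = @($r.GetUpdateClassifications() | ForEach-Object { $_.Title })
        }
    }
}
catch {
    Write-Warning 'WSUS API not available; using constructed sample rules.'
    # Constructed sample data, not taken from the thread.
    $rules = @(
        @{ Name = 'Definitions only (sample)'; Enabled = $true
           Classifications = @('Definition Updates') },
        @{ Name = 'Definitions and updates (sample)'; Enabled = $true
           Classifications = @('Definition Updates', 'Critical Updates', 'Updates') },
        @{ Name = 'No classification filter (sample)'; Enabled = $true
           Classifications = @() }
    )
}

$report = foreach ($r in $rules) { Test-ApprovalRule @r }
$report | Select-Object Rule, Enabled, TooBroad, Extra | Format-Table -AutoSize
```

Any rule reported with `TooBroad` set to `True` can auto-approve non-definition updates; its product categories should be reviewed before narrowing it.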

All replies

  • I cannot see an option for auto-approving only virus updates.
    Friday, May 15, 2009 7:15 PM
  • Hi,

    Thank you for your post.

    According to your description, I’d like to confirm the following:

    1. How do you deploy the client security?

    2. Have you created a rule to approve the updates?

    As far as I know, after the client components are deployed, the client computers must be approved in MOM before they begin to report data. The clients are usually automatically approved within an hour. If you want them to begin reporting data sooner, you can approve them manually. For detailed steps, please see the following:

    1. On the Client Security management server, click Start, click All Programs, click Microsoft Operations Manager, and then click Administrator Console.

    2. In the MOM 2005 Administrator Console, under Console Root, expand Administration, expand Computers, and then click Pending Action.

    3. Right-click the client computer (MCPClient) in the Pending Action list, and then click Approve Manual Agent Installation Now. If you do not see the client in the Pending Action list, wait a few minutes, and then click Refresh on the Action menu.

    4. In the Microsoft Operations Manager dialog box, click Yes to confirm approval. The client computer will disappear from the Pending Action list.

    Meanwhile, to get a better understanding of deploying Client Security, you may read the article at the link below.

    http://technet.microsoft.com/en-us/library/bb404255.aspx

    Regards,

    • Proposed as answer by Nick Gu - MSFT Thursday, May 21, 2009 1:53 AM
    • Marked as answer by Nick Gu - MSFT Friday, May 22, 2009 3:35 AM
    • Unmarked as answer by HAL07 Thursday, May 28, 2009 9:22 AM
    Tuesday, May 19, 2009 5:30 AM