Deploying Forefront Client Security Definitions with SCCM-WSUS

  • Question

  • Hello-

    Current Setup:

    I have FCS installed on my SCCM Clients.
    My SCCM Server is also the WSUS Server.  Forefront Server is on another Server.
    I have my computers in a FCS security group that also has a Forefront Policy deployed to it (GPO).
    The GPO for those PCs is not configured (being that they're SCCM Clients).  So the SCCM Local Policy will be applied.
    My WSUS Server has an Auto-Approval rule in place. 

    I basically followed these steps:
    http://technet.microsoft.com/en-us/library/dd185652.aspx

    My WSUS Server also has Forefront Client Security as a Product, with Definitions as the Classification. Allows for immediate installation of definitions.
    My Forefront Policy is configured to not check for updates (so WSUS does it all in the background).

    The Problem:

    My FCS Clients do not download signatures from WSUS.  My FCS Policy does NOT do the check\download for updates on a schedule.
    Do I need to configure anything for the GPO?

    Anyone know of the best way to send (via BITS) Forefront Signature Updates to my Forefront SCCM Clients?

    Thanks!

    Wednesday, June 9, 2010 5:17 PM

Answers

  • You probably need a WSUS policy setting applied to them to install updates at a certain time.  Unfortunately, this also means that if anything else was approved on your SUP, they would pull it and install it as well; however, unless you have that in there, the WUA client in and of itself will not install these.  The allow immediate installation does not affect the signatures and when they install. As you already mentioned, the FCS WUA API call is a foreground mode call, unfortunately.  This has already been previously noted and I believe will be changed in the next product, but I don't believe there are any plans for changing the v1 product for this behaviour.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Wednesday, June 9, 2010 6:39 PM

All replies

  • Hi,

    Is this problem related only to FCS updates? Can you deploy other updates (XP, W7, ...) via ConfigMgr?


    Bechir Gharbi. MCSA, MCSE M+S, MCITP Server/Enterprise Administrator, MCT, MCTS Configuration Manager/Forefront (Time Zone : GMT+1)
    Wednesday, June 9, 2010 5:29 PM
  • Yep.  All other updates are fine.  They deploy and install with no issues.

    This only happens with Forefront Updates.

    They don't get them from WSUS.  But if I edit the FCS Policy to check for and download updates on a schedule, they get them.  That's foreground though.

    Doesn't look like it works from WSUS.

     

    Wednesday, June 9, 2010 5:42 PM
  • But if I apply a WSUS Policy, software updates from my SUP will fail with an error code of 11756, indicating a policy conflict of some sort.  The GP will override the local policy applied by SCCM.

    The "Allow immediate installation" is also rendered useless if I don't configure AU.  And if I configure AU, SCCM updates fail.

    Catch-22, huh.

    Wednesday, June 9, 2010 7:13 PM
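
A read-only client-side check for the state this thread describes, added here as an example and not posted by anyone in the thread: it reads the Windows Update policy values on one client and asks the Windows Update Agent which definition updates are still pending from the managed server. It assumes PowerShell 3.0 or later and a local administrator session; the helper name `Get-PolicyValue` is made up for the example.

```powershell
# Added diagnostic example (not from the thread). Read-only: it changes no
# policy and installs nothing.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Windows Update policy as the client currently sees it.
$policy = [pscustomobject]@{
    WUServer                = Get-PolicyValue $wuKey 'WUServer'
    UseWUServer             = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate            = Get-PolicyValue $auKey 'NoAutoUpdate'
    AUOptions               = Get-PolicyValue $auKey 'AUOptions'
    # Registry value behind "Allow Automatic Updates immediate installation".
    AutoInstallMinorUpdates = Get-PolicyValue $auKey 'AutoInstallMinorUpdates'
}
$policy | Format-List

# AUOptions 4 = automatically download and schedule the install.
$auSchedulesInstall = ($policy.NoAutoUpdate -ne 1) -and ($policy.AUOptions -eq 4)

# Ask WUA what is approved but not yet installed on the managed (WSUS) server.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1    # ssManagedServer
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

# Keep only updates carrying the "Definition Updates" classification.
$pending = @($result.Updates | Where-Object {
    @($_.Categories | ForEach-Object { $_.Name }) -contains 'Definition Updates'
})

"Pending definition updates from managed server: $($pending.Count)"
$pending | ForEach-Object { "  $($_.Title)" }

if ($pending.Count -gt 0 -and -not $auSchedulesInstall) {
    'Definitions are approved and visible to WUA, but no scheduled-install AU policy is in effect.'
} elseif ($auSchedulesInstall) {
    'A scheduled-install AU policy is in effect; check ConfigMgr software update deployments for policy-conflict errors.'
}
```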