FCS client not running automatically once downloaded from WSUS

  • Question

  • Hi Team,

    We have configured the client security agent to download through WSUS, but somehow it shows as a notification only and is not running automatically. I have set the Windows Update policy as well through the WSUS server, which says automatic install. WSUS is configured to store the files locally. I have Windows 7 and Windows Server 2008 as client systems.


    If I go to Event Viewer I can see the following details:

    Source: Windows Updates Agent
    Type: Information. EventID: 17

    Description: Installation ready. The following updates are downloaded and ready for installation.
    To install the updates, an administrator should log on to this computer and Windows
    will prompt with further instructions:
    - Client Update for Microsoft Forefront Client Security (1.0.1725.0)


    My requirement is to install the FCS client security as soon as it is downloaded on the client. It should not wait for admins\users to click notifications. Is there anything I need to modify in the Windows Update configuration group policy?


    I have the following settings in the Windows Update GPO so far:
     - Configure Automatic Updates - enabled, option 4, schedule 9.00 am
     - Specify intranet Microsoft update service location - enabled
     - Automatic update detection frequency - enabled
     - Allow non-administrators to receive update notifications
     - Allow Automatic Updates immediate installation
     - Turn on recommended updates via Automatic Updates - enabled
     - No auto-restart with logged on users for scheduled automatic updates installations - enabled

    Any suggestion to make the client security agent install automatically will be highly appreciated.



    Regards,
    Rohit

    Thursday, February 11, 2010 3:17 AM

Answers

  • Sounds like you have it right. It will install at 9am; unfortunately, w/ WSUS you cannot force the client to download/install immediately when it detects something is newly available for that client.

    You could look into creating a package and pushing with SCCM or some other desktop management product if you have one.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    • Marked as answer by Rohit Goel Thursday, February 18, 2010 3:33 PM
    Thursday, February 11, 2010 9:14 PM
  • You should push the FCS client via SCCM as a traditional software deployment package. You'll need to build a program that calls clientsetup.exe with the appropriate command line switches.

    As for the definition updates, I would stay away from SCCM's Software Updates module since there's no easy way to automatically approve new updates and add them to the SU packages. Instead, you should continue to rely on a WSUS auto approval rule to handle the definition updates.

    This isn't strictly related to your question, but here's a code sample that can kick off an immediate scan and install cycle for the AU client, without waiting for the scheduled install time defined in your GPO:

    http://msdn.microsoft.com/en-us/library/aa387102%28VS.85%29.aspx

    Good luck.
    Josh
    • Marked as answer by Rohit Goel Thursday, February 18, 2010 3:33 PM
    Thursday, February 18, 2010 4:51 AM
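
The on-demand scan, download and install cycle that the answer above points to, sketched in PowerShell against the Windows Update Agent COM API. This is an added example, not part of the original thread and not the linked MSDN code; the title filter is an assumption taken from the update name in the Event ID 17 text, and the script has to run elevated on the client.

```powershell
# Added example: on-demand WUA scan, download and install (run elevated on the client).
# $TitleFilter is an assumption for this sketch, based on the update name in Event ID 17.
$TitleFilter = 'Forefront Client Security'

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()   # default server selection follows the WSUS policy

# Only updates approved for this client on the WSUS server are returned.
$found = $searcher.Search("IsInstalled=0 and Type='Software'")

$wanted = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($update in $found.Updates) {
    if ($update.Title -notlike "*$TitleFilter*") { continue }
    # Skip anything that could prompt, since nobody is there to answer.
    if ($update.InstallationBehavior.CanRequestUserInput) { continue }
    if (-not $update.EulaAccepted) { $update.AcceptEula() }
    [void]$wanted.Add($update)
}
if ($wanted.Count -eq 0) {
    Write-Output "No pending update matches '$TitleFilter'."
    return
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $wanted
[void]$downloader.Download()

# Install only what actually finished downloading.
$ready = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($update in $wanted) {
    if ($update.IsDownloaded) { [void]$ready.Add($update) }
}
if ($ready.Count -eq 0) { Write-Output 'Download failed; nothing to install.'; return }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $ready
$result = $installer.Install()

# OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
Write-Output ("Result code: {0}, reboot required: {1}" -f $result.ResultCode, $result.RebootRequired)
```

The search only returns updates the WSUS server has approved for this client, so the auto-approval rule discussed in the thread still governs what can be installed.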

All replies

  • Thanks for the reply. So this client agent must be a software deployment package? Or should it be a part of a patch management package?
    I believe it has to be a software package (program) and pushed as an advertisement on a set of computers\collection (in SCCM). Thanks in advance.


    Regards,
    Rohit

    Wednesday, February 17, 2010 12:00 AM
  • To force the FCS client onto the systems I set up a deadline for 3am, which installs the client immediately. Also in the Automatic approvals, I set an auto approval with an auto deadline of 3am. Every time a new version of the client is downloaded, our workstations get the update asap.

    Hope this helps.

    Thursday, April 22, 2010 7:14 PM
  • Well put Josh, you da man :)

     

    Saturday, April 24, 2010 2:45 AM