Apply Forefront Client Security Update Definitions with MOM Task

  • Question

  • Hello guys,

    I'm putting this question here because I have researched and found the answer to the problem. Even at the source where I followed the procedure there is the same problem at the end, left unanswered by the blogger.
    The issue is related to the procedure described in this URL:
    http://blogs.microsoft.co.il/blogs/yanivf/archive/2008/06/09/forefront-client-security-remote-definitions-update-using-mom-tasks.aspx

    I already have Forefront managing my clients running Forefront Client Security at the FCS Console, and also the MOM console communicating normally with the MOM Agents on the clients. All installations of MOM Agents on the clients were made by the MOM Console without any problem, with the exception of some stations that have the Windows Firewall enabled, but that was solved by disabling it.
    The main question on my part is the same posted by kass on June 17, 2009 at the URL above. I followed the steps correctly, but when you apply the update the error occurs: Microsoft Operations Manager was unable to create a process to run a batch response.

    I changed the data in "Enter the application name" from mpam-fe.exe to the full UNC path where the Forefront files are located, and put the parameter -q (quiet) in "Task command line". As a test, I removed the parameter, and yet the process is not executed. With these changes, the error message is a different one, saying that I do not have access to the site (access denied), even though the permissions were assigned correctly to the required groups to have access to this share at the time of installation.

    Therefore, has someone already implemented this parallel update solution for Forefront with a MOM task and succeeded in deploying it?

    Note: I apologize if the area is not correct, but as I didn't find another specific area for MOM 2005 and the problem is related to a feature of Forefront, I decided to put it here.


    Anderson Thiago (Fórum do BABOO)
    Tuesday, January 5, 2010 2:41 PM

Answers

  • Hi,

     

    Thank you for the post.

     

    When you deployed did you choose to run the MOM Agent as LocalSystem and have it fully managed?

    Also, doing this will expose the MOM/WMI timing issue; you need to refer to the following article to set the dependency.
    http://technet.microsoft.com/en-us/library/bb643197.aspx#MOMScripts

     

    "I do not have access to the site (access denied) even though the permissions assigned correctly to the required groups to have access to this share at the time of installation."

    What groups are we talking about here? The script will execute in the context of the MOM Action account on the agent computers, which runs as LocalSystem. That means that the permissions on the share need to be allowed to either Everyone or groups of computers, not users.

     

    Regards,


    Nick Gu - MSFT
    Wednesday, January 13, 2010 6:29 AM
    Moderator
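
As an added illustration of the answer above (not part of the original thread): a task running as LocalSystem reaches a network share as the computer account (DOMAIN\HOSTNAME$), so this PowerShell check lists which allow entries on the definitions folder actually cover computer accounts. The UNC path is a placeholder, the principal names assume an English-language Windows installation, and the function name is hypothetical.

```powershell
# Added example, not from the thread. The UNC path is a placeholder.
param([string]$Path = '\\SERVER\Share')

# A task running as LocalSystem reaches the network as the computer account
# (DOMAIN\HOSTNAME$). These are default principals that account belongs to
# (English names assumed).
$computerPrincipals = 'Everyone', 'Authenticated Users', 'Domain Computers'

function Get-ComputerReadGrants {
    param(
        [Parameter(Mandatory)] $Acl,
        [string[]] $Principals
    )
    $need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($ace in $Acl.Access) {
        # Only allow entries can grant access; deny entries are not evaluated here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # IdentityReference is 'DOMAIN\Name' or a bare well-known name.
        $leaf = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($Principals -contains $leaf -and
            (($ace.FileSystemRights -band $need) -eq $need)) {
            $ace.IdentityReference.Value
        }
    }
}

$grants = @(Get-ComputerReadGrants -Acl (Get-Acl -Path $Path) -Principals $computerPrincipals)
if ($grants.Count -eq 0) {
    "No allow entry for Everyone, Authenticated Users or Domain Computers on $Path."
} else {
    "Computer accounts can read $Path through: $($grants -join ', ')"
}
```

Get-Acl reports the NTFS permissions on the folder; the share-level permissions are a separate layer and must also allow the same principals. Where the output shows only user or service accounts, granting read access to a computer group such as Domain Computers covers the LocalSystem case with less exposure than Everyone.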

All replies

  • First, I would like to thank Nick Gu - MSFT!
    Thank you for answering my question.

    Well, I'll give more details of how my lab environment is set up.
    In our AD, we created a specific user account to be used by Forefront, MOM, IIS and SQL (required for deployment).
    This user account and the Domain Admins group were added to the SQL and MOM groups that were created.
    All the MOM Agent installations made from the MOM Console were performed by the service account, and the agent is running on each client as a local account.
    When I mentioned groups, I was referring to the Domain Admins group; the specific service account also has full control and access to the directory where the file to update Forefront is located.
    Now, is the problem that the permissions were given to a user group and a service account?
    Speaking about the MOM Action account (local account), what if I change the MOM Agent installer so that the agent is installed and executed on the client by the domain service account? I'll check the link you gave me and do the tests ...
    Again, thank you for answering my question!

    HugZ!


    Anderson Thiago (Fórum do BABOO)
    Wednesday, January 13, 2010 9:18 PM