FEP 2010 Definition Updates integration with SCCM and WSUS

  • Question

  • Hello,

    I am currently evaluating and testing FEP 2010 with the SCCM 2007 SP/R2 integration and have deployed FEP2010 to my existing SCCM environment.

    I have deployed SCCM Software Updates Point (SUP) role with WSUS integration for deployment
    of Microsoft Software Updates to my servers and clients (Windows 7 and Windows 2008 R2).

    My SCCM SUP is configured to synchronize Definition Updates and the definition updates for FEP 2010, which is working perfectly.

    Since there is no “Automatically approve new revisions of approved updates and Automatically decline updates when a new revision causes them to expire” functionality with the WSUS & SCCM integration, I am wondering how this can be achieved with FEP 2010 when using SCCM?

    I have read one post from “Jason Jones” in this forum regarding this topic:
    FEP clients get definitions directly from WSUS; this occurs automatically by configuring WSUS to automatically approve FEP definitions, going against normal "don't mess with the WSUS console" approach when using SCCM


    Does that mean that FEP is not utilizing and re-using the SCCM SUP Site Role and the SCCM DP infrastructure for Definition Updates other than maintaining this manually?

    For my company, we would like our clients to install software updates from the nearest SCCM local distribution point at our Branch Offices. Each branch office has its own SCCM Secondary Site with protected DP. The reason for this is simply to limit the amount of downloads across the WAN :)

    My FEP policies are configured to only download Definition Updates from “Configuration Manager or WSUS”. When I press the “Updates” button in the FEP2010 client and review the WindowsUpdate.log, I can see that FEP is checking against my WSUS server, but since SCCM controls my WSUS, it is natural that no updates are available or approved, which they are in SCCM, since my Software Updates are managed in SCCM.

    If the above is true, I see this as a great disadvantage, as FEP is not utilizing the existing Software Updates infrastructure in SCCM and the possibilities that lie here. The FEP2010 client should have utilized the existing SUP functionality in the Configuration Manager Client with regard to localizing where the new FEP Definition Updates are located in the SCCM Hierarchy. For branch offices with low bandwidth available and many users, this has an impact on the WAN, as the definition updates are downloaded multiple times, instead of 1 time if we had utilized the SCCM infrastructure locally. This also means double administration, as you must administer your WSUS infrastructure both in the SCCM Console and in the WSUS console.

    If the above is false, is there anyone who can guide me in the right direction on how this can be achieved?

    In advance, thanks for any kind of assistance.

    Best Regards
    Anders Horgen


    Best Regards Anders Horgen
    Tuesday, January 4, 2011 6:14 PM


All replies

  • I totally agree with you. According to the TechNet library, you still need a WSUS auto approval rule. Maybe this could be the right way for your (and my) needs:


    • Proposed as answer by --Marc-- Tuesday, January 4, 2011 9:18 PM
    • Unproposed as answer by Anders Horgen Wednesday, January 5, 2011 9:28 AM
    Tuesday, January 4, 2011 9:17 PM
  • Hello Marc,

    Thanks for your kind reply and references.
    I read the article posted by “Kim Oppalfens”; this was interesting reading.

    This workaround only addresses the distribution of FEP2010 Definition Updates and Auto Approval in SCCM,
    where distribution of Definition Updates is only done via the Config Manager client (Software Updates Deployment agent) and not via the FEP2010 client.

    However, this does not address that the FEP2010 client is not Config Manager aware. When pressing the “Update” button, the FEP client communicates only with WSUS when the “Configuration Manager or WSUS” policy is enabled. This results in the FEP client trying to download the patch directly from WSUS without communicating with the SCCM Management Point and SCCM SUP role.

    My opinion is that, when using the “Configuration Manager or WSUS” FEP policy, the FEP client should have been configured to be SCCM Configuration Manager aware and not communicate directly with WSUS, or Microsoft should evaluate creating a new Policy option that is related to “Configuration Manager” only to achieve this. Splitting the FEP Policy option into two options, “Configuration Manager” and “WSUS”, can be beneficial, as there might be customers that want to only utilize their standalone WSUS infrastructure.

    The question to ask is the importance and how valuable it is of allowing the users and administrators to utilize the “Update” button in operation and in troubleshooting scenario if above workaround will be supported.

    I think it is important that the “Update” button is SCCM aware from an SCCM environment perspective :)

    From a customer point of view, I think it is important that Microsoft addresses this issue rather than expecting that the customer shall develop this with the SCCM SDK, which they can’t provide you support on. :)
    Until this is resolved and addressed, this product might not be used in our company because of the amount of branch offices with limited bandwidth available reserved for our business critical applications.

    Best Regards
    Anders Horgen

    Best Regards Anders Horgen
    Wednesday, January 5, 2011 9:28 AM
  • Hi Anders,

    There is a 2nd option to allow you to update FEP clients using the SCCM infrastructure, however it does have an administration overhead.

    We have configured the FEP updates in the normal way through the SCCM Software Updates node.

    This basically pushes out the updates when machines check in for normal updates and gets around the requirement to auto-approve updates (which is always slightly scary).

    It allows us to utilise the SCCM Software Update point and BDP infrastructure to deploy and manage updates so significantly reducing bandwidth.

    The major downside to this is the admin overhead as you have to manually update the Update List, download the package, update the deployment and update the Distribution points.

    It does only take 10 mins to run through the process daily and you only get a single daily update, but you get round the need to have WSUS servers on the BDP, which is a massive overhead in itself.

    Please note that we are currently using this in a test environment and the FEP clients do get updated via the SCCM client. I'm not sure what happens when the Updates button is pressed, but I will run some tests and report back.

    Monday, January 17, 2011 12:16 PM
  • Hi "Grumpy_Monkey" :)

    How has your testing worked out?

    Yes, I am fully aware of the 2nd option, but this is a high administrative overhead.
    If Microsoft shall be able to compete with other AV vendors, they must consider how "Auto Approval" is carried out,
    as this can't be done only at the WSUS level. This feature must also exist with SCCM Site System SUP as well.

    I have been in dialog with Microsoft Premier Support, and this has led to a Design Change Request (DCR)
    with the following goals:

    - “Take advantage of the SCCM 2007 content distribution and SUP framework.” 
    - “Auto Approval” for FEP definition Updates within SCCM Software Update Management (SUP).
    - FEP 2010 client is SCCM MP & SUP aware when such policies are enabled (when pressing Update button inside the FEP client)

    So hopefully we will see some positive change in FEP & SCCM integration in short future.

    Best Regards
    Anders Horgen

    Best Regards Anders Horgen
    Wednesday, January 26, 2011 8:07 AM
  • Anderson I could not agree with you more.  We are moving from Symantec EP, to FEP.  The update method is crazy.  

    In fact we just installed SCCM for FEP.  We use or did use Shavlik NetCheck Pro for windows updates and it was a simple, powerful product that could push updates at the exact time you wanted them to be pushed.  Compared to the mess that is SCCM, WSUS, and FEP, I miss my Symantec and Shavlik products.

    WSUS should be for free users only.  SCCM should not need WSUS at all for any kind of updates.  SUP in SCCM should be everything WSUS is and more.  FEP should sit on top of SCCM, and in the FEP section of SCCM, you should be able to select an option for downloading the updates and automatically approving them... I don't even want to go into the SUP part of SCCM to deal with anything FEP related.  I get that FEP utilizes the infrastructure of SCCM, clients, deployments etc.


    So MY QUESTION is I have followed the Technet documentation and enabled Auto Approval for FEP updates in WSUS (sad), so does WSUS download the updates from MS and make them available to FEP clients or do I have to do something else in SCCM, like download the software in the SUP section to a share???

    Thanks to anyone that can answer my question!!

    Thanks, -Lindy
    Friday, January 28, 2011 6:34 AM
  • Can you share that DCR with us?


    If you can, I will do a search/replace of company name and send it in myself as well.


    I can't agree more on the changes you would like to see, FEP today looks like an almost ready product...

    Monday, January 31, 2011 7:44 AM
  • We have a Central Site and 5 Child Primaries. We have done this to accommodate federated administration. However, my FEP Clients aren't updating even though I've followed the Technet article for the auto-approvals. Each of the Primaries is an Active Software Update Point, but from what I'm reading, that doesn't matter? And the clients will still try to update from the Central Site which has the WSUS that updates directly from Microsoft?
    Thursday, February 3, 2011 8:32 AM
  • Answered my own questions. Managed to get FEP Definitions working and proved that the clients look at their Primary for the update and not the Central. :)
    Thursday, February 3, 2011 10:03 AM
  • Hello Rikard,

    I am sorry for the late reply.

    We opened a ticket with Microsoft Premier Support about the problem scenarios detected above.
    This has led to the FEP product team creating and initiating the Design Change Request (DCR),
    so in this case, it is not the undersigned who has created the DCR that I can share with you :).

    My recommendation to you is that you simply register a ticket with Microsoft Premier Support
    for the same problem, so that they understand that more enterprise customers require this kind of functionality.

    Best Regards
    Anders Horgen

    Best Regards Anders Horgen
    Saturday, February 26, 2011 8:03 AM
  • Hello Lindy,

    Sorry for the late reply.

    It is the correct strategy from Microsoft that WSUS shall be integrated with SCCM.
    In order to have the FEP integration with SCCM complete, the SUP role should be extended with an "Auto Approval" feature for
    wanted Software Updates, where the "Auto Approval" performs the download and updates the "Software Updates Package".

    In this way, the customer can select between manual approval and auto approval according to their
    business needs. Right now, we can only perform manual approval.

    Regarding your technical question:
    If you want to have "Auto Approval" with FEP in the current release, you must follow the guide below:

    This configuration is currently supported by SCCM, but you lose control of approved definitions in the SUP part of SCCM.
    The only configuration you then must do in SCCM is to change the FEP policy, where you configure it to download definitions from "Config Manager or WSUS".
    When this is enabled, the FEP client will download the FEP definitions directly from the WSUS server and not from SCCM (ref. what I have written in this forum regarding this case).

    Hope that I have answered your questions.

    Best Regards
    Anders Horgen

    Best Regards Anders Horgen
    Saturday, February 26, 2011 8:18 AM
  • There is also another method to do updates that hasn't been talked about in this thread, and that is the UNC method, where the clients download the definitions from a UNC share.

    1. One option would be to use a DFS share to get the updates from and use this to save bandwidth.

    2. Use different policies for different locations with different update sources, and provision the updates with scripts.

    I also agree with you that there are some missing functions, such as automatic approval; Config Mgr 2012 has this functionality, as it looks in Beta 1.

    Regards Stefan Schörling Blog: Http:// UG: Http://
    Saturday, February 26, 2011 5:59 PM
  • I can confirm that the Update button does nothing if you are managing your definitions via DP.

    We will be sticking with Symantec Endpoint Protection for the foreseeable future (even though that is an additional cost) as the Group Update Provider functionality is a clear advantage over multiple WSUS servers.

    The main reason for us to deploy SCCM was to remove WSUS from our infrastructure, as the SQL requirements in the small offices are terrible.

    FEP drags that requirement back as you don't want clients pulling updates from a central WSUS server over the WAN.

    Is it being a bit simplistic of me to expect FEP to check the local DP first? It is "integrated" into SCCM, i.e. you have to have SCCM to manage it, so it should integrate with the SCCM client, discover the nearest DP and attempt to download updates from there first.

    Here endeth the rant! :-)

    Edit - Of course with SCCM 2012 and FEP 2012 this all may be moot as they "might" have resolved some of these issues as there is a new combined DP in 2012. (They have to have a new FEP as the old FEP integrates into the MMC-based SCCM 2007 and won't work with 2012). Might just hold off till the upgrade.
    Tuesday, April 5, 2011 9:14 AM
  • This method detailed in the video below does JUST what you need to do. Download the FEP definitions on a central server, and push out that SCCM package on a schedule to all your DPs. Then create a recurring advertisement that applies the definition updates by pulling the package against the local DP.


    I update my FEP clients 3 times a day using a recurring advertisement and pull from local DPs. There is also a nightly 4AM check against the WSUS server, but if the clients have been receiving the updates via the recurring advertisement, no data will be transferred across the WAN during the 4AM WSUS check.


    Why this wasn't built into the FEP infrastructure like it should have been, we'll never know :).



    • Proposed as answer by -Allen- Monday, July 11, 2011 11:55 PM
    • Unproposed as answer by -Allen- Monday, July 11, 2011 11:55 PM
    Monday, May 9, 2011 10:59 PM
  • Hi, FEP 2010 Rollup 1 now includes the functionality you need.

    Now we just need to see how it works! Hehe.

    Thursday, July 14, 2011 10:35 PM
  • Hello,

    Yes, I have not yet had time to post that the DCR was fully accepted by Microsoft.
    Here it is: FEP 2010 Rollup 1, which resolves all the above stuff I wrote in the first place.

    I have not had the chance to test all of it yet.



    Best Regards Anders Horgen
    • Edited by Anders Horgen Thursday, August 11, 2011 1:26 PM Forgot to add text
    • Marked as answer by Anders Horgen Thursday, August 11, 2011 1:26 PM
    Thursday, August 11, 2011 1:26 PM
  • Hi Ander!,

    So what is the conclusion: to use the "Update Definition" button we need to configure either WSUS or UNC, assuming internet is not available (as most organisations do not have on servers)?

    For FEP clients to get definitions directly from WSUS, we have to configure WSUS to automatically approve FEP definitions, going against the normal "don't mess with the WSUS console" approach when using SCCM.

    The question is: can we do it? What are the consequences of doing this?

    Has anyone tested this in production?


    Saturday, January 7, 2012 5:53 PM
  • I have been running this in production since last September of 2011 and it works, but there is an issue or a bug I logged with PSS.  The expired updates for the FEP defs DO NOT CLEAN\EXPIRE properly in SCCM and your clients' local xml store gets bloated with FEP data and will grow to large sizes.  I have 26k clients and 16k of them have WMI repositories over 15gb in size, where normally they should be at 30 to 50mb tops.  This case was decremented as a bug and people need to be aware that if using SCCM and the automation tool, TO CLEAN THEIR WSUS servers on a regular basis.  Again that's something SCCM admins are told not to do, mess in WSUS, but now that's being reviewed.  Proceed with caution.
    Monday, March 19, 2012 5:39 PM
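
The regular WSUS check described in the last post can start as a report of definition updates that are superseded or expired but still undeclined. The PowerShell below is an added example, not part of the thread or of any Microsoft tool; it uses the WSUS administration API on the WSUS server, and the title filter and the `-Decline` switch are assumptions of this example.

```powershell
# Added example (not from the thread). Run on the WSUS server, where the
# WSUS administration API (Microsoft.UpdateServices.Administration) is installed.
# Assumption: FEP definition updates carry 'Forefront Endpoint Protection' in their title.
param(
    [string]$TitleFilter = 'Forefront Endpoint Protection',
    [switch]$Decline    # hypothetical switch: without it the script only reports
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Definition updates that are superseded or expired but were never declined.
# These are the entries that keep accumulating when nothing cleans them up.
$stale = @($wsus.GetUpdates() | Where-Object {
    $_.UpdateClassificationTitle -eq 'Definition Updates' -and
    $_.Title -like "*$TitleFilter*" -and
    -not $_.IsDeclined -and
    ($_.IsSuperseded -or $_.PublicationState -eq 'Expired')
})

# Oldest first, so the size of the backlog is visible at a glance.
$stale | Sort-Object CreationDate |
    Select-Object CreationDate, IsApproved, IsSuperseded, PublicationState, Title |
    Format-Table -AutoSize

Write-Host ("{0} stale definition update(s) still undeclined." -f $stale.Count)

if ($Decline) {
    foreach ($update in $stale) {
        $update.Decline()
        Write-Host "Declined: $($update.Title)"
    }
}
```

Run it without `-Decline` first and compare the count from day to day; a number that only grows matches the behaviour reported above.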