Guidance on serving the initial FEP definition update with SCCM through a DP


Another hot request from customers about FEP is to have the initial definition update after FEP client installation served through Configuration Manager instead of from live MU.

To achieve this, first follow the article here to keep your SCCM site deployed with the latest FEP definition update. The next step is to ensure that, after FEP installation, the client does not try to get the definition update from live MU but from SUM, and to trigger an update scan and an update re-evaluation on the client so that it picks up the definition update and installs it. There are several things to consider:

1.      Find a way to disable the FEP fallback to WSUS and live MU after FEP client installation.

By default, right after the FEP client is installed, it tries to get the latest definition update through live MU. To prevent this, we need to apply a FEP policy (one that disables the fallback to WSUS and live MU) to the client right after the installation succeeds.

We can use the following FEP policy:

  • Check “Use Configuration manager as the primary source for definition updates”
  • Uncheck “Updates distributed from WSUS”
  • Uncheck “Updates from Microsoft Updates”

The option “Updates from UNC file shares” has to be checked, because the UI doesn’t allow the fallback options to be empty.

How to create a file share for FEP definition is described here: http://technet.microsoft.com/en-us/library/gg398041.aspx. These null files are also beneficial in case deployment through the Update deployment fails for some reason.

Since the FEP deployment program does not automatically apply policy after the installation completes, the client needs to explicitly run the apply FEP policy program afterwards.

When you assign FEP policy to clients, no matter which policy you assign with the specific program, the client always chooses from all the FEP policies assigned to it and applies the one with the highest precedence. So you need to be careful about the policies: make sure that only the expected policy is assigned to the client on which you plan to install the FEP client, and that the proper policies are assigned to the same client after it has installed the FEP client successfully and been added to the FEP Installed collection.

A feasible way to do this is to edit the default policy to remove the fallback options and assign it to All Systems, while assigning other policies to the desired collections. (This is the approach the example below uses.)

2.     After the FEP client installation succeeds and the default policy applies, trigger the client to find and install the latest FEP definition update through SUM.

In our testing, we found the following caveats:

1)     You need to wait for some time after the FEP client is installed before triggering the update scan cycle. Otherwise there might be a timing issue in which the definition update does not show as applicable. In our testing, we found 5 minutes works fine.

2)     Update evaluation is triggered automatically when the policy is changed, or when the client is moved to a new collection that has a different update deployment assignment. If update evaluation is triggered in this way, it triggers an update scan cycle with the force re-scan flag.

3)     If you trigger update evaluation through the API or by initiating the update evaluation action through the client applet, it triggers an update scan cycle without the force re-scan flag and may not find the definition update applicable.

The log screenshot below shows the difference between 2) and 3):

 

If you assign the definition update to All Systems, then you should write a script that calls the Update Scan Cycle and then an Update Evaluation Cycle to find the update and install it. (This is the approach the example below uses.)

If you assign the definition update to the FEP Installed collection, then once the FEP client is installed and the machine has been added to the FEP Installed collection (which may take some time), the policy-triggered update evaluation will find the update and install it.

Step-by-step example of how to do this with a Task Sequence:

  1. Edit the Default Policy to use Configuration Manager as the primary source and not to fall back to WSUS and Microsoft Update, as above.
  2. Go to the Microsoft Corporation FEP – Deployment package, right-click the program Install and open the Properties dialog. Click the Advanced tab, and check “Allow this program to be installed from the Install Software task sequence without being advertised”. Click the Environment tab, and uncheck “Allow users to interact with this program”. Click “Apply” and close the dialog.
  3. Go to the Microsoft Corporation FEP – Policies package, right-click the program Default Desktop Policy and open the Properties dialog. Click the Advanced tab, and check “Allow this program to be installed from the Install Software task sequence without being advertised”. Click the Environment tab, and uncheck “Allow users to interact with this program”. Click “Apply” and close the dialog.
  4. Create a new Package with the following two files: InitiateSoftwareUpdatesEvaluationCycle.cmd, InitiateSoftwareUpdatesEvaluationCycle.vbs and sleep.vbs. Create a Program with the following settings:

Command Line: InitiateSoftwareUpdatesEvaluationCycle.cmd

Program can run: whether or not a user is logged on.

Check “Suppress program notifications”.

Check “Allow this program to be installed from the Install Software task sequence without being advertised”.

  5. Create a custom Task Sequence with the following three “Install Software” steps:

Step 1 – Install FEP Client: Package: Microsoft Corporation FEP – Deployment; Program: Install

Step 2 – Apply Policy: Package: Microsoft Corporation FEP – Policies; Program: Default Desktop Policy

Step 3 – Sleep for 5 minutes: Run Command Line: cscript.exe sleep.vbs; Package: as you created in step 4.

Step 4 – Initiate Update Evaluation Cycle: Package and Program as you created in step 4.

  6. Now you can remove the original FEP Install Advertisement and assign the TS you created in step 5.

Sample script to initiate the Update Deployment Evaluation Cycle:

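Sleep.vbs:

' Wait 5 minutes (the value is in milliseconds) after the FEP client install.
WScript.Sleep 1000*60*5

InitiateSoftwareUpdatesEvaluationCycle.cmd:

@ECHO OFF
REM Run the VBScript with the 32-bit cscript.exe: System32 on x86, SysWow64 otherwise.
SET vbsfile=InitiateSoftwareUpdatesEvaluationCycle.vbs
IF /I "%PROCESSOR_ARCHITECTURE%" EQU "x86" (
  CALL %SystemRoot%\System32\cscript.exe %vbsfile%
) ELSE (
  CALL %SystemRoot%\SysWow64\cscript.exe %vbsfile%
)
REM Pass the cscript exit code back to the task sequence step.
EXIT /B %errorlevel%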

InitiateSoftwareUpdatesEvaluationCycle.vbs:

' Entry point: run the scan cycle first, then the assignments evaluation cycle.
InitiateSoftwareUpdatesEvaluationCycle

Sub InitiateSoftwareUpdatesEvaluationCycle()
    ' Set the required variables.
    Dim actionNameToRun1, actionNameToRun
    actionNameToRun1 = "Updates Source Scan Cycle"
    actionNameToRun = "Software Updates Assignments Evaluation Cycle"

    ' Create a CPAppletMgr instance.
    Dim oCPAppletMgr
    Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")

    ' Get the available ClientActions object.
    Dim oClientActions
    Set oClientActions = oCPAppletMgr.GetClientActions()

    ' Loop through the available client actions. Run the matching client action when it is found.
    Dim oClientAction
    For Each oClientAction In oClientActions
        If oClientAction.Name = actionNameToRun1 Then
            oClientAction.PerformAction
            WScript.Echo "Ran: " & oClientAction.Name
            ' Sleep 3 minutes after initiating the scan for updates to allow the client to finish scanning.
            WScript.Sleep 1000*60*3
        End If
    Next

    ' Second pass: run the evaluation cycle once the scan has had time to finish.
    For Each oClientAction In oClientActions
        If oClientAction.Name = actionNameToRun Then
            oClientAction.PerformAction
            WScript.Echo "Ran: " & oClientAction.Name
        End If
    Next
End Sub
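
Caveat 3) above says a cycle triggered through the API may not find the definition update applicable, so the last task sequence step can check the result rather than assume it. The script below is an added example, not code from the original post: it triggers the same two cycles through the Configuration Manager client's WMI class and then polls the definition age the FEP client reports. The schedule IDs, the root\Microsoft\SecurityClient health class and its properties, and the timing constants are assumptions to confirm on your client version.

```vbscript
' Added example: trigger scan + evaluation, then verify definitions arrived.
Option Explicit

' Assumed ConfigMgr client schedule IDs for the two actions the post runs by name.
Const SCAN_CYCLE = "{00000000-0000-0000-0000-000000000113}" ' Software Updates Scan Cycle
Const EVAL_CYCLE = "{00000000-0000-0000-0000-000000000108}" ' Software Updates Assignments Evaluation Cycle
Const SCAN_WAIT_MS = 180000  ' 3 minutes, the same wait the post's script uses
Const POLL_MS = 30000        ' constructed value: poll every 30 seconds
Const MAX_POLLS = 20         ' constructed value: give up after 10 minutes
Const MAX_AGE_DAYS = 1       ' constructed value: definitions at most 1 day old

Dim smsClient, attempt
Set smsClient = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\ccm:SMS_Client")

smsClient.TriggerSchedule SCAN_CYCLE
WScript.Echo "Triggered scan cycle"
WScript.Sleep SCAN_WAIT_MS
smsClient.TriggerSchedule EVAL_CYCLE
WScript.Echo "Triggered assignments evaluation cycle"

For attempt = 1 To MAX_POLLS
    WScript.Sleep POLL_MS
    If DefinitionsAreCurrent() Then
        WScript.Echo "Definitions are current"
        WScript.Quit 0
    End If
Next
WScript.Echo "Definitions still stale after the evaluation cycle"
WScript.Quit 1   ' non-zero exit makes the task sequence step fail visibly

' True when the FEP client reports antivirus definitions no older than MAX_AGE_DAYS.
Function DefinitionsAreCurrent()
    Dim wmi, status, age
    DefinitionsAreCurrent = False
    On Error Resume Next   ' the namespace is absent until the FEP client is installed
    Set wmi = GetObject("winmgmts:\\.\root\Microsoft\SecurityClient")
    If Err.Number <> 0 Then Exit Function
    For Each status In wmi.ExecQuery("SELECT * FROM AntimalwareHealthStatus")
        age = status.AntivirusSignatureAge
        ' Guard against Null and negative readings (assumption: a client with no
        ' definitions reports a very large age, which can surface as negative).
        If Not IsNull(age) Then
            If age >= 0 And age <= MAX_AGE_DAYS Then
                WScript.Echo "Definition version " & status.AntivirusSignatureVersion
                DefinitionsAreCurrent = True
            End If
        End If
    Next
End Function
```

A non-zero exit code from this step surfaces a client that finished the task sequence without current definitions, instead of leaving it silently unprotected.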

 

 

Comments (4)
  1. Mike says:

    Wow this was a big issue for us, because we had some router ACLs in place that would not allow them to go to MS site!  Wish I had seen this earlier.  How would you propose to handle laptops that go home, but don't check in thru VPN to stay up to date with this setup?

  2. Hi Mike,

    Are you using SCCM to manage these laptops?

    If they don't check in thru VPN, then they need to use IBCM to get the policy and install program. If so, they can still use IBCM channel to install the latest update.

  3. NoSigsUpdateAtInitialExp says:

    You can also use the NoSigsUpdateAtInitialExp switch as described here: blogs.technet.com/…/operating-system-deployment-and-endpoint-protection-client-installation.aspx

  4. anon says:

    Was this issue resolved with support.microsoft.com/…/2597508?
