How to Install Update Rollup 1 for Forefront Endpoint Protection 2010

Author by Concurrency Blog

Part 1: Download Installation Files

This blog post assumes that, for the sake of simplicity, you have installed all Forefront Endpoint Protection roles (Server, GUI, and Reporting) onto one ConfigMgr 2007 Central Site Server.  If you need further assistance, refer to the following link for additional guidance:  http://technet.microsoft.com/en-us/library/hh211538.aspx.

To install Forefront Endpoint Protection 2010's Update Rollup 1, the following two downloads are required.
  1. Update Rollup 1 Prerequisite patch (KB2554364)
  2. Update Rollup 1 (KB2551095)

Also, there are several handy tools that can be downloaded to help streamline your FEP deployment.  The tools can be found here and are explained in more detail below.

fep2010grouppolicytools-en-us.exe
  The FEP Group Policy tool is used to import settings from FEP policy XML files into a Group Policy Object (GPO) in an Active Directory domain, or into the Local Group Policy object on a Windows computer. The tool can also be used to export FEP settings from a GPO into a FEP policy XML file. The FEP ADMX template is used in conjunction with Group Policy Editor in order to manage FEP antimalware settings with Group Policy.

fepbpasetup64bits.msi
  FEP 2010 Best Practices Analyzer. The Microsoft Forefront Endpoint Protection 2010 Best Practices Analyzer (BPA) tool scans the System Center Configuration Manager 2007 and Forefront Endpoint Protection (FEP) configuration settings to identify problematic or missing settings that may prevent optimized use of FEP. The tool is based on the Microsoft Baseline Configuration Analyzer (MBCA) 2.0.

fepserverrolepoliciesforusewithconfigmgrui.exe
  These files are FEP policy XML files, each of which has preconfigured optimized settings for particular server roles such as Microsoft SQL Server, Microsoft Exchange, and Active Directory. The settings enable exclusions and change other FEP antimalware settings to minimize the impact of FEP on the designated server workload. The policy files for use with Configuration Manager are designed to be used only in conjunction with the FEP management node in the Configuration Manager console. Do not use the FEP Server Role Policies with the FEP Group Policy tool. If you do, Group Policy merging might result in the intended configuration not being applied. For information about installing and using the FEP Server Role Policies, see FEP Policy Templates in the FEP 2010 TechNet Library.

fepserverrolepoliciesforusewithgpo.exe
  These files are FEP policy XML files, each of which has preconfigured optimized settings for particular server roles such as Microsoft SQL Server, Microsoft Exchange, and Active Directory. These settings enable exclusions and change other FEP antimalware settings to minimize the impact of FEP on the designated server workload. The policy files for use with Group Policy are designed to be used only in conjunction with the FEP Group Policy tool, and are specifically designed so that Group Policy merging results in the correct Resultant Set of Policy. Each file contains only optimized settings for a particular server; the default settings applicable for all Windows servers are provided in a separate file. These files should not be used with the FEP management node in the Configuration Manager console. The policy files do not contain all the settings required by the FEP policy management interface, and might result in error messages when the UI attempts to parse the files.

fepsuasetup.cab
  Definition Update Automation Tool for Forefront Endpoint Protection 2010. This tool enables you to automate downloading and publication of FEP definition updates using the Configuration Manager 2007 Software Update feature. This is a command line tool that uses the Configuration Manager API to download new definitions from Microsoft Update, distribute them to the software update point, and publish the definitions to the endpoints.  To automate the tool, you must add a Windows task to run it automatically at a scheduled interval.

Part 2: Install the Reporting Prerequisite Patch

To start the install process, you must first install prerequisite update KB2554364 for FEP Reporting.
  1. On your SCCM Central Site Server, launch either FEP2010-Update-KB2554364-x64-ENU.EXE (if you are on a 64-bit system) or FEP2010-Update-KB2554364-x86-ENU.EXE (if you are using a 32-bit system).
  2. On the first page of the wizard, simply click Next.
  3. Accept the software license terms by checking the checkbox, then click Next.
  4. On the Setup Summary page, click Install.
  5. The install should not take very long to complete.
  6. When the installation completes successfully, click Next.
  7. On the Installation Complete page of the wizard, click Finish.

Part 3: Install Update Rollup 1

The next task is to install the update rollup itself by following these steps.
  1. Run FEP2010-Update-Rollup-KB2551095-x86-ENU.exe (for 32-bit machines) or FEP2010-Update-Rollup-KB2551095-x64-ENU.exe (for 64-bit machines).  This is the actual Update Rollup itself.  This executable will launch and ask you where you want to put the extracted files.  Choose a location, then press OK.
  2. Once extracted, the folder structure should include the folders FepExt, FepReport, and FepUx.
  3. Browse to the FepExt folder and launch Setup.exe.
  4. When the Update Rollup 1 for Microsoft Forefront Endpoint Protection 2010 Server (KB2551095) launches, click Next.
  5. On the next page of the wizard, check the box to accept the software license terms, and then click Next.
  6. On the Setup Summary page, click Install.
  7. Wait for the installer to finish all its tasks.
  8. When the install completes, click Next and finish the wizard.
  9. Navigate to the next of the three folders, FepReport, and execute Setup.exe.
  10. When the wizard launches for the Update Rollup 1 for Microsoft Forefront Endpoint Protection 2010 Reporting (KB2551095), click Next.
  11. On the Software License Terms page, accept the terms, and then click Next.
  12. On the Setup Summary page of the wizard, click Install.
  13. Wait for the FEP Reporting update to complete.
  14. When the installation completes, click Next.
  15. On the Installation Complete page, click Finish to exit the wizard.
  16. Navigate to the third folder in the Update Rollup, FepUx, and launch Setup.exe.
  17. Once the Update Rollup 1 for Microsoft Forefront Endpoint Protection 2010 Console (KB2551095) launches, click Next.
  18. On the Software License Terms page of the wizard, check the box to accept the license terms, then click Next.
  19. On the Setup Summary page, click Install.
  20. Wait as the last of the three parts of the Update Rollup 1 completes.
  21. Once the installation completes successfully, click Next.
  22. Finally, click Finish to exit the wizard, concluding the actual install of Update Rollup 1.

Part 4: Automating Definition Update Deployments

ConfigMgr 2007 has the out-of-the-box capability of deploying Software Updates to the ConfigMgr clients.  Normally, all updates have to be approved by an Administrator and rolled out.  In the case of Forefront Endpoint Protection 2010 definition updates, Microsoft released a tool that assists Administrators in automating the definition update deployments.  The following steps will walk through how to set up ConfigMgr to automatically deploy definition updates for FEP 2010.  It is assumed you have already set up and properly configured Software Updates in ConfigMgr and are simply extending that functionality to deploying definition updates for FEP 2010.
  1. Create a folder for the FEP 2010 Definitions.  This location needs to be accessible through a UNC path.  An example UNC path might be \\servername\source\SUP\FEP2010.
  2. Open the ConfigMgr console and navigate to Computer Management > Software Updates > Update Repository > Definition Updates > Microsoft > Forefront Endpoint Protection 2010.
  3. Highlight the most recent Forefront Endpoint Protection definition update (hint: it should be the only definition still in green, as the older ones are gray).
  4. Right-click the latest FEP definition update and choose Download Software Updates from the pop up menu.
  5. In the first step of the wizard (Deployment Package page), you will need to create a new Deployment Package for FEP 2010 Definition Updates.  Specify a name, a description (optional), and the UNC path you created in step one above.  Click Next.
  6. On the Distribution Points page of the wizard, browse to and select your Distribution Point(s), then click Next.
  7. On the Data Access page of the wizard, simply click Next.
  8. On the Distribution Settings page of the wizard, choose the settings that make sense for your environment, then click Next.
  9. On the Download Location page of the wizard, choose to download from the Internet, and then click Next.
  10. On the Language Selection page of the wizard, choose the languages that apply to your environment, and then click Next.
  11. On the Summary page, double check your selections, and then click Next.
  12. Wait for the wizard to apply your settings.
  13. On the Confirmation page of the wizard, click Close.
  14. Now that you have a Deployment Package, you will want to Deploy the FEP Definition Update so that a collection has the definition updates assigned to it.  Right-click the same update you downloaded earlier and this time choose Deploy Software Updates.
  15. When the Deploy Software Updates Wizard appears, type a name which will be used as the Deployment Management name.  Think of the Deployment Management as a Software Update Advertisement.  Optionally, type a description, and then click Next.
  16. On the Deployment Template page of the wizard, choose the option Create a new deployment definition.  Click Next.
  17. Choose a Collection to target with the FEP Definition Updates.  In this case we are using the All Systems collection that is built into ConfigMgr.  Click Next.
  18. On the Display/Time Settings page of the wizard, select the radio button for Suppress display notifications on clients.  The rest of the settings you may set however you like on this page.  Click Next.
  19. Choose to suppress the restart for Servers and Workstations by checking the two checkboxes, then click Next.
  20. On the Event Generation page of the wizard, click Next.
  21. On the Download Settings page of the wizard, pick the settings that are appropriate for your environment, and then click Next.
  22. If you want to save the template, check the box to Save deployment properties as a template.  You would then give the template a name, and then click Next.
  23. On the Schedule page of the wizard choose As soon as possible and set a deadline that is about 5 minutes in the future from when you set this all up.  You will want the deadline to be immediate so that from here on all your Definition Updates are deployed upon approval.  The last two checkboxes are dependent on your company policies.  Click Next.
  24. On the Summary page of the wizard click Next.
  25. When the wizard completes, click Close.
  26. At the beginning of this article there was mention of the FEP Tools.  I won’t go into detail about all of them, but there is one in particular I want to mention, the SoftwareUpdateAutomation.exe.  This EXE is extracted from the FEPSUASETUP.CAB file that you downloaded earlier.
  27. Extract SoftwareUpdateAutomation.exe from FEPSUASETUP.CAB and copy it to the proper folder. 32-bit servers use %ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin while 64-bit servers use %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin.  The below screen shot is from a 32-bit server.
  28. In the ConfigMgr console, navigate to System Center Configuration Manager > Site Database > Site Management > Your Site Code > Site Settings > Status Filter Rules.  Right-click Status Filter Rules and select New Status Filter Rule.
  29. The purpose of this Status Filter Rule will be to execute the deployment of the latest FEP Definition Update immediately after your SCCM infrastructure does a Software Update Catalog Synchronization.  If this sync occurs once a day, then the Definition Update Deployment will be updated once a day.  On the General Page of the New Status Filter Rule Wizard provide a name for the rule, such as Auto Approve FEP Definitions.  Check the box next to Source and use the drop down to select ConfigMgr Server.  Check the box next to Component and use the drop down to select SMS_WSUS_SYNC_MANAGER.  Check the box next to Message ID and type 6702.  Message ID 6702 is the number ConfigMgr uses when a successful sync of its WSUS catalog occurs.  Finally, click Next.
  30. On the Actions page of the wizard check Run a program.  In the open box use a command similar to the following:
      "C:\Program Files\Microsoft Configuration Manager\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName "FEP 2010" /PackageName "FEP 2010" /RefreshDP "True" /UpdateFilter "ArticleID='2461484' AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"
      Note #1:  Text in RED marks custom values that depend on your environment.  The rest of the command line should stay the same.
      Note #2:  The above example is a 32-bit server.  If you are on a 64-bit server, the path would be changed to Program Files (x86).
      Note #3:  After your /AssignmentName you will want to use the proper Deployment Management name.  For example, if your FEP Deployment Management is named simply "FEP", your command line would use /AssignmentName "FEP" instead of the above "FEP 2010".
      Note #4:  After your /PackageName you will want to use the name of your FEP Deployment Package.  For example, if your Deployment Package has the name "FEP", you would use /PackageName "FEP" instead of "FEP 2010" in the above example.
      Note #5:  To confirm the successful completion of the sync, use the log file at %ProgramData%\SoftwareUpdateAutomation.log for Server 2008 or 2008 R2 and C:\Documents and Settings\All Users\Application Data\SoftwareUpdateAutomation.log for Server 2003.
      When finished, click Next.
  31. In the ConfigMgr console browse to Computer Management > Policies and choose properties on one of the Policies that you have created for your desktops.
  32. In this example we are looking at the Default Desktop Policy Properties.  Go to the Updates tab and check the Use Configuration Manager as the primary source for definition updates option to ensure that clients check Configuration Manager first for their updates!
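
The following PowerShell sketch is an added example, not part of the original post or of Microsoft's tooling. It assembles the "Run a program" command line from steps 27 to 30 for the local server's architecture and locates the log file from Note #5. The parameter names and their default values are assumptions; substitute your own Deployment Management and Deployment Package names.

```powershell
# Added example: build the Status Filter Rule command line (steps 27-30).
# $AssignmentName / $PackageName are hypothetical parameter names; their values
# must match the Deployment Management and Deployment Package you created.
param(
    [string]$AssignmentName = 'FEP 2010',
    [string]$PackageName    = 'FEP 2010'
)

# Step 27: 64-bit servers use %ProgramFiles(x86)%, 32-bit servers use %ProgramFiles%.
$root = ${env:ProgramFiles(x86)}
if (-not $root) { $root = $env:ProgramFiles }
$exe = Join-Path $root 'Microsoft Configuration Manager\AdminUI\bin\SoftwareUpdateAutomation.exe'

# Catch a missed copy step before the rule fires silently against a missing file.
if (-not (Test-Path -LiteralPath $exe)) {
    Write-Warning "SoftwareUpdateAutomation.exe not found at '$exe' (see step 27)."
}

# The names are wrapped in double quotes on the command line, so an embedded
# double quote would split the argument and change what the rule executes.
foreach ($name in $AssignmentName, $PackageName) {
    if ($name -match '"') { throw "Name must not contain a double quote: $name" }
}

# Update filter exactly as given in step 30.
$filter = "ArticleID='2461484' AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"

$command = '"{0}" /AssignmentName "{1}" /PackageName "{2}" /RefreshDP "True" /UpdateFilter "{3}"' -f `
    $exe, $AssignmentName, $PackageName, $filter

Write-Output 'Paste into the Status Filter Rule "Run a program" box:'
Write-Output $command

# Note #5: %ProgramData% exists on Server 2008 / 2008 R2 but not on Server 2003.
$log = if ($env:ProgramData) {
    Join-Path $env:ProgramData 'SoftwareUpdateAutomation.log'
} else {
    'C:\Documents and Settings\All Users\Application Data\SoftwareUpdateAutomation.log'
}

# Show the most recent log entries, if the tool has run at least once.
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log | Select-Object -Last 20
} else {
    Write-Output "No log yet at '$log'; it appears after the first run of the tool."
}
```
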
There are other tools for FEP, mentioned above in this blog, but the above information should give you a good start to setting up the Update Rollup 1.  Comments are always appreciated.  Thank you for reading!