Hello again --
As mentioned in Part 1, this is a new solution for deploying Forefront definition updates via ConfigMgr.
Some of the advantages of this new solution over WSUS or previous ConfigMgr/SMS 2003 are -
* Utilizes ConfigMgr Distribution Points and does not require additional WSUS and SUP Points.
* Does a delta copy from the distribution point to the ConfigMgr client. Usually this will be 2mb or less.
* Intelligently determines if the DP being run from is BITS enabled or SMB only. Uses BITS to transfer if available.
* Leverages the advanced reporting capabilities of ConfigMgr to report on deployment status. There are multiple success messages like ‘Initiated download via BITS’, ‘Copied via SMB and updated’, and ‘Already up to date’.
Part 1 focused on the background of the problem and an overview of the available solutions. Part 2 is a step-by-step, in-depth walkthrough of how to set this up in your environment.
Please note that this solution requires Microsoft System Center Configuration Manager but is not supported by Microsoft whatsoever.
I also want to note that this solution is based in concept on, and improves upon, the SMS 2003 solution created by Yaniv and posted at http://blogs.microsoft.co.il/blogs/yanivf/archive/2008/02/24/updating-forefront-client-security-definitions-using-sms2003.aspx.
The DefinitionUpdate.vbs in particular was modified, but is largely Yaniv’s work.
Setting up the Solution
1. Extract the FCSDEF zip to a packages folder on your site server. Your folder structure should look something like \FCSDEF\Definitions with two sub folders… x86 and x64. In the FCSDEF Folder is a definitionsdownload.vbs.
2. You may schedule the definitionsdownload.vbs with task scheduler and there is an example on Yaniv’s site on how to do this, or set it up to run as an advertisement via ConfigMgr. To set it up to run via ConfigMgr create a package called “ForeFront x86 Definitions” on your ConfigMgr Site Server. It should be modified from the defaults like so:
a. Set the data source to be the FCSDEF\Definitions\x86 folder.
b. Make sure to enable ‘binary differential replication’.
c. Set the Distribution Points to Update on a schedule. The schedule should be every 12 hours starting at 11:00PM.
d. On the Reporting Tab – set the mif file name to: “FOREFRONTDEFS”. This will enable enhanced reporting capabilities that we’ll review later.
e. Leave the other settings as default and click ok.
3. Next we need to create 2 programs for our package – a Synchronization program and a Client Definition Update program.
a. Create a new program and title it “Syncronize Definition Updates with Microsoft”. Set the command line to be definitiondownload.vbs, and the ‘start in’ the path to your FCSDEF folder containing the .vbs. On the Environment Tab set it to run ‘Whether or not a user is logged on’. On the Advanced Tab suppress program notifications. Click Ok. This program will be used to schedule the definition update synchronization from Microsoft.
b. Create another program and title it ‘Update x86 Definitions’. Set the command line to fcs-def2.exe and the run to hidden. Set the maximum allowed run time to 15 minutes and the environment to ‘whether or not a user is logged on’. On the Advanced Tab suppress program notifications and Click Ok.
4. Now that your x86 Definition package is created, you may follow the same steps for the x64 package with the following modifications.
a. You won’t need to repeat step 3-A.
b. You will need to copy the files in the x86 folder to the x64 folder.
5. Create an advertisement for the ‘Syncronize Definition Updates with Microsoft’ program.
a. Create a collection containing your site server.
b. Target the advertisement to this collection.
c. Schedule your advertisement to recur every 12 hours, starting 15 minutes before the time set in step 2-C.
d. Set the program re-run behavior to always re-run.
e. Set the advertisement to always run from distribution point.
6. Create a collection for systems with Forefront installed. Here’s the WQL for the collection:
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft Forefront Client Security%"
7. Create sub-collections for x86 and x64 systems and limit them to the collection created in step 6.
x86 example:
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_COMPUTER_SYSTEM.SystemType = "X86-based PC"
x64 example:
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_COMPUTER_SYSTEM.SystemType = "x64-based PC"
9. When the advertisement runs on a system you will notice a FCSDEFCache folder created in Windows\Temp and a new log file in the FCSDEFCache folder indicating status.
You may now use web reporting to track the status of your definition updates. Here’s what one of my custom reports looks like:
Here’s the sample report SQL that will give you more information than the default ‘Status of a specific advertisement’ report:
declare @Total int
declare @Accepted int
select @Total=count(*), @Accepted=sum(case LastState when 0 then 0 else 1 end)
from v_ClientAdvertisementStatus
where AdvertisementID=@AdvertID
select LastAcceptanceStateName as C013, count(*) as C015,
ROUND(100.0*count(*)/@Total,1) as C016,
AdvertisementID
from v_ClientAdvertisementStatus
where AdvertisementID=@AdvertID
group by LastAcceptanceStateName, AdvertisementID
select LastStateName as C017, LastExecutionResult, count(*) as C015,
ROUND(100.0*count(*)/@Accepted,1) as C016,
AdvertisementID
from v_ClientAdvertisementStatus
where AdvertisementID=@AdvertID and LastState!=0
group by LastStateName, LastExecutionResult, AdvertisementID
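The summary report above gives counts per state; for antivirus definitions it also helps to see which machines are behind. The following query is an added example, not part of the original post: it lists clients targeted by the definition-update advertisement that have not reported success within a chosen window. The `@MaxAgeHours` variable is hypothetical, and the join to `v_R_System`, the `LastStatusMessageIDName` and `LastStatusTime` columns, the 'Succeeded' state name and UTC timestamps are assumptions about the ConfigMgr reporting views.

```sql
-- Added example, not from the original post.
-- Lists clients whose definition-update advertisement has failed, never
-- reported, or last reported longer ago than @MaxAgeHours.
-- @AdvertID is the same report prompt used in the query above.
-- @MaxAgeHours is a hypothetical threshold; 24 assumes the 12-hour
-- schedule from the setup steps, i.e. two missed cycles.
declare @MaxAgeHours int
set @MaxAgeHours = 24

select rs.Name0                                          as ComputerName,
       cas.LastStateName,
       cas.LastStatusMessageIDName,
       cas.LastExecutionResult,
       cas.LastStatusTime,
       -- Assumption: status times are stored in UTC.
       datediff(hour, cas.LastStatusTime, getutcdate())  as HoursSinceStatus
from v_ClientAdvertisementStatus cas
inner join v_R_System rs on rs.ResourceID = cas.ResourceID
where cas.AdvertisementID = @AdvertID
  and (   cas.LastStateName <> 'Succeeded'   -- failed, waiting, no status
       or cas.LastStatusTime is null         -- never reported
       or cas.LastStatusTime < dateadd(hour, -@MaxAgeHours, getutcdate()))
order by cas.LastStatusTime                  -- oldest (or never) first
```

Run it once per advertisement (x86 and x64); machines that stay on this list across several cycles are the ones running on stale definitions.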
And that's that - enjoy
4 comments:
Where is the fcs-def2.exe located? I can't seem to find it.
Ah yes... here is the link to those.
http://www.systemcentertools.com/resources/FCSDef.zip
This works well - except that I have a 64bit issue.
Our SCCM server is 32bit installation of 2k3 R2. When it attempts to extract the mpam-fex64.exe it flags a 64bit error.
Is there anywhere to download the updates in an extracted format? Or will I have to set up some sort of scheduled batch extract on a 64bit server to do this??
Thanks in advance for any advice on this one. Great tips! Keep them coming.
Andy Bradley
abradley@reawire.com
http://drewsrambling.blogspot.com/