
Errors When Using the FEP 2010 Definition Update Automation Tool from Update Rollup 1

7:07 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, FEP, FEP2010, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2 by Kenny Buntinx [MVP]

We’ve become aware of two issues when using the Definition Update Automation Tool.

 

Definition Update Automation Tool fails to add new definition updates to the deployment package:

Symptoms

The FEP 2010 Definition Update Automation Tool may fail to add new definition updates to your deployment package. Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:

SmsAdminUISnapIn Error: 1 : Unexpected exception: System.ArgumentException: An item with the same key has already been added.
at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SccmUtilities.CalculateCleanupDelta(ConnectionManagerBase connection, ICollection`1 freshUpdateFilesObjectList, IResultObject destinationPackageObject)
at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Update(SoftwareUpdateAutomationArguments arguments)
at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Main(String[] args)

Cause

More than one FEP 2010 definition update is being detected as active by the tool.

Resolution

The following blog article presents workarounds for the issues: http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx

 

Hope it Helps,

Kenny Buntinx

Forefront Endpoint Protection 2010 : Update Rollup 1 available for download

7:29 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, embedded, FEP, FEP2010, Installation, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, WES2009 by Kenny Buntinx [MVP]

Update Rollup 1 for Microsoft Forefront Endpoint Protection 2010 introduces new features and updates. These new features and updates are summarized below.

The following list is a summary of the updates in FEP Update Rollup 1 for server functionality.

Finally, the Forefront team has come up with a solution that has really been missing since the release of the product. The following Microsoft article explains, in a step-by-step guide, how to automatically deploy Forefront Client Security definitions: http://technet.microsoft.com/en-us/library/dd185652.aspx

In this step-by-step guide, they essentially go into the WSUS console to create an Auto-Acceptance rule. First of all, this should make any ConfigMgr admin shiver, as it should have been drilled into your head that you are supposed to do software updates management from the ConfigMgr administrator console. Now, I and many other SCCM admins have never understood why they didn’t solve that in a more elegant manner. The solution works, but it has a couple of major drawbacks.

Additionally, in an environment with multiple distribution points, the actual definition updates will always come from the software update point, whereas normal software updates come from the distribution points. In other words, this impacts scale quite a bit, and Forefront definitions come out at a very frequent pace, meaning they are hitting your software update point harder than anything else.

The main problem is that in SCCM 2007 we have no "easy" way to create an Auto-Approval rule. This will be solved in CM12; until then, for CM07, they will fix that mistake with Update Rollup 1. Soon I will publish a blog post to see if this is a real workable solution. So with Update Rollup 1 you now have a tool that facilitates the use of the Configuration Manager software updates functionality to download FEP definition updates and make them available to client computers running the FEP client software.

In order to use the software updates feature for definition updates, you must perform the following high-level steps:

    • Download and install the Update Rollup 1 package.
    • Configure software updates to download definitions for FEP.
    • Configure the package by which the definition updates will be distributed, and configure the distribution settings for it.
    • Install and configure the FEP Software Update Automation tool.

 

  • Addition of support for the FEP client software for Windows Embedded 7 and Windows Server 2008 Server Core. For more information on the added client support, see Prerequisites for Deploying Forefront Endpoint Protection on a Client.

The following list is a summary of the updates to FEP policies included with Update Rollup 1.

  • Update Rollup 1 for FEP 2010 adds a new FEP policy option to configure definition updates for FEP client computers. After installing Update Rollup 1 for FEP, you can configure FEP policies to update definitions from a Configuration Manager software update point.

    To configure FEP policies to update definitions from a Configuration Manager software update point

    • When you create a new FEP policy or edit an existing FEP policy, the new definition update option appears as follows:

      • When creating a new FEP policy, in the New Policy Wizard, on the Updates page, select the check box for Enable updates from Configuration Manager.
      • When editing an existing FEP policy in a Configuration Manager console on which you installed Update Rollup 1 for FEP, in the properties for the FEP policy, on the Updates tab, select the check box for Use Configuration Manager as primary source for definition updates.
  • Addition of two new preconfigured policy templates for the following server workloads:

    • Microsoft Forefront Threat Management Gateway
    • Microsoft Lync 2010

 

You can download Forefront Endpoint Protection 2010 Update Rollup 1 from the following location: http://www.microsoft.com/download/en/details.aspx?id=26583

 

Hope it Helps,

 

Kenny Buntinx

FEP 2010 with ConfigMgr Integration : Computers are no longer accessible remotely

1:25 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, FE, FEP, FEP2010, Installation, R3, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2 by Kenny Buntinx [MVP]

Hi,

While gradually migrating a customer from Symantec Endpoint Protection to FEP 2010, we encountered the following issue:

After the FEP client has been installed, the computer is no longer remotely accessible, even with RC.exe from System Center Configuration Manager.

Problem Description: In some cases, after the FEP client has been installed, the computer is no longer remotely accessible using any form of remote control utility or Computer Management tools, including but not limited to Windows Computer Management, ConfigMgr Remote Control utility, DameWare, VNC. The cause has been found to be the Windows Firewall/ICS service that cannot be started. When an attempt is made to start the service, the resulting error is: Error 0x80004015: The class is configured to run as a security id different from the caller.

Possible solutions (I say possible because it was linked to our environment):

  • This appears to be the same error as reported in MS Support Article ID 892199, applicable to Windows XP SP2. The FEP client, however, is only installed on XP SP3 machines. When we applied method 1 of the support article on the conflicting machine, the issue was resolved and the machine was remotely accessible again. However, we were not convinced and dug somewhat deeper into it.

 

  • I went with the default descriptor D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

The Authenticated Users group only gets read permissions, not start/stop permissions as I feared, so I’m fine with that. I just left out the Power Users group as it’s not used in our environment.

It is imperative that you test this on one or two systems before rolling it out, and make sure it works well in your environment. I used this KB to identify Local Service and Network Service: http://support.microsoft.com/kb/243330
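The descriptor quoted above can be checked mechanically before it is rolled out. This added example (not part of the original post) decodes each allow ACE with the standard SDDL rights mnemonics as they map to service access rights and lists which trustees can start, stop or reconfigure the service; the function and constant names are illustrative.

```python
import re

# SDDL two-letter rights as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that change service state, configuration or its ACL. CR (custom
# control codes) is service-specific and is not counted here.
CONTROL_RIGHTS = {"CHANGE_CONFIG", "START", "STOP", "PAUSE_CONTINUE",
                  "DELETE", "WRITE_DAC", "WRITE_OWNER"}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "AU": "Authenticated Users", "PU": "Power Users"}

# The descriptor quoted in the post.
POST_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

def parse_service_dacl(sddl):
    """Map each trustee to the rights granted by allow ACEs in the DACL.

    Simplification: deny ACEs and hex access masks raise ValueError.
    """
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("descriptor has no DACL")
    dacl = sddl[start + 2:].split("S:", 1)[0]  # stop at the SACL, if any
    granted = {}
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":
            raise ValueError(f"unsupported ACE: ({ace})")
        rights, sid = fields[2], fields[5]
        codes = re.findall("..", rights)
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"unknown rights string: {rights}")
        names = {SERVICE_RIGHTS[c] for c in codes}
        granted.setdefault(TRUSTEES.get(sid, sid), set()).update(names)
    return granted

def control_rights(granted, trustee):
    """Return the sorted state-changing rights a trustee holds."""
    return sorted(granted.get(trustee, set()) & CONTROL_RIGHTS)

if __name__ == "__main__":
    acl = parse_service_dacl(POST_SDDL)
    for trustee in acl:
        print(f"{trustee}: {control_rights(acl, trustee) or 'read-only'}")
```
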

     

    Hope it Helps,

    Kenny Buntinx

Forefront Endpoint Protection 2010 : RC available today

7:28 am in FEP, FEP2010, ForeFront by Kenny Buntinx [MVP]

The Release Candidate of Forefront Endpoint Protection (FEP) 2010 shipped today and is now available for download here.  FEP was built on Configuration Manager 2007 (R2 and R3 supported), so anyone with Configuration Manager deployed now has the unique ability to deliver desktop security on your existing infrastructure.  That means you’ll have:

– A single console to manage health and protection of user systems

– One server infrastructure to maintain

– A single mechanism to deploy software and updates to clients

– Central policy implementation for security and management

– A single solution that desktop administrators need to be trained on, regardless of role

 

As an added plus, FEP will even detect and remove the most common client antimalware agents currently residing on your current systems to streamline deployment.

Give it a spin and try it out (we do in TAP) …

 

Hope it Helps,

Kenny Buntinx