Automatically Deploying Forefront Endpoint Protection Updates through SCCM

While Forefront Endpoint Protection 2010 (FEP) integrates with System Center Configuration Manager 2007 R2 (ConfigMan) for management and monitoring, out of the box there is no preferred method for pushing definition updates using SCCM's Advertisements.

Out of the box, FEP supports 5 methods of getting updates:

While we have a lot of options, some customers really want to use the Distribution Points and Advertisements in ConfigMan, as they have an existing investment in them and want the most control over network bandwidth.

In the next version of ConfigMan, Microsoft hopes to include options for automatically approving updates, something that WSUS has and ConfigMan does not. Until then, this article addresses one approach that leverages SCCM's existing deployment methods.

Architecture:

To accomplish this with ConfigMan 2007 R2, we follow the architecture below:

Steps 1 and 2: We execute a scheduled script that:

1. Determines the current engine version

2. Determines the current signature version

3. Downloads either a delta update (if the engine and signature have not passed the rebase period) or a full update

4. Copies the downloaded file to a location for ConfigMan

Step 3: On a scheduled basis, we update the remote distribution points with the new update

Step 4: On a scheduled basis, the client (re)runs the Forefront update advertisement

Setup:

While this entire setup could be scripted, part of this article tries to fully explain what is set up and how.

Step 1.   Create the directories C:\FEPUpdates, C:\FEPUpdates\script and C:\FEPUpdates\defs on the Primary Site Server.

Step 2.   In the C:\FEPUpdates\script directory, create the VBS script from Appendix A (it can be downloaded from here <get script>).

Step 3.   Schedule the script to run every 6 hours via the Windows Task Scheduler as shown below (note: because this will be a scheduled task, you will need a service account with a non-expiring password):

Step 4.   Manually run the scheduled task so that your directory structure and files are populated before you set up the program and advertisement in ConfigMan.

Step 5.   Create a package in ConfigMan that updates from the source every 7 hours, as shown below:

Step 6.   Create a program in the above package that runs the command cmd.exe /c "%PROCESSOR_ARCHITECTURE%\mpam-d.exe" as shown below. On the client, %PROCESSOR_ARCHITECTURE% expands to x86 or AMD64, which matches the two subfolders the script creates under the package source:

Step 7.   Schedule a recurring advertisement in ConfigMan that runs every 8 hours, as shown below:
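Because the advertisement above executes whatever mpam-d.exe sits in the package source on every client, it is worth gating that file on its Authenticode signature before it reaches the Distribution Points. The following PowerShell is an added example, not part of the original post or its script; it assumes the download script is pointed at a staging folder (C:\FEPUpdates\staging, my assumption) and that the package source is the C:\FEPUpdates\defs folder from Step 1.

```powershell
# Added example (not the article's own script). Assumed layout: the VBS script
# downloads into C:\FEPUpdates\staging\<arch>\mpam-d.exe; only a file with a
# valid Microsoft Authenticode signature is copied into the package source.

function Test-MicrosoftSigned {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is '$($sig.Status)'"
        return $false
    }
    # 'Valid' only proves the chain verified; also require the leaf certificate
    # to be Microsoft's before trusting the file as a definition update
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'CN=Microsoft Corporation') {
        Write-Warning "$Path : signed, but the signer is '$subject'"
        return $false
    }
    return $true
}

function Publish-FepDefinition {
    param(
        [string]$Staging = 'C:\FEPUpdates\staging',  # assumed download target
        [string]$Source  = 'C:\FEPUpdates\defs'      # package source from Step 1 / Step 5
    )
    $published = @()
    foreach ($arch in 'x86', 'AMD64') {              # same subfolders the script creates
        $candidate = Join-Path (Join-Path $Staging $arch) 'mpam-d.exe'
        if (-not (Test-Path -LiteralPath $candidate)) { continue }

        if (Test-MicrosoftSigned -Path $candidate) {
            $destDir = Join-Path $Source $arch
            New-Item -ItemType Directory -Path $destDir -Force | Out-Null
            Copy-Item -LiteralPath $candidate -Destination (Join-Path $destDir 'mpam-d.exe') -Force
            $published += $arch
        } else {
            # Rejected file stays in staging for investigation; the package source
            # keeps the last good copy, so clients continue to get a signed file.
            Write-Warning "$arch : package source not updated"
        }
    }
    return $published   # architectures whose package source was refreshed
}

Publish-FepDefinition
```

Run it from the same scheduled task, after the download script and before the package's next source refresh, so a rejected file never makes it onto a Distribution Point.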

Appendix A – Download script

    ' Forefront Endpoint Protection 2010 Delta Definition Download

    ' Customer needs to modify these for the local environment
    '================================================================================================
    strRootLocation = "C:\FEPUpdates\Defs"                   ' root of the folder structure for updates; x86 and AMD64 subfolders are created under it
    strLogFile = "C:\FEPUpdates\script\DefDownloadv5.log"    ' full path of the log file; the folder must already exist
    strLogData = ""
    '================================================================================================

    ' Constants: do not modify the values in this area
    '================================================================================================
    Const ForReading = 1, ForWriting = 2, ForAppending = 8, WindowsFolder = 0
    Const TristateUseDefault = -2, TristateTrue = -1, TristateFalse = 0
    Const adTypeBinary = 1, adSaveCreateOverWrite = 2
    '================================================================================================

    LogToEventLog = True
    strSigNameDelta = "mpam-d.exe"
    ' Current engine and signature versions are read from the Microsoft Antimalware keys on the machine running this script
    AVDelta = reduceByOne(ReadReg("HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\AVSignatureVersion"))
    ASDelta = reduceByOne(ReadReg("HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\ASSignatureVersion"))
    Engine  = ReadReg("HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\EngineVersion")
    strMSEx86URLDelta = "http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=" & Engine & "&avdelta=" & AVDelta & "&asdelta=" & ASDelta
    strMSEx64URLDelta = "http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=" & Engine & "&avdelta=" & AVDelta & "&asdelta=" & ASDelta

    '=============== Log file setup =======================================
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If Not objFSO.FileExists(strLogFile) Then
        objFSO.CreateTextFile strLogFile
        Set fileObj = objFSO.GetFile(strLogFile)
        Set logStream = fileObj.OpenAsTextStream(ForAppending, TristateUseDefault)
        logStream.WriteLine Now & " " & "Log file created and opened"
    Else
        Set fileObj = objFSO.GetFile(strLogFile)
        Set logStream = fileObj.OpenAsTextStream(ForAppending, TristateUseDefault)
    End If
    '=============== End log file setup ===================================

    '======================================================
    '= Sub to download and save the files
    '= __in objConnection  WinHttpRequest object
    '= __in strURL         the URL of the file to download
    '= __in Path           the root folder to save under (x86 or AMD64 is appended)
    '= __in FileName       name of the file to be saved
    '= __in logfile        not used; kept for call compatibility
    Sub DownloadDefs(objConnection, strURL, Path, FileName, logfile)
        ' turn on error handling (scoped to this procedure)
        On Error Resume Next
        ' copy Path to a temp variable to manipulate
        strPath = Path

        ' check whether the x86 or x64 URL was passed and pick the matching subfolder;
        ' the folder names match %PROCESSOR_ARCHITECTURE% on the clients, which the ConfigMan program relies on
        Set regEx = New RegExp
        regEx.Pattern = "x86"
        regEx.IgnoreCase = True
        regEx.Global = False

        If regEx.Test(strURL) Then
            strPath = strPath & "\" & "x86"
        Else
            strPath = strPath & "\" & "AMD64"
        End If

        LogData " > Download of " & strURL & " started at: " & Now
        objConnection.Open "GET", strURL, False
        If Err.Number <> 0 Then
            LogData Now & " " & "Error # " & CStr(Err.Number) & " " & Err.Description & " Source: " & Err.Source
            Err.Clear
            Exit Sub
        End If
        objConnection.Send
        If Err.Number <> 0 Then
            LogData Now & " " & "Error # " & CStr(Err.Number) & " " & Err.Description & " Source: " & Err.Source
            Err.Clear
            Exit Sub
        End If

        ' check that the download was successful before moving on
        If objConnection.Status = 200 Then
            Set objADOStream = CreateObject("ADODB.Stream")
            objADOStream.Open
            objADOStream.Type = adTypeBinary

            objADOStream.Write objConnection.ResponseBody
            objADOStream.Position = 0    ' set the stream position to the start

            Set m_objFSO = CreateObject("Scripting.FileSystemObject")
            ' create the architecture subfolder if it does not exist yet
            If Not m_objFSO.FolderExists(strPath) Then m_objFSO.CreateFolder strPath
            strCompletePath = strPath & "\" & FileName
            ' delete any previous copy of the file
            If m_objFSO.FileExists(strCompletePath) Then m_objFSO.DeleteFile strCompletePath
            If Err.Number <> 0 Then
                LogData Now & " " & "Error # " & CStr(Err.Number) & " " & Err.Description & " Source: " & Err.Source
                Err.Clear
                Exit Sub
            End If

            objADOStream.SaveToFile strCompletePath, adSaveCreateOverWrite
            If Err.Number <> 0 Then
                LogData Now & " " & "Error # " & CStr(Err.Number) & " " & Err.Description & " Source: " & Err.Source
                Err.Clear
            End If
            objADOStream.Close
            LogData " >> " & strCompletePath & " successfully downloaded at: " & Now
        Else
            ' a non-200 response is logged rather than silently ignored
            LogData " >> Download of " & strURL & " failed with HTTP status " & objConnection.Status & " at: " & Now
        End If
        ' cleanup
        strCompletePath = ""
        strPath = ""
        Set objADOStream = Nothing
        Set m_objFSO = Nothing
    End Sub

    ' Decrements the third field of a four-part version string, e.g. 1.95.1234.0 becomes 1.95.1233.0;
    ' the result is passed as the avdelta/asdelta value in the download URL
    Function reduceByOne(versionnumber)
        versionnumberSplit = Split(versionnumber, ".")
        reduceByOne = versionnumberSplit(0) & "." & versionnumberSplit(1) & "." & (versionnumberSplit(2) - 1) & "." & versionnumberSplit(3)
    End Function

    ' Writes one line to the log file and, if enabled, buffers it for the event log entry
    Sub LogData(mydata)
        logStream.WriteLine mydata
        If LogToEventLog Then strLogData = strLogData & vbCrLf & mydata
    End Sub

    ' Writes the buffered log text as a single entry in the Application event log
    Sub WriteToEventLog()
        Set WshShell = WScript.CreateObject("WScript.Shell")
        WshShell.LogEvent 0, strLogData    ' 0 = SUCCESS event type
    End Sub

    Function ReadReg(RegPath)
        Dim objRegistry, Key
        Set objRegistry = CreateObject("WScript.Shell")
        Key = objRegistry.RegRead(RegPath)
        ReadReg = Key
    End Function

    '=======================================================================================
    '=== Main program body
    '=======================================================================================

    ' turn on error handling for the main program body
    On Error Resume Next

    ' create the WinHTTP object used to retrieve the file
    Set objWinHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")

    LogData " "
    LogData "==================== " & Now & " Download Session started ===================="

    DownloadDefs objWinHTTP, strMSEx86URLDelta, strRootLocation, strSigNameDelta, logStream
    DownloadDefs objWinHTTP, strMSEx64URLDelta, strRootLocation, strSigNameDelta, logStream

    LogData "===================== " & Now & " Download Session ended ====================="

    If LogToEventLog Then WriteToEventLog

    ' clean up
    logStream.Close
    Set objFSO = Nothing
    Set objWinHTTP = Nothing

Author:

Kevin Saye, Security Technical Specialist – Microsoft
