Deploying FCS definition updates with a shared System Center Configuration Manager WSUS infrastructure

Applies To: Forefront Client Security

Published: October 2008

Author: Kevin Colby, Secure Vantage Technologies Inc.

Overview

In an enterprise environment using Microsoft Forefront Client Security (FCS), it is important to be able to deploy antimalware (antivirus and antispyware) definition updates quickly and reliably throughout the organization. FCS does this by leveraging Windows Server Update Services (WSUS), which Microsoft System Center Configuration Manager 2007 also leverages. FCS uses the WSUS engine to deliver definition updates to every client it manages, whereas Configuration Manager uses WSUS to supply update metadata to the scanning engine on Configuration Manager clients, which in turn drives Configuration Manager software updates.

When a customer already has a Configuration Manager infrastructure in place, FCS must use that same WSUS infrastructure, because the local Windows Update Agent can be assigned to only one WSUS server at a time. The WSUS infrastructure therefore becomes a shared resource for both FCS and Configuration Manager.

This document provides guidance on how to configure FCS definition updates to use an existing Configuration Manager WSUS infrastructure while keeping both Configuration Manager and FCS working correctly side by side. Note that this guide does not cover the reverse case of adding Configuration Manager to an existing FCS WSUS infrastructure.

Note

Customers using Configuration Manager must leverage their existing WSUS infrastructure hierarchy to manage FCS definition updates, as the Windows Update Agent can only be assigned to a single WSUS server.

FCS definition updates

The goal of this document is to provide guidance for automatically deploying your FCS definition updates using the WSUS infrastructure shared with Configuration Manager for software updates. The guide details how to configure the shared WSUS server to download, approve, and distribute FCS definition updates. The end result of following this guide is that all FCS clients retrieve their definition updates through an existing Configuration Manager WSUS server (software update point).

This document assumes that you have a functional Configuration Manager software update infrastructure. For information about deploying Configuration Manager, see Planning and Deploying the Server Infrastructure for System Center Configuration Manager 2007 (https://technet.microsoft.com/en-us/library/bb680397.aspx).

This document also assumes that all FCS management roles and clients, except for the Distribution Server role, are deployed within the organization. For information about deploying FCS, see Deployment (https://technet.microsoft.com/en-us/library/bb404259.aspx).

Note

Configuration Manager plays no specific role in the definition update process; all definition updates are managed through WSUS. Internet-facing clients can obtain definition updates from the WSUS infrastructure only while they are connected to the intranet.

Microsoft supported configurations

Refer to Supported configurations for using WSUS to distribute Forefront Client Security Definition updates within System Center Configuration Manager 2007 (https://support.microsoft.com/default.aspx/kb/958491) for supported FCS and Configuration Manager shared configurations. At the time of publication, the following scenarios are officially supported by Microsoft:

  • Supported configurations of FCS v1 and System Center Configuration Manager 2007

    • Configuration Manager 2007 and FCS 1.0

      • With WSUS 3.0

      • On Windows Server 2003 Service Pack 2 (SP2) x86-based systems

      • For 25,000 clients per WSUS server, without network load balancing

    • Configuration Manager 2007 SP1 and FCS 1.0

      • With WSUS 3.1

      • On Windows Server 2003 SP2 x86-based systems

      • For 25,000 clients per WSUS server, without network load balancing

    • Configuration Manager 2007 SP1 and FCS 1.0 SP1

      • With WSUS 3.1

      • On Windows Server 2008 x86-based systems or Windows Server 2003 SP2 x86-based systems

      • For 25,000 clients per WSUS server, without network load balancing

Prerequisites

The following list represents the general configuration requirements to support this integration:

  • WSUS 3.0 or WSUS 3.1

  • FCS distribution component not deployed

  • The SQL Server instances hosting the Configuration Manager, FCS, and WSUS databases must use a case-insensitive collation

  • WSUS and the Configuration Manager software update point must be located on the same computer, as required for Configuration Manager deployment. For more information, see How to Add the Software Update Point Site Role to a Site System (https://technet.microsoft.com/en-us/library/bb680313.aspx).

  • There must be no Group Policy objects (GPOs) forcing the selection of a specific WSUS server if you have Configuration Manager clients that roam between Configuration Manager sites. If a GPO enforces a WSUS server that is not the current site's software update point, software updates will not function properly.
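
The following PowerShell script is an added example (not part of the original article) that checks a Configuration Manager client for the GPO conflict described in the last prerequisite. Both a domain GPO and the Configuration Manager client's local policy write the WSUS assignment to the same WindowsUpdate policy key, and the domain GPO wins; the script compares what is there against the site's software update point. The $ExpectedSup value is an assumption; substitute your site's software update point URL.

```powershell
# Added example, not from the original article. Run on a Configuration Manager 2007 client
# (elevated) to detect a domain GPO pinning the Windows Update Agent to a WSUS server other
# than the site's software update point. $ExpectedSup is an assumption: use your site's SUP.
function Test-WsusAssignment {
    param([string]$ExpectedSup = "http://SUP01.contoso.com:80")

    # Both the domain GPO and the Configuration Manager client's local policy land in this key;
    # a domain GPO wins, which is exactly the conflict the prerequisite warns about.
    $pol      = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $wuServer = (Get-ItemProperty -Path $pol      -Name WUServer    -ErrorAction SilentlyContinue).WUServer
    $useWu    = (Get-ItemProperty -Path "$pol\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    if (-not $wuServer -or $useWu -ne 1) {
        return "NONE: no WSUS server assigned yet (the Software Updates client agent may not have applied its local policy)."
    }
    if ($wuServer.TrimEnd("/") -ne $ExpectedSup.TrimEnd("/")) {
        return "CONFLICT: WUServer is $wuServer, expected $ExpectedSup. A domain GPO is probably overriding the site's software update point."
    }
    return "OK: WUServer = $wuServer"
}

Test-WsusAssignment

# The Configuration Manager client records the same conflict in WUAHandler.log whenever its
# local policy is overridden. This path is for 32-bit clients; on x64 clients the logs are
# under SysWOW64\CCM\Logs.
$log = Join-Path $env:windir "system32\CCM\Logs\WUAHandler.log"
if (Test-Path $log) {
    Select-String -Path $log -Pattern "overwritten by a higher authority" | Select-Object -Last 3
}
```

A CONFLICT result on a roaming client means the GPO must be removed or its scope narrowed before proceeding; the Configuration Manager software updates client agent cannot repoint the Windows Update Agent while a domain policy sets WUServer.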

Configuration

The configuration process consists of five basic steps. In environments with multiple Configuration Manager software update points, some of the steps must be repeated:

  • Step 1 should be performed at the top level of each Configuration Manager hierarchy within your environment.

  • Steps 3 and 4 must be completed on all software update points within the hierarchy.

To configure FCS definition updates to use an existing Configuration Manager WSUS infrastructure

  1. In the Configuration Manager console, update the WSUS updates synchronization settings on the Configuration Manager software update points in order to include the FCS definition updates. This is done as a precautionary measure only to ensure that Configuration Manager does not attempt to change the synchronization settings later configured in WSUS. All updating of the FCS definitions will be done through the WSUS instance attached to the Configuration Manager site. This step should be completed at the top site in each Configuration Manager hierarchy within your environment. Do the following:

    Note

    It is recommended that you limit the number of WSUS updates to only the types that are needed, including update categories, products, and languages. Synchronizing unnecessary updates may consume resources unnecessarily and impact the performance on all site servers and software update points within the Configuration Manager hierarchy. For more information about software update synchronization in Configuration Manager, see About Software Updates Synchronization (https://technet.microsoft.com/en-us/library/bb632485.aspx).

    1. Launch the Configuration Manager console.

    2. Navigate to Component Configuration.

    3. Right-click the Software Update Point Component, and then click Properties.

    4. On the Properties dialog box, click the Classifications tab, and then verify that Definition Updates is selected.

    5. Click the Products tab, ensure that the Forefront Client Security check box is selected, and then click OK.

  2. Close the Configuration Manager console, and then open the Windows Server Update Services 3.0 or 3.1 console.

  3. Create an automatic approval rule that approves every update in the Definition Updates classification as soon as it is synchronized. This ensures that your FCS clients get definition updates as quickly as possible and with the least administrative overhead. This step should be completed on every Configuration Manager software update point in your environment. Do the following:

    Note

    It is important that the automatic approval rule include only the Definition Updates classification; otherwise WSUS would approve software updates that must be deployed only through Configuration Manager. For more information about automatic approval rules, see Approving the Updates (https://technet.microsoft.com/en-us/library/cc708474.aspx).

    1. Open the Microsoft Windows Server Update Services console.

    2. Click the Options node.

    3. Open the Automatic Approvals dialog box, and then click New Rule.

    4. On the Add Rule dialog box, select the When an Update is in a Specific Classification check box.

    5. Click Any Classification.

    6. On the Choose Update Classifications dialog box, clear any selected check boxes, select the Definition Updates check box, and then click OK.

    7. Click OK to accept All Computers as the target for the automatic approval rule.

      Note

      You may alter the Targeted computers, but it is recommended that you accept the default of All Computers.

    8. Specify a name for the rule, e.g. “FCS Definition Update Auto-Approval”.

    9. Click OK to accept the new rule after verifying the settings.

    10. On the Automatic Approvals dialog box, click OK to exit and apply the new rule.

  4. Configure an automatic synchronization schedule in WSUS that matches the timing you want for definition updates. This is done in WSUS rather than in Configuration Manager to minimize the impact on the Configuration Manager hierarchy: if the synchronization schedule were accelerated in Configuration Manager instead, every downstream site would have to synchronize not only its WSUS instance but also the site server with the WSUS database, which may be undesirable. For more information about the software update point synchronization schedule, see Planning for the Software Update Point Settings (https://technet.microsoft.com/en-us/library/bb694108.aspx). This step should be completed on every Configuration Manager software update point in your environment. Do the following:

    1. In the WSUS console, navigate to the Options node.

    2. Open the Synchronization Schedule dialog box.

    3. Configure a synchronization schedule that best matches your needs, keeping in mind that definition updates may be released as many as three times per day. For more information about FCS definition updates and performance planning, see Definition updates and performance (https://technet.microsoft.com/en-us/library/bb418846.aspx).

    4. Click OK to exit the dialog box.

  5. Validate that definition updates are being deployed in your environment as expected. For more information, see Ensuring that updates were deployed (https://technet.microsoft.com/en-us/library/bb418786.aspx).
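
The following PowerShell script is an added example (not part of the original article) that performs the WSUS side of steps 3 to 5 with the WSUS 3.0/3.1 administration API (Microsoft.UpdateServices.Administration) instead of the console. It first reads, without changing, the subscription that step 1 leaves under Configuration Manager's control, then creates the Definition Updates approval rule, sets the WSUS synchronization schedule, and reports the approval and installation state of the newest FCS definition update. Run it on the software update point in an elevated session as a member of the local WSUS Administrators group. The rule name, synchronization times, and default-port connection are assumptions.

```powershell
# Added example, not from the original article: the WSUS side of steps 3 to 5 done
# with the WSUS 3.0/3.1 administration API instead of the console. Run on the
# software update point, elevated, as a member of the local WSUS Administrators group.
# Rule name, sync times and the default-port local connection are assumptions.
[Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
$NS   = "Microsoft.UpdateServices.Administration"
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()   # local WSUS, default port

# Step 1 belongs to Configuration Manager, so the subscription is only READ here.
# If either entry is missing, fix it on the Software Update Point Component in the
# Configuration Manager console, not in WSUS, or Configuration Manager will revert it.
$sub      = $wsus.GetSubscription()
$defClass = $sub.GetUpdateClassifications() | Where-Object { $_.Title -eq "Definition Updates" }
$fcsProd  = $sub.GetUpdateCategories()      | Where-Object { $_.Title -eq "Forefront Client Security" }
if (-not $defClass -or -not $fcsProd) {
    throw "Select 'Definition Updates' and 'Forefront Client Security' on the Software Update Point Component first (step 1)."
}

# Step 3: one automatic approval rule, scoped to the Definition Updates classification ONLY
# and targeted at All Computers. A wider classification list would approve software
# updates behind Configuration Manager's back.
$ruleName = "FCS Definition Update Auto-Approval"
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }

$classes = New-Object "$NS.UpdateClassificationCollection"
$classes.Add($defClass) | Out-Null
$rule.SetUpdateClassifications($classes)

$groups       = New-Object "$NS.ComputerTargetGroupCollection"
$allComputers = $wsus.GetComputerTargetGroup([Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers)
$groups.Add($allComputers) | Out-Null
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# Step 4: let WSUS pull from Microsoft Update on its own schedule. Definitions can ship
# up to three times a day, so three syncs spread over the day keep the lag to a few hours.
# The time of day is interpreted as UTC by the API.
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-Object TimeSpan(3, 0, 0)
$sub.NumberOfSynchronizationsPerDay    = 3
$sub.Save()

# Step 5: is the newest FCS definition approved, and how far has it rolled out?
$scope = New-Object "$NS.UpdateScope"
$scope.Classifications.Add($defClass) | Out-Null
$latest = $wsus.GetUpdates($scope) |
    Where-Object { ($_.ProductTitles -contains "Forefront Client Security") -and -not $_.IsDeclined } |
    Sort-Object CreationDate -Descending | Select-Object -First 1
if (-not $latest) { throw "No FCS definition update has been synchronized yet; run a synchronization and rerun this check." }

"{0}`n  arrived={1:u}  approved={2}" -f $latest.Title, $latest.CreationDate, $latest.IsApproved
$latest.GetUpdateInstallationInfoPerComputerTarget((New-Object "$NS.ComputerTargetScope")) |
    Group-Object UpdateInstallationState |
    Select-Object Name, Count
```

Automatic approval rules act on updates that arrive after the rule is saved, so approve any definition updates already sitting in WSUS once by hand (or with the console's Run Rule option where it is available). The installation-state summary at the end is the quickest way to spot clients stuck at NotInstalled or Failed after a definition release; an approved update that shows no Installed clients after a synchronization cycle usually points back to the GPO conflict listed under Prerequisites.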

Note

While Configuration Manager plays no role in FCS definition updates, it can be used to automate FCS agent deployments and patches and, through its desired configuration management feature, to assess the configuration of FCS clients.