FEP 2010 antimalware definition updates are not deployed as expected via an Automatic Deployment Rule in System Center 2012 Configuration Manager

Article
05/07/2012

Hi everyone, Peter Gallagher here and I wanted to talk about one of the new features in System Center 2012 Configuration Manager (ConfigMgr). The feature is the ability to automatically deploy software updates to clients and it can be utilized to automatically deploy Forefront Endpoint Protection 2010 antimalware definition updates to ConfigMgr clients. For more information on deploying Forefront Endpoint Protection 2010 with Configuration Manager as well as how to create an Automatic Deployment Rule for Forefront Endpoint Protection 2010 antimalware definition updates, please see the following: https://technet.microsoft.com/en-us/library/hh508770.aspx.

The issue I wanted to talk about was one where after following https://technet.microsoft.com/en-us/library/hh508770.aspx, antimalware definition updates may not be automatically deployed to clients as expected.

When this occurs, per the UpdatesDeployment.log and WindowsUpdate.log on the client, other software updates may be deployed successfully, but examining the UpdatesDeployment.log on the client shows that the client is not detecting Forefront Endpoint Protection 2010 as a product. The only indication of an error or problem will be the status of Forefront Endpoint Protection 2010 antimalware definition updates in the Windows Security Center on the client or the Configuration Manager console.

This issue can occur if the product “Forefront Endpoint Protection 2010” is not selected on the Software Update Point Component in Configuration Manager. An Automatic Deployment Rule in System Center 2012 Configuration Manager DOES NOT verify that the corresponding products or classifications that are selected are also selected on the Software Update Point itself.

To resolve this issue perform the following:

1. On the Central Administration Server (CAS), navigate to Administration\Overview\Site Configuration\Sites.

2. In the results pane on the right, highlight the servername that has the type of “CAS”. If you have a single server install, highlight the server listed.

3. In the ribbon at the top, click Configure Site Components and in the dropdown select Software Update Point.

4. Select the Products tab and then place a check next to Forefront Endpoint Protection 2010.

5. Review the Languages/Classifications tabs to ensure that the items selected in the Automatic Deployment Rules are also selected on the properties of the Software Update Point. Click OK when complete. There is no need to manually initiate a synchronization as Configuration Manager will detect a change (step 4 above) and automatically start a synchronization.

Note that this example is specific to Forefront Endpoint Protection 2010 antimalware definition updates, however the process applies to any Automatic Deployment Rule in System Center 2012 Configuration Manager. If a product/classification is selected in an Automatic Deployment Rule, the corresponding product/classification must be selected in the Software Update Point configuration screen.

Peter Gallagher | System Center Support Engineer

Get the latest System Center news on Facebook and Twitter :

The Forefront Server Protection blog: https://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : https://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : https://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: https://blogs.technet.com/b/isablog/
The Forefront UAG blog: https://blogs.technet.com/b/edgeaccessblog/

FEP 2010 antimalware definition updates are not deployed as expected via an Automatic Deployment Rule in System Center 2012 Configuration Manager

Additional resources