ForeFront Client Security

Discussion in 'Update Services' started by Sawyer, Jul 24, 2009.

  1. Sawyer

    Sawyer Guest


    I am running WSUS 3.0 SP1 on Windows 2008. Currently we are using WSUS to
    push patches out to all of our servers, and we are using group policy to
    deploy patches. The GPO is set to 3, "auto download and notify for install".
    We manually go into WSUS and approve the patches that we want the servers to
    get by approving them for a particular group. In WSUS we separate servers
    into groups, and these groups match the OU name the servers are in. We now
    have installed Forefront Client Security and the servers will be getting the
    client from WSUS. When I force the server to check in with the WSUS server
    to force the FFC install, the server will notify the admin on the box that an
    update is available for install, and this is the problem I am running into.
    We have 800 servers, and it would take months if admins had to manually log
    onto the server and manually install the FFC. I know I can automatically
    approve updates, and I have, but this setting doesn't automatically install
    the FFC; it only automatically installs the updates for the client.

    How can I get the main FFC to be automatically installed, while at the same
    time all other security and critical updates need to be manually approved in
    WSUS and the server notifies the admin for install? I can't create multiple
    GPOs, where one GPO is set to 3 and is meant for manual approval in WSUS, and
    another GPO is set to 4, because in WSUS as far as I know machines can't be
    members of multiple groups.

    Thanks for any help on this
    Sawyer, Jul 24, 2009

  2. Set an *expired* deadline on the Forefront Client package, and the Forefront
    Client will be installed immediately upon detection (be careful about
    required system restarts).
    Actually they *can* be members of multiple WSUS target groups, but multiple
    group memberships won't solve this problem. The machine can still only have
    one composite policy configuration applied, and only one AUOptions value
    active -- so your conclusion is valid, even though your reasoning is

    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    Lawrence Garvin [MVP], Jul 24, 2009
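
The expired-deadline approval described in the reply above can be scripted against the WSUS administration API. The following is an added example, not part of the original thread; the target group name and the title search text are placeholders, and it assumes it is run on the WSUS server itself. Without `-Commit` it only lists the matching updates and their reboot behavior.

```powershell
# Added example: approve matching updates for one WSUS target group with a
# deadline that has already passed, so clients install on next detection.
# Assumptions: run locally on the WSUS server; parameter defaults are placeholders.
param(
    [string]$GroupName  = 'Pilot-Servers',             # hypothetical target group
    [string]$TitleMatch = 'Forefront Client Security', # assumed text in the package title
    [switch]$Commit                                     # omit to report only
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Resolve the target group; stop rather than approve for the wrong scope.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Target group '$GroupName' not found" }

# Only current updates: skip anything declined or superseded.
$updates = $wsus.SearchUpdates($TitleMatch) |
    Where-Object { -not $_.IsDeclined -and -not $_.IsSuperseded }

$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$deadline = (Get-Date).AddDays(-1)   # already expired

foreach ($u in $updates) {
    $reboot = $u.InstallationBehavior.RebootBehavior
    '{0}  [reboot: {1}]' -f $u.Title, $reboot

    if (-not $Commit) { continue }

    # An expired deadline also forces any required restart, so skip
    # anything that is not declared as never rebooting.
    if ($reboot -ne 'NeverReboots') {
        Write-Warning "Skipped (may restart the server): $($u.Title)"
        continue
    }
    if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
    [void]$u.Approve($install, $group, $deadline)
}
```

Review the report-only output first and narrow `$TitleMatch` until it lists only the client package, since every update it matches receives the deadline.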

  3. Sawyer

    Sawyer Guest

    Brilliant recommendation; this should do the trick. As far as I know the FFC
    doesn't require a restart even when automatically installed, so I should be
    OK with this, but I will have to test this out in a lab to make sure. Thanks
    Sawyer, Jul 24, 2009
