Archive for the ‘Endpoint Protection’ Category

Errors When Using the FEP 2010 Definition Update Automation Tool

by Michael Cureton

We’ve become aware of two issues when using the Definition Update Automation Tool. This blog article presents workarounds for the issues.

Definition Update Automation Tool fails to add new definition updates to the deployment package



The FEP 2010 Definition Update Automation Tool may fail to add new definition updates to your deployment package. Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:

SmsAdminUISnapIn Error: 1 : Unexpected exception: System.ArgumentException: An item with the same key has already been added.
  at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
  at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
  at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
  at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SccmUtilities.CalculateCleanupDelta(ConnectionManagerBase connection, ICollection`1 freshUpdateFilesObjectList, IResultObject destinationPackageObject)
  at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Update(SoftwareUpdateAutomationArguments arguments)
  at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Main(String[] args)



More than one FEP 2010 definition update is being detected as active by the tool.

More Information

The FEP 2010 Definition Update Automation tool queries WMI (SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1) to get the single active FEP 2010 definition update. The exception happens as a result of more than one update being returned. The tool may detect more than one update as being active when one of the two conditions is TRUE:

  1. One or more FEP 2010 definition updates has been expired but not superseded, OR
  2. One or more FEP 2010 definition updates has been orphaned.

To confirm if you’re experiencing condition #1 or #2, run the below WMI query:

SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0

If the query only returns one row, then you are experiencing condition #1. If two or more rows are returned, you are experiencing condition #2.


Condition #1

If you are experiencing condition #1, you can prevent the symptom by simply adding the /UpdateFilter flag to the command line for the tool (SoftwareUpdateAutomation.exe) with the appropriate values to filter out expired definition updates that are not superseded.

For example:

SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /UpdateFilter “ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0”

Condition #2

If you are experiencing condition #2, you will need to manually decline the orphaned updates via the WSUS administration console. For each update returned from the WMI query that you used to confirm that you have condition #2, double-click on the LocalizedDisplayName property and note the definition version. The update with the highest definition version will be the active one. The update(s) with the lower definition versions have been orphaned.

For example, using the list below, 1.107.713.0 would be the active update and the other two updates are orphaned and would need to be declined manually in WSUS.

Definition Update for Microsoft Forefront Endpoint Protection 2010 – KB2461484 (Definition 1.103.1405.0)
Definition Update for Microsoft Forefront Endpoint Protection 2010 – KB2461484 (Definition 1.105.2231.0)
Definition Update for Microsoft Forefront Endpoint Protection 2010 – KB2461484 (Definition 1.107.713.0)

After you have determined the orphaned update(s) title (and version), load the WSUS snap-in and drill down to the Updates node. On the action pane, click New Update View. Select “Updates are in a specific classification” and “Updates are for a specific product”. In step 2, click any classification and ensure that only Definition Updates is checked. Next click any product and ensure that only Forefront Endpoint Protection 2010 is checked. In step 3, specify a name for the view and click OK.

Locate the created view in the WSUS console. Change the Approval value to “Any Except Declined” and the Status to “Any” and hit Refresh. Click the Title column so that the results are sorted using the version. Find the orphaned update(s) that you identified by version and select the Decline action for each. Once this is complete, you’ll need to wait for the next scheduled Software Update Point (SUP) sync to complete, at which time the updates that you declined will be marked as expired in the ConfigMgr database.

NOTE: Running a manual SUP sync will NOT expire the declined updates. Only a scheduled sync will perform this operation.

Once the sync is complete, you can run the WMI query used to determine condition to confirm that only one row is now returned. You will also need to run the tool going forward using the condition #1 workaround with the /UpdateFilter flag.

Definition Update Automation Tool does not refresh distribution points



The FEP 2010 Definition Update Automation Tool does not refresh distribution points (DPs) by default. Even though the help output for the tool states that /RefreshDP is set by default, it is not.



Add /RefreshDP to the command line for the tool (SoftwareUpdateAutomation.exe). For example:

SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /RefreshDP

Monitoring Forefront Endpoint Protection 2010 – the FEP Dashboard

November 9th, 2010 Comments off

Forefront Endpoint Security 2010 (FEP) Release Candidate was just released. In this post, we will discuss ways for administrators to monitor FEP. There are several monitoring features provided with FEP2010 – this is the first in a series of posts about these monitoring features.

One of the key architecture changes from FCS is FEP’s alignment with System Center Configuration Manager. Configuration Manager provides the platform for client distribution and policy settings, as well as data collection to and from clients.

The FEP Dashboard is an extension to the Configuration Manager console. After deploying the FEP console extension to Configuration Manager (either on the server or on administrator’s laptop), a new node appears in the navigation tree called “Forefront Endpoint Protection” (see Figure 1).


  • Provide a single pane of information to an administrator who needs to know how FEP is doing, as well as a starting point for drill down into FEP features and troubleshooting.
  • Serves as a Launchpad for the administrator to drill down to troubleshooting or other day to day tasks.


Figure 1 – FEP Dashboard

Capabilities of the FEP dashboard (see the labeled figure above):


    1. Computers targeted by FEP: Unlike other security suites, FEP does not require a new discovery mechanism for computers in the organization. Instead, it queries the Configuration Manager database for workstations, laptops and servers (dropping mobile devices). Once discovered, the administrator may decide to protect the clients by creating a software distribution advertisement for collections containing all the clients.
      • Tip: Administrators can open the FEP collections and drill down to the “Deployment\Not Targeted” collection to identify those computers that are going to be unprotected without manual intervention (e.g. creating an advertisement).
      • Tip: The only way to capture administrator’s intention is to have the FEP related advertisement to active (never expire). Make sure you have this checked when creating your own.
    2. Deployment status: Once an administrator starts to deploy FEP on clients, the clients are moved from the “not targeted” collection to one of the following deployment states:
      • Locally Removed – Computers where the FEP client was locally removed either by a user with local administrator permission or by another software (e.g. malware).
      • Failed – Computers for which the FEP client setup program reported a failure.
      • Pending – Computers for which an active Configuration Manager software distribution advertisement is trying to install the FEP client.
      • Out of date – Computers for which the reported FEP version is older than the one installed at the server.
      • Deployed – Computers with FEP client deployed.
    3. Health status: For those computers either in “deployed” or “out of date” state, the FEP dashboard provides additional health information:
      • Protection inactive – The FEP service is reported to be turned off.
      • Not responding – Computers which have not reported for the last 14 days.
      • Healthy – Neither of the above.
    4. Malware activity status: Shows computers with malware activity. FEP surfaces computers with the following infection states:
      • Infected – Computers where FEP could not fully mitigate a malware instance.
      • Restart\Full scan required – Computers where FEP mitigated a malware incident but requires additional action in order to complete the mitigation.
      • Recent activity – Computers where malware was detected and successfully mitigated (within the last 24 hours).
    5. Definition status: Enables administrators to drill down into computers which failed to update their FEP definitions.
    6. Policy distribution: Enables administrators to drill down into computers where Configuration Manager failed to distribute FEP policy.
    7. FEP baselines: Presents administrators with a quick compliance view into the FEP baselines.
      • Tip: Administrators may create their own DCM baselines and use FEP Configuration Items (CIs). In order to add (or remove) baselines to the FEP dashboard, a “FEP” category should be added (or removed) to the baseline.
      • Note: The FEP dashboard is built on top of Configuration Manager collections. Each of the hyperlinks in the FEP dashboard leads to a collection which holds the actual computers sharing the same symptom.

Ziv Rafalovich,
Senior Program Manager