Monthly Archives: March 2012

Create A Dynamic Collection Containing The Last PC Used By The Member Of An Active Directory Group

During a recent project to roll out Windows Updates using System Center Configuration Manager 2007 R2 (SCCM) I wanted to deploy updates to a user group.  Unfortunately, SCCM will only deploy Windows Updates to a collection that contains computers, not users.  I used the query below to create an SCCM collection that contains the computer last logged onto by each member of a given Active Directory group.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_COMPUTER_SYSTEM.UserName in (select UniqueUserName from SMS_R_User where SMS_R_User.UserGroupName = "DOMAIN\\GROUPNAME")

To use the query, follow the steps below.  Note that the query matches on the last logged-on user recorded in hardware inventory, so a computer is only included once inventory has reported that user, and the collection should be set to update on a schedule.

Firstly, start the New Collection wizard, enter a name and click Next.

Click on the button highlighted in yellow below.

Enter a name and click Edit Query Statement.

Paste in the query, replacing the domain and group name with your own.  Click OK and finish the wizard.

Find Collections With Maintenance Windows in System Center Configuration Manager 2007 R2

If you need a list of System Center Configuration Manager (SCCM) collections with maintenance windows, run this query against the SCCM site database using SQL Server Management Studio.

SELECT C.Name, C.Comment, SW.Description, SW.StartTime, SW.Duration
FROM v_ServiceWindow SW
JOIN v_Collection C ON C.CollectionID = SW.CollectionID
ORDER BY C.Name

Pending File Rename Workaround

If you need to install an update or some software, but are told you cannot because of a pending file rename, first of all reboot the PC or server.  If this fails you can force the install by renaming the "PendingFileRenameOperations" value under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.  Just rename it to something like "PendingFileRenameOperationsOLD" and your update should install.  Bear in mind that the value lists file moves and deletions the previous installer asked for on the next boot; renaming it means those operations are never carried out, so check what is listed before you do it.
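The following PowerShell is an added example and not part of the original post.  It lists the operations queued in PendingFileRenameOperations so you can see what the workaround will discard, then performs the rename the post describes.  The key path and value name are the ones given above; the "OLD" suffix is the post's own suggestion.  It must be run from an elevated session.

```powershell
# Added example, not from the original post. Run as Administrator.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name    = 'PendingFileRenameOperations'

$item = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Host "No $name value present; nothing is blocking the install."
    return
}

# The value is a REG_MULTI_SZ of source/destination pairs. An empty
# destination means the source file is scheduled for deletion at boot.
$entries = @($item.$name)
for ($i = 0; $i -lt $entries.Count; $i += 2) {
    $src = $entries[$i]
    $dst = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
    if ([string]::IsNullOrEmpty($dst)) {
        Write-Host "DELETE  $src"
    } else {
        Write-Host "RENAME  $src -> $dst"
    }
}

# Renaming rather than deleting keeps the list available for reference.
Rename-ItemProperty -Path $keyPath -Name $name -NewName "${name}OLD"
Write-Host "Renamed $name to ${name}OLD; retry the install."
```

Review the DELETE and RENAME lines before running the install: if they belong to an update that was only half applied, a reboot (so the operations actually run) is the safer fix.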

Configure ForeFront Endpoint Protection 2010 with System Center Configuration Manager 2007 R2

These are brief notes on how to configure ForeFront Endpoint Protection (FEP) 2010 to work with System Center Configuration Manager (SCCM) 2007 R2 and set the FEP client to receive definition updates from the SCCM server.

Install the FEP 2010 prerequisites on the SCCM server: http://technet.microsoft.com/en-us/library/ff823830.aspx

Install FEP on the server.  I chose a Basic installation as I wanted all components to install on to the SCCM server.

I wanted the FEP updates to be controlled by SCCM, so I installed this hotfix: http://support.microsoft.com/kb/2597508

Next I downloaded the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1: http://blogs.technet.com/b/clientsecurity/archive/2011/11/03/how-to-use-the-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx

Follow the instructions at the link above under the section "How to Configure Configuration Manager for Forefront Endpoint Protection Update and Create Deployment Package and Assignment".  This creates a Deployment Package and Assignment to install the FEP definition updates.

To schedule the update of the FEP definition package with the latest definitions, follow the instructions under the section "How to Use Definition Update Automation Tool with Task Scheduler".

Open your FEP policy and in the Updates tab tick "Use Configuration Manager as the primary source of definition updates".

As I configured the FEP updates to be controlled by SCCM, when the FEP client is first installed the icon turns red because the definitions are out of date.  If you leave the client, it will eventually have the latest definitions pushed to it by SCCM.  However, I wanted to have protection from the moment of installation.  In order to get this working I enabled automatic approval of the FEP updates within WSUS.  Using the FEP policy you're able to tell FEP to go to WSUS for updates if the definitions are older than x days.

To configure WSUS, open the WSUS console from Administrative Tools and navigate to Options.  Open Automatic Approvals, click New Rule and configure it as shown below.  WSUS will now automatically download FEP updates and they'll be available to FEP clients via the policy.


If you still have issues with the FEP client updating after installation, e.g. when deploying as part of an SCCM operating system task sequence, you can force a definition update from a file share.  Set up a script to download the definitions to a share and schedule it to run daily using Task Scheduler.  These two posts provide information on how to create the script: http://blogs.technet.com/b/clientsecurity/archive/2010/09/16/using-a-script-to-automate-unc-definition-updates.aspx and http://technet.microsoft.com/en-us/library/gg398041

In the SCCM task sequence add a reboot task after FEP has been installed.  Configure the reboot step to reboot into the currently installed operating system.


Next, add a Command Line step.  Update the share path to match the location of the FEP definitions in your environment.  This step runs a manual definition update from the file share.
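As an added example (not the post's own command line step), the PowerShell below performs the manual definition update from a share and can be called from the Command Line step via powershell.exe.  The share path \\server\FEPDefinitions is a placeholder for your own share.  The MpCmdRun.exe location and its -SignatureUpdate -UNC -Path switches are assumptions based on the FEP client's command-line tool; verify them against the TechNet articles linked above before use.

```powershell
# Added example, not from the original post.
# Placeholder share; replace with the UNC path populated by your download script.
$definitionShare = '\\server\FEPDefinitions'

# Assumed location of the FEP client's command-line tool.
$mpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\Antimalware\MpCmdRun.exe'

if (-not (Test-Path $mpCmdRun)) {
    Write-Host "MpCmdRun.exe not found at $mpCmdRun; has the FEP client been installed?"
    exit 1
}

# Fail early if the share is unreachable, rather than leaving the client unprotected silently.
if (-not (Test-Path $definitionShare)) {
    Write-Host "Definition share $definitionShare is not reachable."
    exit 1
}

# Assumed switches: pull definitions from the given UNC path instead of WSUS/SCCM.
& $mpCmdRun -SignatureUpdate -UNC -Path $definitionShare
$result = $LASTEXITCODE

if ($result -ne 0) {
    Write-Host "Definition update failed with exit code $result."
    exit $result
}
Write-Host "Definitions updated from $definitionShare."
```

Returning a non-zero exit code lets the task sequence surface the failure instead of continuing with an out-of-date client.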