A new version of this tool has been released and some of the issues mentioned here have been fixed.

Refer here first: http://blogs.technet.com/b/configmgrteam/archive/2011/11/01/how-to-use-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx

*******************************************************************************

This blog list some issues you may meet when using the SoftwareUpdateAutomation.exe tool and provide the workarounds. This blog also give a list of best practice you should follow when using this tool.

Issue 1: SoftwareUpdateAutomation.exe tool can retrieve more than one FEP 2010 definition up.

Symptoms:

SoftwareUpdateAutomation.exe fail to add new definition updates to your deployment package.

Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:

SmsAdminUISnapIn Error: 1 : Unexpected exception: System.ArgumentException: An item with the same key has already been added.

at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)

at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)

at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)

at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SccmUtilities.CalculateCleanupDelta(ConnectionManagerBase connection, ICollection`1 freshUpdateFilesObjectList, IResultObject destinationPackageObject)

at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Update(SoftwareUpdateAutomationArguments arguments)

at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Main(String[] args)

Root cause:

More than one FEP 2010 definition update has been detected as active by the tool. This could happen in the following two scenarios:

1. You set WSUS to sync for more than 30 days. WSUS will only go back 30 days, so it will not expire the update definition which is more than 30 days older.
2. You run a delt synchronization on Configuration Manager. Configuration Manager delta synchronization (manual synchronization) will only synchronize non-expired/non-superseded updates. So it will not expire the old definition updates even though it has already been superseded in WSUS database.

Workarounds:

The best way to avoid this issue is to create appropriate WSUS synchronization schedule (suggested to run 1 time per day) and make sure the tool only run after a full synchronization is done.

However, if you have already met this issue, use the following workaround:

  1. Use WMI to determine if more than one FEP 2010 definition update is considered active by the tool. Run this WQL query: SELECT * FROM SMS_SoftwareUpdate
    WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1.
  2. If more than one update is returned, check the IsExpired value for each update. If all but one update has the IsExpired value set to TRUE then the simple workaround is to run the tool with the /UpdateFilter parameter adding the IsExpired attribute. For example: /UpdateFilter “ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0
  3. If the results of the WQL query lists multiple updates with the IsExpired value set to FALSE, then some FEP 2010 definition updates have been orphaned. For each update returned, double click on the LocalizedDisplayName property and note the definition version. The update(s) with the lowest definition versions have been orphaned.
  4. Once you have determined the orphaned update(s) (IsSuperseded=0 and IsExpired=0 but the definition version is not the highest in the list), you will need to manual decline them using the WSUS administrator console. Then run a Full (scheduled) Synchronization to expire the declined updates in the ConfigMgr database. NOTE: Running a manual sync will NOT expire the declined updates. After the scheduled sync  as run use the below WQL query to confirm that there is now only one active FEP 2010 definition update. SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND  IsEnabled=1 AND IsExpired=0 Once this is confirmed the tool can be run with the UpdateFilter from step one successfully.

 

Issue 2: SoftwareUpdateAutomation.exe tool will fail if you have customized updates (deployed with SCUP) in ConfigMgr Database whose ArticleID is not an int value.

Symptoms:

SoftwareUpdateAutomation.exe fail to add new definition updates to your deployment package.

Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:

 SmsAdminUISnapIn Information: 1 : Executing WQL: 'SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1'

……

SQLMessage = "[22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'APBS10-17' to data type int."; 

Root Cause:

When you use SCUP to publish 3rd part update, you’ll be able to deploy an update with ArticleID is not int value. In the above example, the ArticleID is ‘APBS10-17’. While the WQL query assume that all the ArticleIDs are int value, so WMI throw the exception.

 Workarounds:

Use /UpdateFilter option in the command line. For example: SoftwareUpdateAutomation.exe /UpdateFilter "ArticleID='2461484' AND IsSuperseded=0 AND IsEnabled=1" /AssignmentName  <AssignmentName> /PackageName <DeploymentPkgName> /RefreshDP

 

Issue 3: SoftwareUpdateAutomation.exe tool will fail if the specified Assignment doesn’t contain any updates.

Symptoms:

SoftwareUpdateAutomation.exe fail to add new definition updates to your deployment package.

Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:

SmsAdminUISnapIn Information: 1 : Executing WQL: 'SELECT * FROM SMS_UpdatesAssignment WHERE AssignmentName='Microsoft Updates - 7/19/2011 5:48:41 AM''

……

SmsAdminUISnapIn Error: 1 : Unexpected exception: System.NullReferenceException: Object reference not set to an instance of an object.

   at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.Utilities.Join(String separator, Int32[] array)

   at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Update(SoftwareUpdateAutomationArguments arguments)

   at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Main(String[] args)

Workaround:

Make sure you have at least one update in the Deployment.

 

Issue 4: SoftwareUpdateAutomation.exe doesn’t Refresh Distribution Point.

Symptoms:

SoftwareUpdateAutomation.exe does not refresh distribution points (DPs) by default. Even though the help output for the tool states that /RefreshDP is set by default, it is not.

 Workaround:

Use /RefreshDP option in the command line. For example: SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /RefreshDP

 

Issue 5: SoftwareUpdateAutomation.exe will add revision number to the Deployment Package even there’re no new FEP 2010 definition updates are added.

Symptoms:

Each time the tool is run it creates a new hash and increments the (deployment) package version even when there’re no new updates added.

 Workaround:

Only run this tool when necessary.

 

Issue 6: You cannot find the SoftwareUpdateAutomation.log under %ProgramData% folder on Windows 2003 Server.

Symptoms:

You cannot find the SoftwareUpdateAutomaiton.log under %ProgramData% folder if it's run on a Windows 2003 Server. And there's no %ProgramData% environment virable.

Workaround:

Check the log under folder C:\Documents and Settings\All Users\Application Data.

 

Summary & Best Practice:

There are several issues with this tool. However if you use this tool properly, you will not meet them in most conditions. The best practice for using this tool:

1. Set proper SUP synchronization schedule. FEP 2010 definition update release 3 times per day. You shouldn’t set the schedule too long to make your managed clients always not “Up to date” (In FEP 2010,  “Up to date Definition Status Collection” only contains clients whose definitions are less than 24 hours old.). 24 hours should be a good value.

2. When you set the Task Schedule to run SoftwareUpdateAutomation.exe, use /UpdateFilter “ArticleID='2461484' AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0" and /RefreshDP option to avoid issues 1, 2 & 4.

3. To avoid 1 & 5, When you set the Task Schedule to run SoftwareUpdateAutomation.exe, be sure to make it run every time a Full (scheduled) SUP synchronization is done. (1 hour after the SUP synchronization should be appropriate depends on how long a Full SUP synchronization will take in your production environment).

4. To avoid 3. Create a Deployment specific for FEP 2010 definition update deployment. Don’t manual delete any updates in the FEP Deployment.