Another frequent customer request about FEP is to have the initial definition update after FEP client installation served via Configuration Manager instead of from live MU.
To achieve this, first follow the article here to keep your SCCM site deployed with the latest FEP definition update. The next step is to ensure that, after FEP installation, the client does not try to get the definition update from live MU but from SUM. We also need to trigger an update scan and an update re-evaluation on the client so that it picks up the definition update and installs it. There are several things we need to consider:
1. Find a way to disable the FEP fallback to WSUS and live MU after FEP client installation.
By default, right after the FEP client is installed, it tries to get the latest definition update through live MU. To hold this process back, we need to apply a FEP policy (one that disables the fallback to WSUS and live MU) to the client right after the installation succeeds.
We can use the following FEP policy:
The option “Updates from UNC file shares” has to be checked, because the UI doesn’t allow the fallback options to be empty.
How to create a file share for FEP definitions is described here: http://technet.microsoft.com/en-us/library/gg398041.aspx. These null files are also beneficial in case deployment through the update deployment fails for some reason.
Because the FEP deployment program does not automatically apply policy after installation completes, the client needs to explicitly run the apply FEP policy program afterwards.
When you assign FEP policies to clients, no matter which policy you assign with the specific program, the client always chooses from all the FEP policies that are assigned to it and applies the one with the highest precedence. So you need to be careful about the policies: make sure that only the expected policy is assigned to the client on which you plan to install the FEP client, and that the proper policies are assigned to the same client after it has installed the FEP client successfully and been added to the FEP Installed collection.
A feasible way to do this is to edit the default policy to remove the fallback options and assign it to All Systems, while assigning other policies to the desired collections. (This is the approach the example below uses.)
2. After the FEP client installation succeeds and the default policy is applied, trigger the client to find and install the latest FEP definition update through SUM.
In our testing, we found the following caveats:
1) You need to wait for some time after the FEP client is installed before triggering the update scan cycle. Otherwise there may be a timing issue in which the definition update does not show as applicable. In our testing, we found 5 minutes works fine.
2) Update evaluation is triggered automatically when the policy is changed, or when the client is moved to a new collection that has a different update deployment assignment. If update evaluation is triggered in this way, it triggers an update scan cycle with the force re-scan flag.
3) If you trigger update evaluation through the API or by initiating the update evaluation action through the client applet, it triggers an update scan cycle without the force re-scan flag and may not find the definition update applicable.
The log screenshot below shows the difference between 2) and 3).
If you assign the definition update to All Systems, you should write a script that calls an Update Scan Cycle and then an Update Evaluation Cycle to find the update and install it. (This is the approach the example below uses.)
If you assign the definition update to the FEP Installed collection, then after the FEP client is installed and the machine is added to the FEP Installed collection (which may take some time), the policy-triggered update evaluation will find the update and install it.
Step-by-step example of how to do this with a task sequence:
Command Line: InitiateSoftwareUpdatesEvaluationCycle.cmd
Program can run: whether or not a user is logged on.
Check “Suppress program notifications”.
Check “Allow this program to be installed from the Install Software task sequence without being advertised”.
Step 1 – Install FEP Client: Package: Microsoft Corporation FEP – Deployment; Program: Install
Step 2 – Apply Policy: Package: Microsoft Corporation FEP – Policies; Program: Default Desktop Policy
Step 3 – Sleep for 5 minutes: Run Command Line: cscript.exe sleep.vbs; Package as you created in step 4.
Step 4 – Initiate Update Evaluation Cycle: Package and Program as you created in step 4.
Sample script to initiate the Update Deployment Evaluation Cycle:
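@ECHO OFF
REM Assumption: the VBScript sits beside this .cmd file and shares its base name.
SET "vbsfile=%~dpn0.vbs"
REM Run the script with the 32-bit cscript.exe (SysWow64 on 64-bit Windows).
IF /I "%PROCESSOR_ARCHITECTURE%" EQU "x86" (
    CALL %SystemRoot%\System32\cscript.exe "%vbsfile%"
) ELSE (
    CALL %SystemRoot%\SysWow64\cscript.exe "%vbsfile%"
)
EXIT /B %errorlevel%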
' Set the required variables.
actionNameToRun1 = "Updates Source Scan Cycle"
actionNameToRun = "Software Updates Assignments Evaluation Cycle"
' Create a CPAppletMgr instance.
Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")
' Get the available ClientActions object.
Set oClientActions = oCPAppletMgr.GetClientActions()
' Loop through the available client actions. Run the matching client action when it is found.
For Each oClientAction In oClientActions
    If oClientAction.Name = actionNameToRun1 Then
        oClientAction.PerformAction
        wscript.echo "Ran: " & oClientAction.Name
        ' Sleep 3 minutes after initiating the scan for updates to allow the client to finish scanning.
        wscript.sleep 1000*60*3
    End If
Next
' Then run the update evaluation cycle so the client picks up the definition update.
For Each oClientAction In oClientActions
    If oClientAction.Name = actionNameToRun Then
        oClientAction.PerformAction
        wscript.echo "Ran: " & oClientAction.Name
    End If
Next