How to fully automate installation of Microsoft Forefront Security for SCCM with WSUS update in powershell

I made a script that automates the installation of Microsoft Forefront Security, adds the computer name to the AD group for Forefront, and then updates the WSUS server with the computer name and assigns it to the right groups. There are ways to automatically assign clients to the right WSUS server through WSUS itself, and in that case this installation script might come in handy.

Files placed on the installation package:

  • install.ps1
  • Forefront Client Security installation package
  • password.txt

Files placed on the WSUS server in the directory C:\Script\Wsus:

  • wsus.ps1
  • addtowsus.ps1

For this to work we need to execute commands on remote servers, namely the DC and the WSUS server, so PSRemoting must be enabled on those servers.

Enabling PSRemoting does the following:

  • Starts the WinRM service.
  • Sets the startup type on the WinRM service to Automatic.
  • Creates a listener to accept requests on any IP address.
  • Enables a firewall exception for WS-Management communications.

Log on to the DC and the WSUS server and run the following command from an elevated PowerShell session. It adjusts the default configuration so that you can execute remote commands on the server.

When that is done, do a test run to make sure that you can reach the remote server through a PSSession.

Since this is a client installation package that will be sent out to client computers, we have no way of knowing the exact directory the script will run in, so we need to work that out inside the script. (I always start my scripts with this piece of code.)

Create a file named install.ps1 and enter the information below:

Now we have the running directory in $scriptFolder, which will be useful later on. Next we need the computer name that will be added to the AD group and to the WSUS server.

Now, I am sure there is a fancier way of getting the FQDN through code, but this is just as effective. We will use $wsuscomputername when adding the computer to the AD group and $wsusfqdncomputername when adding it to the WSUS server.

In an SCCM 2007 deployment there is no installation account; there is just an account that triggers LocalSystem to install the package on the machine when "Administrator" is chosen under installation. No domain user will be running this installation script, so we need to create a password file for the domain user that we will use to connect to the DC and the WSUS server. This leaves us with only one option: encrypting the password file with a key, instead of using encryption bound to a specific domain user, which would be more secure.

Create a new file in PowerShell ISE, since we will only do this once and then save the password file for later use. Run the following command and enter the password of the domain user you intend to use later on when updating AD and WSUS.

You now have an encrypted file with the password for your domain user. Place that file in the same directory as your main script and the Microsoft Forefront Client Security installation files.

Now it is time to connect to AD and update the security group that enables MS Forefront Client Security. Add the domain and user that you used before when generating the password file, and enter the DC after computerName.
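As an added example, not the post's own install.ps1, here is how the one-time password file step and the install-time AD group update fit together. It assumes the key-encrypted file is named password.txt next to the script, a 16-byte AES key, a service account CONTOSO\svc-forefront, a DC dc01.contoso.local and an AD group named "Forefront Clients" (all constructed names), and that PSRemoting is already enabled on the DC. Because the key has to ship inside the package for the script to read the file, anyone with the package can recover the password, which is why the post notes that user-bound encryption would be more secure.

```powershell
# Added example; the domain, account, DC and group names below are constructed.
# The key must be 16, 24 or 32 bytes (AES) and must be identical on both sides.
$key = [byte[]](1..16)

# --- One-time step, run in PowerShell ISE: write the key-encrypted password file ---
# Read-Host -AsSecureString never echoes the password; ConvertFrom-SecureString -Key
# writes an AES-encrypted string that can be decrypted on any machine holding $key.
Read-Host -Prompt 'Password for the AD/WSUS update account' -AsSecureString |
    ConvertFrom-SecureString -Key $key |
    Set-Content -Path 'C:\Temp\password.txt'

# --- install.ps1: locate the running directory (the script runs as LocalSystem) ---
$scriptFolder = Split-Path -Parent $MyInvocation.MyCommand.Path

# Short name for the AD group, FQDN for the WSUS server
$wsusComputerName     = $env:COMPUTERNAME
$wsusFqdnComputerName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Rebuild the credential from the key-encrypted file shipped with the package
$securePassword = Get-Content -Path (Join-Path $scriptFolder 'password.txt') |
    ConvertTo-SecureString -Key $key
$cred = New-Object System.Management.Automation.PSCredential (
    'CONTOSO\svc-forefront', $securePassword)

# Add this computer to the Forefront AD group by running the command on the DC
Invoke-Command -ComputerName 'dc01.contoso.local' -Credential $cred -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    # Get-ADComputer resolves the account object ("name$") so the group add succeeds
    $computer = Get-ADComputer -Identity $name
    Add-ADGroupMember -Identity 'Forefront Clients' -Members $computer
} -ArgumentList $wsusComputerName
```

If the DC rejects the session, run Test-WSMan against it with the same credential first; that separates a PSRemoting problem from an AD permission problem on the service account.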

Now it is time to install the Forefront Client Security client and import the .reg file with the configuration settings.

Now we would like to authorize Forefront Client Security so that our computer name shows up on the WSUS server. This is an issue during OS deployment, though, because the Update service has not been started yet. (If someone knows a fix for this, do tell me.) As this package might be used during OS deployment as well as for an installation from a client running the Advertised Programs console, we will add two commands to cover both scenarios.

Next we need to fix the WSUS groups for the case where this package is installed during the OS deployment phase: if the client is not authorized in WSUS it won't show up, and then we can't change its group.

Create a file named wsus.ps1 and enter the information below:

Now we will add the information to handle a client installation

Create a file named addtowsus.ps1 and enter the information below:

This handles OS deployments that do not have the option to authorize the client, so that the computer name still shows up in WSUS.

Now all you have to do is schedule addtowsus.ps1 on the WSUS server to run once a day, and you will always have an up-to-date WSUS setup.

PS: You can make the installation above smaller if you like, but I wanted to show you the options.

More to come…
