We have an issue were we automatically approve definition updates to Forefront Endpoint Protection 2010 to our servers, this is working fine for all server except the domain controllers. Hopefully somebody here has had the same problem or can point me in the right direction for a solution.
Situation:
We have set up multiple servers with an SCCM client and Forefront Endpoint Protection 2010 but because software updates are working as we want it to we let the servers get their software updates through a dedicated WSUS 3 server which is not part of the
SCCM 207 R3 environment.
The deployment of the Forefront Endpoint 2010 client through SCCM is working fine, all servers have installed the Forefront Endpoint client succesfully.
We have several policies and collections in SCCM defining the different server roles (Domain Controllers, Exchange Servers, SQL Servers, etc).
All Forefront Endpoint Protection policies are set the same, except for the exclusions which differ per server role.
We have GPO's in place for setting the WSUS server for the servers, in the GPO's we set the updates to download but notify for install, GPO's settings are exactly the same for Domain Controllers, Members Servers, etc. The only difference is the Target Group setting.
We have several groups in WSUS 3 defining the different server roles (Domain Controllers, Member Servers, etc).
We have one Auto Approve rule which auto approves definition updates to Forefront Endpoint Protection to all groups.
The auto approve rule is working for the Member Servers, definition updates are installing fine but the rule is NOT working for the domain controllers, on the domain controllers the definition update is waiting for a manual install in the windows update screen and will not auto install.