Configure definition updates for Endpoint Protection


Author Nawaz and Mamata


In this series on SCEP deployment, the first part of the guide covered installing the System Center Endpoint Protection role. In the second part we configured the Endpoint Protection components in SCCM, and in the third part we deployed client settings and antimalware policies. By this point our clients are already managed by the SCCM SCEP role.

Now it is time to maintain them by pushing the latest definitions as soon as they are released. In this post we will walk through these steps:

  • Configure the Software Update Point for SCEP
  • Create an Automatic Deployment Rule (ADR) and deploy the updates
  • Check update deployment status in the logs on the client
  • Check the status in the Monitoring workspace

Let's start.

Configure Software Update Point for SCEP

In the Configuration Manager console, go to Administration > Site Configuration > Sites, select the site, click Configure Site Components in the ribbon and choose Software Update Point.


On the Classifications tab, check Definition Updates.


On the Products tab, check System Center Endpoint Protection.


WCM.log on the site server records the classification and product selection being pushed to WSUS, so that the next synchronization pulls the corresponding updates.


Let's run a manual synchronization (Software Library > Software Updates > All Software Updates > Synchronize Software Updates) and follow it in wsyncmgr.log; the definition updates are now synced.


The new definition updates now show up in the console under All Software Updates.
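The same three steps (classification, product, manual sync) can be scripted with the ConfigurationManager PowerShell module that ships with the console. This is an added example, not code from the original post; the site code, site server name, log share and the Get-CMSoftwareUpdate filter parameters are assumptions you will need to adjust.

```powershell
# Added example: configure the SUP for SCEP definitions and run a sync.
# Run from a machine with the Configuration Manager console installed.
$SiteCode   = 'P01'                  # assumption: your site code
$SiteServer = 'cm01.contoso.local'   # assumption: primary site server hosting the SUP

# Load the module shipped with the console and connect to the site drive
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# Equivalent of ticking the boxes on the Classifications and Products tabs
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
    -AddUpdateClassification 'Definition Updates' `
    -AddProduct 'System Center Endpoint Protection'

# Equivalent of "Synchronize Software Updates" in the console
Sync-CMSoftwareUpdate -FullSync $true

# Follow the sync in wsyncmgr.log (assumption: default SMS_<sitecode> log share).
# ConfigMgr log lines are wrapped as <![LOG[message]LOG]!><time=... ...>; strip the wrapper.
$log = "\\$SiteServer\SMS_$SiteCode\Logs\wsyncmgr.log"
Get-Content -Path $log -Tail 200 |
    Select-String -Pattern 'Definition Updates|Endpoint Protection|Sync (succeeded|failed)' |
    ForEach-Object { $_.Line -replace '^<!\[LOG\[(.*?)\]LOG\]!>.*$', '$1' }

# Confirm that current (not expired, not superseded) SCEP definitions are in the catalogue.
# Assumption: -Name accepts wildcards and -IsExpired/-IsSuperseded filters exist in your module version.
Get-CMSoftwareUpdate -Fast -Name '*Endpoint Protection*' -IsExpired $false -IsSuperseded $false |
    Sort-Object DatePosted -Descending |
    Select-Object -First 5 LocalizedDisplayName, DatePosted, IsDeployed
```

Run it a second time after the next sync and the last query should show a newer DatePosted; if it does not, wsyncmgr.log is the first place to look.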


Let's create the ADR

Right-click on Automatic Deployment Rules under Software Library > Software Updates and click Create Automatic Deployment Rule.

Choose the following settings:

Template Name: SCEP and Windows Defender Antivirus Updates

Each time the rule runs and finds new updates: Add to an existing Software Update Group (this keeps all definition updates in one SUG and one deployment package instead of creating a new pair on every run).


Under Deployment Settings, select "Automatically deploy all software updates found by this rule, and approve any license agreements".


Set the software update selection criteria as highlighted in red in the screenshot.


Recurring schedule: this is the core of the rule, because it controls when new definitions are checked for, downloaded and deployed to machines.

We want clients to pick up the latest antimalware definitions promptly. It is better to run every 8 hours and occasionally find nothing new than to run every two days and miss a critical definition. Keep in mind that the rule can only deploy what the software update point has already synchronized, so the SUP synchronization schedule has to be at least as frequent (or set the rule to run after any software update point synchronization instead of on its own schedule).


Choose the deployment schedule settings carefully: any delay between the updates becoming available and the installation deadline is time clients spend running with stale definitions.


We want the definitions to install regardless of maintenance windows, with restarts suppressed and no notifications shown to users, so the settings are as follows.


Since this is the first run, create a new deployment package named SCEP Updates. Make sure binary differential replication is enabled, so that when new updates are added to the package every 8 hours only the changed content is replicated to distribution points rather than the whole package.


Distribute Content


Choose the download settings carefully (for example, whether clients may fall back to a neighbouring boundary group or to Microsoft Update when no local distribution point has the content).


Complete the wizard


Once the ADR wizard completes, the rule runs and the actions it defines are executed; you can follow this in ruleengine.log on the site server.


You can see the SUG with its deployment created and scheduled.
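The whole wizard above can be reproduced with New-CMSoftwareUpdateAutoDeploymentRule. This is an added example, not code from the original post. It assumes the site drive is already connected (the console's "Connect via Windows PowerShell" action does this), and the collection name, package source path, distribution point group and the selection criteria (Definition Updates classification, SCEP product, released in the last day, not superseded) are assumptions; check the accepted values of -DateReleasedOrRevised against the cmdlet help for your module version.

```powershell
# Added example: create the "SCEP and Windows Defender Antivirus Updates" ADR.
$SiteCode = 'P01'     # assumption: your site code
Set-Location "$($SiteCode):"

# Recurring schedule from the wizard: every 8 hours, starting now
$every8h = New-CMSchedule -Start (Get-Date) -RecurInterval Hours -RecurCount 8

$adr = @{
    Name                                          = 'SCEP and Windows Defender Antivirus Updates'
    CollectionName                                = 'SCEP Managed Workstations'   # assumption
    # "Add to an existing Software Update Group": one SUG, one package
    AddToExistingSoftwareUpdateGroup              = $true
    # Deployment Settings: deploy everything found, approve any EULAs
    DeployWithoutLicense                          = $true
    # Software Updates selection criteria (assumed values)
    UpdateClassification                          = 'Definition Updates'
    Product                                       = 'System Center Endpoint Protection'
    DateReleasedOrRevised                         = 'Last1Day'
    Superseded                                    = $false
    # Evaluation schedule
    RunType                                       = 'RunTheRuleOnSchedule'
    Schedule                                      = $every8h
    # Deployment schedule: available and required as soon as possible
    AvailableImmediately                          = $true
    DeadlineImmediately                           = $true
    # User Experience: no notification, ignore maintenance windows, never restart
    UserNotification                              = 'HideAll'
    AllowSoftwareInstallationOutsideMaintenanceWindow = $true
    SuppressRestartWorkstation                    = $true
    SuppressRestartServer                         = $true
    # Deployment Package and Distribution Points
    DeploymentPackageName                         = 'SCEP Updates'
    Location                                      = '\\cm01.contoso.local\Sources\Updates\SCEP'  # assumption
    DistributionPointGroupName                    = 'All Distribution Points'                  # assumption
    # Download Settings: let clients fall back to Microsoft Update
    DownloadFromMicrosoftUpdate                   = $true
    EnabledAfterCreate                            = $true
}
$rule = New-CMSoftwareUpdateAutoDeploymentRule @adr

# Run the rule now instead of waiting for the first scheduled evaluation
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name $rule.Name

# The SUG and deployment created by the rule carry the rule's name
Get-CMSoftwareUpdateGroup -Name $rule.Name |
    Select-Object LocalizedDisplayName, NumberOfUpdates, DateLastModified
Get-CMSoftwareUpdateDeployment -Name $rule.Name |
    Select-Object AssignmentName, CollectionName, EnforcementDeadline
```

Because the deployment has no maintenance-window or restart constraints, scope the collection deliberately; a second copy of the rule targeting a server collection with its own settings is the usual way to keep workstation and server behaviour separate.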

Check update deployment status via logs on the client

On the next scan cycle the client evaluates the deployed updates and installs them. Here is a snippet from one machine's WUAHandler.log:

Let’s see the difference after updating.

Before :

After :

You can also check the deployment status from the Monitoring workspace, under Deployments.
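To do the same client-side check without waiting for the next scheduled cycle, the script below (an added example, not from the original post) triggers the Software Updates Scan and Deployment Evaluation cycles, records the antimalware signature version before and after, and pulls the relevant records out of WUAHandler.log. It must run elevated on the client; the sleep and timeout values are assumptions, and the Get-AvSignatureVersion helper and its name are mine, not part of the product.

```powershell
# Added example: trigger update evaluation on a client and compare definitions before/after.

function Get-AvSignatureVersion {
    # MSFT_MpComputerStatus is exposed by Windows Defender (root\Microsoft\Windows\Defender)
    # and by SCEP on older clients (root\Microsoft\ProtectionManagement).
    foreach ($ns in 'root\Microsoft\Windows\Defender', 'root\Microsoft\ProtectionManagement') {
        $s = Get-CimInstance -Namespace $ns -ClassName MSFT_MpComputerStatus -ErrorAction SilentlyContinue
        if ($s) {
            return [pscustomobject]@{ Version = $s.AntivirusSignatureVersion; Updated = $s.AntivirusSignatureLastUpdated }
        }
    }
    # Fallback: SCEP also writes the version to the registry
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    $v = Get-ItemProperty -Path $key -Name AVSignatureVersion -ErrorAction SilentlyContinue
    if ($v) { return [pscustomobject]@{ Version = $v.AVSignatureVersion; Updated = $null } }
    throw 'No antimalware status source found on this machine'
}

function Invoke-CcmSchedule([string]$ScheduleId) {
    # Same call the Actions tab of the Configuration Manager control panel applet makes
    Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = $ScheduleId } | Out-Null
}

function ConvertFrom-CcmLog {
    param([string]$Path, [string]$Pattern = '.')
    # One <![LOG[message]LOG]!><time="..." date="..." component="..." ...> record per line
    $re = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]+)"'
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match $re) {
            $m = $Matches          # keep a reference; the next -match replaces $Matches
            if ($m.msg -match $Pattern) {
                [pscustomobject]@{
                    Date = $m.date; Time = $m.time.Split('.')[0]; Component = $m.comp; Message = $m.msg
                }
            }
        }
    }
}

$before = Get-AvSignatureVersion
'Before: {0} (last updated {1})' -f $before.Version, $before.Updated

Invoke-CcmSchedule '{00000000-0000-0000-0000-000000000113}'   # Software Updates Scan Cycle
Start-Sleep -Seconds 120                                       # assumption: let the scan finish
Invoke-CcmSchedule '{00000000-0000-0000-0000-000000000108}'   # Software Updates Deployment Evaluation Cycle

# Poll until the signature version changes or we give up (assumption: 15 minutes)
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $after = Get-AvSignatureVersion
} while ($after.Version -eq $before.Version -and (Get-Date) -lt $deadline)
'After:  {0} (last updated {1})' -f $after.Version, $after.Updated

# What the Windows Update agent reported back to the ConfigMgr client
ConvertFrom-CcmLog -Path "$env:windir\CCM\Logs\WUAHandler.log" `
    -Pattern 'Definition Update|Successfully completed scan|Installation of updates|Update \d+ ' |
    Select-Object -Last 20 | Format-Table -AutoSize
```

If the version does not change within the timeout, UpdatesDeployment.log and UpdatesHandler.log in the same folder show whether the client saw the deployment at all, which separates a content or targeting problem from a Windows Update agent problem.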

We have now set up an Automatic Deployment Rule that downloads the definitions, distributes them to the distribution points and installs them on clients. In production you may want separate deployments, one for workstations and one for servers, so that each can target its own collection with its own schedule and user-experience settings.

Happy Sharing
