Configure definition updates for Endpoint Protection


Author Nawaz and Mamata

Greetings,

In this SCEP deployment series, the first part of this guide covered installing the System Center Endpoint Protection role. In the second part we looked at configuring the Endpoint Protection SCCM components, and in the third part we deployed client settings and antimalware policies. By this point our clients are already managed by the SCCM SCEP role.

Now it's time to maintain them by updating them with the latest definitions as they are released. In this blog post we will walk through the following steps:

  • Configure the Software Update Point for SCEP
  • Create an Automatic Deployment Rule (ADR) and deploy updates
  • Check update deployment status via logs on the client
  • Check the status in the Monitoring node

Let's start.

Configure Software Update Point for SCEP

In the Configuration Manager console, select Administration –> Sites –> Configure Site Components –> Software Update Point.

Check Definition Updates in the Classifications tab.

In the Products tab, check System Center Endpoint Protection.

WCM.log captures the classification and product selection, so that on the next sync the respective updates can be downloaded.

Let's run a manual SCCM sync and watch the changes in wsyncmgr.log; the updates are now synced.

You should now see the changes in the console.

Let's create the ADR

Right-click on Automatic Deployment Rules under Software Library > Software Updates and click Create Automatic Deployment Rule.

Choose the settings below.

Template Name: SCEP and Windows Defender Antivirus Updates

Each time the rule runs and finds new updates: Add to an existing Software Update Group (this option lets you maintain all definition updates under one SUG and one Deployment Package).

Under Deployment Settings, select Automatically deploy all software updates found by this rule, and approve any license agreements.

Set the update selection criteria as highlighted below in red.

Recurring schedule: this is the main thing, where the new definitions are checked, downloaded and deployed to machines.

We want machines updated every time so that they have the latest antimalware definitions. It is better to run every 8 hours and find no new definition than to not run for 2 days and miss a critical one.

Choose the Schedule Deployment setting wisely.

We want this update to install independent of maintenance windows, with reboot suppressed and no notification shown on user machines. So here are the settings.

Since this is the first time, let's create the deployment package SCEP Updates. Make sure you enable binary differential replication so that when new updates are added to the package after 8 hours, only the required content is distributed.

Distribute Content

Choose the download settings wisely.

Complete the wizard.

Once the ADR wizard completes, you will see the tasks defined in the ADR executing; these changes can be observed in ruleengine.log.

You can see the SUG with the deployment created and scheduled.

Check update deployment status via logs on the client

On the next scan the machine will evaluate the deployed updates and install them. Here is a snippet from one of the machines; the log file name is wuahandler.log.

Let’s see the difference after updating.

Before :

After :
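To go with the wuahandler.log check above, here is an added PowerShell example (not the post's own code) that parses CMTrace-format log lines, the format the ConfigMgr client logs use, and flags a client whose last successful definition install is older than the 8-hour ADR interval chosen in this post. The sample log lines, their message wording and the `Get-DefinitionInstallReport` name are constructed for this example.

```powershell
# Added example, not code from the original post: parse CMTrace-format entries
# and report whether the last successful definition install is older than the
# ADR recurrence. The log lines below are constructed samples; real messages differ.

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory)][string]$Line)
    # CMTrace entry: <![LOG[message]LOG]!><time="HH:mm:ss.fff+bias" date="MM-dd-yyyy" component="..." ...>
    if ($Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"') {
        $clock = $Matches.time -replace '[+-]\d+$', ''   # strip the UTC-bias suffix (minutes)
        $stamp = [datetime]::ParseExact("$($Matches.date) $clock", 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{ Time = $stamp; Component = $Matches.comp; Message = $Matches.msg }
    }
}

function Get-DefinitionInstallReport {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$MaxAgeHours = 8,               # the ADR recurrence chosen in this post
        [datetime]$Now = (Get-Date)
    )
    $entries = foreach ($l in $LogLines) { ConvertFrom-CMTraceLine -Line $l }
    # WUAHandler reports each install with an HRESULT; 0x00000000 is success.
    $installs = foreach ($e in $entries) {
        if ($e.Message -match 'finished installing \((0x[0-9A-Fa-f]{8})\)') {
            [pscustomobject]@{ Time = $e.Time; Result = $Matches[1]; Success = ($Matches[1] -eq '0x00000000') }
        }
    }
    $lastGood = @($installs | Where-Object Success | Sort-Object Time) | Select-Object -Last 1
    $lastTime = if ($lastGood) { $lastGood.Time } else { $null }
    [pscustomobject]@{
        InstallAttempts = @($installs).Count
        Failures        = @($installs | Where-Object { -not $_.Success }).Count
        LastSuccess     = $lastTime
        Stale           = (-not $lastGood) -or (($Now - $lastGood.Time).TotalHours -gt $MaxAgeHours)
    }
}

# Constructed sample log lines (not real wuahandler.log output).
$sample = @(
    '<![LOG[Update (Missing): Definition Update for System Center Endpoint Protection (constructed)]LOG]!><time="06:02:11.120+000" date="03-10-2019" component="WUAHandler" context="" type="1" thread="4812" file="cwuahandler.cpp:100">'
    '<![LOG[Update 1 (constructed) finished installing (0x00000000), Reboot Required? No]LOG]!><time="06:03:40.555+000" date="03-10-2019" component="WUAHandler" context="" type="1" thread="4812" file="cwuahandler.cpp:200">'
    '<![LOG[Update 2 (constructed) finished installing (0x80240022), Reboot Required? No]LOG]!><time="14:05:02.001+000" date="03-10-2019" component="WUAHandler" context="" type="3" thread="4812" file="cwuahandler.cpp:200">'
)
# With the clock at 20:00 the only success (06:03) is about 14 h old, so Stale is True.
Get-DefinitionInstallReport -LogLines $sample -Now ([datetime]'2019-03-10T20:00:00') | Format-List
```

Point `-LogLines (Get-Content "$env:windir\CCM\Logs\wuahandler.log")` at a real client to run the same check against its actual log.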

You can also check the status from the Monitoring tab.

We have now set up an Automatic Deployment Rule that will download updates, distribute them and install them. In production you may want to have multiple deployments, one for workstations and another for servers.

Happy Sharing
