In this series on SCEP deployment, the first part of the guide covered installing the System Center Endpoint Protection role. The second part covered configuring the Endpoint Protection SCCM components, and the third part deployed client settings and antimalware policies. By this point, our clients are managed by the SCCM SCEP role.
Now it's time to maintain them by updating them with the latest definitions as they are released. In this blog, we will deep dive into the steps to:
- Configure Software Update Point for SCEP
- Create Automatic Deployment Rule (ADR) and deploy updates
- Check update deployment status via logs on the client.
- Check out status in Monitoring Portal.
Configure Software Update Point for SCEP
In the Configuration Manager console, select Administration –> Sites –> Configure Site Components –> Software Update Point.
On the Classifications tab, check Definition Updates.
On the Products tab, check System Center Endpoint Protection.
The WCM.log file captures the classification and product selections so that the respective updates can be downloaded on the next scan.
Let’s run an SCCM sync manually and watch the changes in wsyncmgr.log; the updates have now synced.
You should now see the changes in the console.
Let’s create the ADR
Right-click on Automatic Deployment Rules under Software Library > Software Updates and click Create Automatic Deployment Rule.
Choose the settings below:
Template Name: SCEP and Windows Defender Antivirus Updates
Each time the rule runs and finds new updates: Add to an existing Software Update Group (this option lets you maintain definition updates under one SUG and one deployment package).
Under Deployment Settings, select Automatically deploy all software updates found by this rule, and approve any license agreements.
Update Selection Criteria as highlighted below in red
Recurring schedule: this is the key setting, because it controls when new definitions are checked, downloaded and deployed to machines.
Machines need to be updated regularly so that they have the latest antimalware definitions. It is better to run every 8 hours and find no updated definition than to not run for 2 days and miss a critical definition.
Choose the Schedule Deployment setting wisely.
We want to install this update independent of any maintenance window, suppress the reboot, and trigger no notifications on user machines. So here are the settings.
Since this is the first time, let’s create the deployment package SCEP Updates. Make sure you enable binary differential replication so that when new updates are added to the package after 8 hours, only the required content is distributed.
Choose download settings wisely.
Complete the wizard.
Once the ADR wizard completes, you will see the tasks defined in the ADR executing; these changes can be observed in ruleengine.log.
Check update deployment status via logs on the client
On the next scan, the machine will evaluate the deployed updates and install them. Here is a snippet from one of the machines; the log file name is wuahandler.log.
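One way to run this client-side check without reading the log by eye, as an added example that is not part of the original post: a parser for the CMTrace-style records in wuahandler.log that reports updates whose most recent install attempt returned a non-zero HRESULT. The sample records are constructed, and the "finished installing" message wording and the function names are assumptions.

```python
import re
from datetime import datetime

# CMTrace-style record layout used by Configuration Manager client logs.
RECORD = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>\d{1,2}:\d{2}:\d{2})[^"]*" date="(?P<date>\d{1,2}-\d{1,2}-\d{4})" '
    r'component="(?P<component>[^"]*)"[^>]*>', re.DOTALL)
# Assumed wording of the WUAHandler per-update result message.
RESULT = re.compile(r'Update \d+ \((?P<id>[0-9a-fA-F-]{36})\) finished installing '
                    r'\((?P<hresult>0x[0-9A-Fa-f]{8})\)')

def install_results(log_text):
    """Return one dict per install result found in WUAHandler records."""
    results = []
    for rec in RECORD.finditer(log_text):
        if rec["component"].lower() != "wuahandler":
            continue  # ignore records written by other client components
        hit = RESULT.search(rec["msg"])
        if hit:
            when = datetime.strptime(rec["date"] + " " + rec["time"], "%m-%d-%Y %H:%M:%S")
            results.append({"when": when, "update_id": hit["id"],
                            "hresult": hit["hresult"].lower(),
                            "ok": int(hit["hresult"], 16) == 0})
    return results

def failed_updates(log_text):
    """Updates whose most recent install attempt ended with a non-zero HRESULT."""
    latest = {}
    for r in sorted(install_results(log_text), key=lambda r: r["when"]):
        latest[r["update_id"]] = r  # a later attempt overrides an earlier one
    return [r for r in latest.values() if not r["ok"]]

# Constructed sample records (not taken from a real client).
_TAIL = 'component="WUAHandler" context="" type="1" thread="4100" file="cwuahandler.cpp:0">\n'
_A = "11111111-1111-1111-1111-111111111111"
_B = "22222222-2222-2222-2222-222222222222"
SAMPLE_LOG = (
    '<![LOG[Async installation of updates started.]LOG]!>'
    '<time="08:00:01.120+000" date="03-14-2020" ' + _TAIL +
    '<![LOG[Update 1 (' + _A + ') finished installing (0x80240022), Reboot Required? No]LOG]!>'
    '<time="08:00:05.300+000" date="03-14-2020" ' + _TAIL +
    '<![LOG[Update 1 (' + _A + ') finished installing (0x00000000), Reboot Required? No]LOG]!>'
    '<time="16:00:05.010+000" date="03-14-2020" ' + _TAIL +
    '<![LOG[Update 2 (' + _B + ') finished installing (0x80070005), Reboot Required? No]LOG]!>'
    '<time="16:00:06.450+000" date="03-14-2020" ' + _TAIL)

if __name__ == "__main__":
    for r in failed_updates(SAMPLE_LOG):
        print(r["when"], r["update_id"], r["hresult"])
```

An update that failed on one cycle but installed on the next is not reported, so the output lists only definitions that are still outstanding on the client.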
Let’s see the difference after updating.
Also, you can check the status from the monitoring tab.
We have now set up an Automatic Deployment Rule that will download updates, distribute them and install them. In production you may want multiple deployments, one for workstations and another for servers.