
How to Configure Definition Updates for Endpoint Protection in Configuration Manager

Updated: January 1, 2013

Applies To: System Center 2012 Configuration Manager, System Center 2012 Endpoint Protection, System Center 2012 Endpoint Protection SP1, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Endpoint Protection

With Endpoint Protection in Microsoft System Center 2012 Configuration Manager, you can use any of several available methods to keep antimalware definitions up to date on client computers in your hierarchy. The information in this topic can help you to select and configure these methods.

To update antimalware definitions, you can use one or more of the following methods:

  • Updates distributed from Configuration Manager – This method uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy.

  • Updates distributed from Windows Server Update Services (WSUS) – This method uses your WSUS infrastructure to deliver definition and engine updates to computers.

  • Updates distributed from Microsoft Update – This method allows computers to connect directly to Microsoft Update in order to download definition and engine updates. This method can be useful for computers that are not often connected to the business network.

  • Updates distributed from Microsoft Malware Protection Center – This method will download definition updates from the Microsoft Malware Protection Center.

  • Updates from UNC file shares – With this method, you can save the latest definition and engine updates to a share on the network. Clients can then access the network to install the updates.

You can configure multiple definition update sources and control the order in which they are assessed and applied. This is done in the Configure Definition Update Sources dialog box when you create an antimalware policy.

Use the following procedure to configure the definition update sources to use for each antimalware policy.

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.

  3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For more information about how to create antimalware policies, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

  4. In the Definition updates section of the antimalware properties dialog box, click Set Source.

  5. In the Configure Definition Update Sources dialog box, select the sources to use for definition updates. You can click Up or Down to modify the order in which these sources are used.

  6. Click OK to close the Configure Definition Update Sources dialog box.

You can configure Configuration Manager software updates to deliver definition updates to client computers. This is done by configuring automatic deployment rules. Before you begin to create automatic deployment rules, make sure that you have configured Configuration Manager software updates. For more information, see Software Updates in Configuration Manager.

Note
This procedure is only for the items that must be specifically configured for Endpoint Protection. For more information about the Create Automatic Deployment Rule Wizard, see Operations and Maintenance for Software Updates in Configuration Manager.

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Software Updates, and then click Automatic Deployment Rules.

  3. On the Home tab, in the Create group, click Create Automatic Deployment Rule.

  4. On the General page of the Create Automatic Deployment Rule Wizard, specify the following information:

    • Name: Enter a unique name for the automatic deployment rule.

    • Collection: Select the collection of client computers to which you want to deploy definition updates.

      Note
      You cannot deploy definition updates to a collection of users.

  5. Click Add to an existing Software Update Group.

  6. Make sure that the Enable the deployment after this rule is run check box is selected, and then click Next.

  7. On the Deployment Settings page of the wizard, in the Detail level list, select Minimal, and then click Next.

    Note
    From the Detail level list, select Minimal (Configuration Manager with no Service Pack) or Only error messages (Configuration Manager SP1). This reduces the number of state messages returned by definition deployment, which helps reduce CPU usage on the Configuration Manager servers.

  8. In the Property filters list, select the Update Classification check box.

  9. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify the value to search for list, select Definition Updates.

  10. Click OK to close the Search Criteria dialog box.

  11. In the Property filters list, select the Product check box.

  12. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify the value to search for list, select Forefront Endpoint Protection 2010.

  13. Click OK to close the Search Criteria dialog box, and then click Next.

  14. In the Property filters list, select the Superseded check box.

  15. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify the value to search for list, select No.

  16. Click OK to close the Search Criteria dialog box, and then click Next.

  17. On the Evaluation Schedule page of the wizard, select Enable rule to run on a schedule, and then configure the schedule by which to download definition updates. At a minimum, set the rule to run two hours after each software update point synchronization. Click Next.

    Important
    For performance reasons, in Configuration Manager with no Service Pack, do not schedule automatic deployment rules to deliver definition updates more than once each day. In Configuration Manager SP1, do not schedule automatic deployment rules to deliver definition updates more than three times a day.

  18. On the Deployment Schedule page of the wizard, configure the following settings:

    • Time based on: Select UTC if you want all clients in the hierarchy to install the latest definitions at the same time. The actual installation time will vary within a two-hour window. This setting is a recommended best practice.

    • Software available time: Specify the available time for the deployment that is created by this rule. The specified time must be at least one hour after the automatic deployment rule runs. This helps to ensure that the content has sufficient time to replicate to the distribution points in your hierarchy. Some definition updates might also include antimalware engine updates, which might take longer to reach distribution points.

    • Installation deadline: Select As soon as possible.

      Note
      Software update deadlines are varied over a two-hour period to prevent all clients from requesting an update at the same time.

  19. Click Next.

  20. On the User Experience page of the wizard, in the User notifications list, select Hide in Software Center and all notifications. This ensures that the definition updates install silently. Click Next.

  21. On the Alerts page of the wizard, you do not have to configure any alerts. Endpoint Protection in Configuration Manager generates any alerts that might be required. Click Next.

  22. On the Download Settings page of the wizard, select the necessary software updates download behavior, and then click Next.

  23. On the Deployment Package page of the wizard, select an existing deployment package or create a new deployment package to contain the software update files associated with the rule.

    Note
    Consider placing definition updates in a package that does not contain other software updates. This strategy keeps the size of the definition update package smaller, which allows it to replicate to distribution points more quickly.

  24. On the Distribution Points page of the wizard, select one or more distribution points to which the content for this package will be copied, and then click Next.

  25. On the Download Location page of the wizard, select Download software updates from the Internet, and then click Next.

  26. On the Language Selection page of the wizard, select each language version of the updates to be downloaded, and then click Next.

  27. Complete the Create Automatic Deployment Rule Wizard.

  28. Verify that the new rule is displayed in the Automatic Deployment Rules node of the Configuration Manager console.

If you use WSUS to keep your antimalware definitions up to date, you can configure it to auto-approve definition updates. Although using Configuration Manager software updates is the recommended method to keep definitions up to date, you can also configure WSUS as a method to allow users to manually initiate definition updates. Use the following procedures to configure WSUS as a definition update source.

To configure Configuration Manager software updates to synchronize Endpoint Protection definition updates, use the following procedure.

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Sites.

  3. Select the site that contains your software update point. In the Settings group, click Configure Site Components, and then click Software Update Point.

  4. On the Classifications tab of the Software Update Point Component Properties dialog box, select the Definition Updates check box.

  5. On the Products tab of the Software Update Point Component Properties dialog box, select the Forefront Endpoint Protection 2010 check box.

  6. Click OK to close the Software Update Point Component Properties dialog box.

Use the following procedure to configure Endpoint Protection updates when your WSUS server is not integrated into your Configuration Manager environment.

  1. In the WSUS administration console, expand Computers, click Options, and then click Products and Classifications.

  2. On the Products tab of the Products and Classifications dialog box, select the Forefront Endpoint Protection 2010 check box.

  3. On the Classifications tab of the Products and Classifications dialog box, select the Definition Updates and Updates check boxes.

Endpoint Protection definition updates must be approved and downloaded to the WSUS server before they are offered to clients that request the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates.

  1. In the WSUS administration console, click Updates, and then click All Updates or the classification of updates that you want to approve.

  2. In the list of updates, right-click the update or updates you want to approve for installation, and then click Approve.

  3. In the Approve Updates dialog box, select the computer group for which you want to approve the updates, and then click Approved for Install.

In addition to manual approval, you can also set an automatic approval rule for definition updates and Endpoint Protection updates. This will configure WSUS to automatically approve Endpoint Protection definition updates downloaded by WSUS.

  1. In the WSUS administration console, click Options, and then click Automatic Approvals.

  2. On the Update Rules tab, click New Rule.

  3. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific classification check box.

  4. Under Step 2: Edit the properties, click any classification.

  5. Clear all check boxes except Definition Updates, and then click OK.

  6. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific product check box.

  7. Under Step 2: Edit the properties, click any product.

  8. Clear all check boxes except Forefront Endpoint Protection, and then click OK.

  9. Under Step 3: Specify a name, enter a name for the rule, and then click OK.

  10. In the Automatic Approvals dialog box, select the check box for the newly created rule and then click Run rule.

Note
To maximize performance on your WSUS server and client computers, decline old definition updates. To accomplish this task, you can configure automatic approval for revisions and automatic declining of expired updates. For more information, see Microsoft Knowledge Base article 938947.
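
The following PowerShell is an added example, not part of the original article. It checks on the WSUS server whether the approval procedures above are keeping up: it lists current Endpoint Protection definition updates that are still unapproved and counts superseded ones that have not been declined. The target group name is an assumption; the script uses the UpdateServices module that ships with Windows Server 2012 and later.

```powershell
# Added example, not from the original article. Run on the WSUS server;
# requires the UpdateServices module (Windows Server 2012 or later).
Import-Module UpdateServices

$product        = 'Forefront Endpoint Protection 2010'  # product selected in the procedures above
$classification = 'Definition Updates'
$targetGroup    = 'All Computers'                        # assumption: use your own computer group

# Every update that has not been declined, narrowed to Endpoint Protection definitions.
$definitions = Get-WsusUpdate -Classification All -Approval AnyExceptDeclined -Status Any |
    Where-Object {
        $_.Update.UpdateClassificationTitle -eq $classification -and
        $_.Update.ProductTitles -contains $product
    }

# Current definitions that no approval (manual or automatic) has picked up yet.
$pending = @($definitions | Where-Object {
    -not $_.Update.IsApproved -and -not $_.Update.IsSuperseded
})

# Superseded definitions that are still not declined (the clean-up the note describes).
$stale = @($definitions | Where-Object { $_.Update.IsSuperseded })

"Pending approval: $($pending.Count)   Superseded, not declined: $($stale.Count)"

$pending | ForEach-Object { $_.Update } |
    Sort-Object CreationDate -Descending |
    Select-Object Title, CreationDate |
    Format-Table -AutoSize

# Preview the approval for the target group; remove -WhatIf to apply it.
$pending | Approve-WsusUpdate -Action Install -TargetGroupName $targetGroup -WhatIf
```

A pending count that stays above zero after a synchronization suggests that the automatic approval rule is not matching the classification or product.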

When you select to download definition updates from Microsoft Update, clients will check the Microsoft Update site at the interval defined in the Definition updates section of the antimalware policy dialog box.

This method can be useful when the client does not have connectivity to the Configuration Manager site or when you want users to be able to initiate definition updates.

Important
Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.

You can configure clients to download definition updates from the Microsoft Malware Protection Center. This option is used by Endpoint Protection clients to download definition updates if they have not been able to download updates from another source. This update method can be useful if there is a problem with your Configuration Manager infrastructure that prevents the delivery of updates.

Important
Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.

You can manually download the latest definition updates from Microsoft and then configure clients to download these definitions from a shared folder on the network. Users can also initiate definition updates when you use this update source.

Note
Clients must have read access to the shared folder to be able to download definition updates.

For more information about how to download the definition and engine updates to store on the file share, see Install the latest Microsoft Forefront Security definition updates.

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.

  3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For more information about how to create antimalware policies, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

  4. In the Definition updates section of the antimalware properties dialog box, click Set Source.

  5. In the Configure Definition Update Sources dialog box, select Updates from UNC file shares.

  6. Click OK to close the Configure Definition Update Sources dialog box.

  7. Click Set Paths. Then, in the Configure Definition Update UNC Paths dialog box, add one or more UNC paths to the location of the definition updates files on a network share.

  8. Click OK to close the Configure Definition Update UNC Paths dialog box.
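
Clients only need read access to the definition share, so it is worth confirming that nothing broader has been granted. The following PowerShell is an added example, not part of the original article; the UNC path and the list of accounts allowed to write to the folder are assumptions to replace with your own values.

```powershell
# Added example, not from the original article.
$sharePath      = '\\fileserver.example.com\EPDefinitions'   # hypothetical UNC path
$trustedWriters = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'  # assumption

# Specific rights that allow changing or replacing files in the folder.
$writeBits = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

# ACEs can also carry raw generic rights that the enum does not name:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$genericBits = 0x40000000 -bor 0x10000000

$acl = Get-Acl -LiteralPath $sharePath

# Allow entries that give a non-trusted account any write-type right.
$writable = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trustedWriters -notcontains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights) -band ($writeBits -bor $genericBits)) -ne 0
})

if ($writable.Count -eq 0) {
    "OK: only trusted accounts can modify $sharePath"
} else {
    "Review: accounts other than the trusted writers can modify ${sharePath}:"
    $writable | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Get-Acl reads the NTFS permissions only; share-level permissions are set separately on the file server and can be reviewed there, for example with Get-SmbShareAccess.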

-----
For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.
-----