How to Configure Definition Updates for Endpoint Protection in Configuration Manager


Updated: September 14, 2015

Applies To: System Center 2012 R2 Endpoint Protection, System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 Endpoint Protection SP1, System Center 2012 Endpoint Protection, System Center 2012 R2 Configuration Manager SP1

With Endpoint Protection in Microsoft System Center 2012 Configuration Manager, you can use any of several available methods to keep antimalware definitions up to date on client computers in your hierarchy. The information in this topic can help you to select and configure these methods.

To update antimalware definitions, you can use one or more of the following methods:

  • Updates distributed from Configuration Manager – This method uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy.

  • Updates distributed from Windows Server Update Services (WSUS) – This method uses your WSUS infrastructure to deliver definition and engine updates to computers.

  • Updates distributed from Microsoft Update – This method allows computers to connect directly to Microsoft Update in order to download definition and engine updates. This method can be useful for computers that are not often connected to the business network.

  • Updates distributed from Microsoft Malware Protection Center – This method will download definition updates from the Microsoft Malware Protection Center.

  • Updates from UNC file shares – With this method, you can save the latest definition and engine updates to a share on the network. Clients can then access the network to install the updates.

You can configure multiple definition update sources and control the order in which they are assessed and applied. This is done in the Configure Definition Update Sources dialog box when you create an antimalware policy.

Important

If you manage Windows 10 Technical Preview computers, then you must configure Endpoint Protection to update malware definitions for Windows Defender.

How to Configure Definition Update Sources

Use the following procedure to configure the definition update sources to use for each antimalware policy.

To configure definition update sources

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.

  3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For more information about how to create antimalware policies, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

  4. In the Definition updates section of the antimalware properties dialog box, click Set Source.

  5. In the Configure Definition Update Sources dialog box, select the sources to use for definition updates. You can click Up or Down to modify the order in which these sources are used.

  6. Click OK to close the Configure Definition Update Sources dialog box.

Using Configuration Manager Software Updates to Deliver Definition Updates

You can configure Configuration Manager software updates to deliver definition updates to client computers. This is done by configuring automatic deployment rules. Before you begin to create automatic deployment rules, make sure that you have configured Configuration Manager software updates. For more information, see Software Updates in Configuration Manager.

Note

This procedure is only for the items that must be specifically configured for Endpoint Protection. For more information about the Create Automatic Deployment Rule Wizard, see Operations and Maintenance for Software Updates in Configuration Manager.

To configure an automatic deployment rule to deliver definition updates

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Software Updates, and then click Automatic Deployment Rules.

  3. On the Home tab, in the Create group, click Create Automatic Deployment Rule.

  4. On the General page of the Create Automatic Deployment Rule Wizard, specify the following information:

    - Name: Enter a unique name for the automatic deployment rule.

    - Collection: Select the collection of client computers to which you want to deploy definition updates.

      Note

      You cannot deploy definition updates to a collection of users.

  5. Click Add to an existing Software Update Group.

  6. Make sure that the Enable the deployment after this rule is run check box is selected, and then click Next.

  7. On the Deployment Settings page of the wizard, in the Detail level list, select Minimal, and then click Next.

    Note

    From the Detail level list, select Minimal (Configuration Manager with no Service Pack) or Only error messages (Configuration Manager SP1). This will reduce the number of state messages returned by definition deployment. This configuration helps reduce the CPU processing usage on the Configuration Manager servers.

  8. In the Property filters list, select the Update Classification check box.

  9. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify the value to search for list, select Definition Updates.

  10. Click OK to close the Search Criteria dialog box.

  11. In the Property filters list, select the Product check box.

  12. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify the value to search for list, select Forefront Endpoint Protection 2010 for Windows 8.1 and earlier or Windows Defender for Windows 10 and later.

  13. Click OK to close the Search Criteria dialog box, and then click Next.

  14. In the Property filters list, select the Superseded check box.

  15. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify the value to search for list, select No.

  16. Click OK to close the Search Criteria dialog box, and then click Next.

  17. On the Evaluation Schedule page of the wizard, select Enable rule to run on a schedule, and then configure the schedule by which to download definition updates. At a minimum, set the rule to run two hours after each software update point synchronization. Click Next.

    Important

    For performance reasons, in Configuration Manager with no Service Pack, do not schedule automatic deployment rules to deliver definition updates more than once each day. In Configuration Manager SP1, do not schedule automatic deployment rules to deliver definition updates more than three times a day.

  18. On the Deployment Schedule page of the wizard, configure the following settings:

    • Time based on: Select UTC if you want all clients in the hierarchy to install the latest definitions at the same time. The actual installation time will vary within a two-hour window. This setting is a recommended best practice.

    • Software available time: Specify the available time for the deployment that is created by this rule. The specified time must be at least one hour after the automatic deployment rule runs. This helps to ensure that the content has sufficient time to replicate to the distribution points in your hierarchy. Some definition updates might also include antimalware engine updates, which might take longer to reach distribution points.

    • Installation deadline: Select As soon as possible.

      Note

      Software update deadlines are varied over a two-hour period to prevent all clients from requesting an update at the same time.

  19. Click Next.

  20. On the User Experience page of the wizard, in the User notifications list, select Hide in Software Center and all notifications. This ensures that the definition updates install silently. Click Next.

  21. On the Alerts page of the wizard, you do not have to configure any alerts. Endpoint Protection in Configuration Manager generates any alerts that might be required. Click Next.

  22. On the Download Settings page of the wizard, select the necessary software updates download behavior, and then click Next.

  23. On the Deployment Package page of the wizard, select an existing deployment package or create a new deployment package to contain the software update files associated with the rule.

    Note

    Consider placing definition updates in a package that does not contain other software updates. This strategy keeps the size of the definition update package smaller, which allows it to replicate to distribution points more quickly.

  24. On the Distribution Points page of the wizard, select one or more distribution points to which the content for this package will be copied, and then click Next.

  25. On the Download Location page of the wizard, select Download software updates from the Internet, and then click Next.

  26. On the Language Selection page of the wizard, select each language version of the updates to be downloaded, and then click Next.

  27. Complete the Create Automatic Deployment Rule Wizard.

  28. Verify that the new rule is displayed in the Automatic Deployment Rules node of the Configuration Manager console.
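The wizard steps above, expressed as an added PowerShell example that is not part of the original article. It assumes the ConfigurationManager module that ships with the console, that the named deployment package already exists, and that the cmdlet parameter names match your Configuration Manager version (check with Get-Help New-CMSoftwareUpdateAutoDeploymentRule); the site code, collection and package names are placeholders.

```powershell
# Added example, not from the original article: creates the definition-update ADR
# that steps 4 to 28 above build in the wizard, using the ConfigurationManager
# PowerShell module installed with the console. Site code, collection and package
# names are placeholders; the deployment package is assumed to already exist.
param(
    [string]$SiteCode       = 'P01',                             # placeholder site code
    [string]$CollectionName = 'All Desktop and Server Clients',  # placeholder device collection (not a user collection)
    [string]$PackageName    = 'Endpoint Protection Definitions'  # dedicated package, as the Note in step 23 suggests
)

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

# Step 17: run on a schedule. Every 8 hours stays within the SP1 limit of three runs a day.
$schedule = New-CMSchedule -Start (Get-Date) -RecurInterval Hours -RecurCount 8

$adr = @{
    Name                             = 'Endpoint Protection Definition Updates'
    CollectionName                   = $CollectionName
    AddToExistingSoftwareUpdateGroup = $true                     # step 5
    EnabledAfterCreate               = $true                     # step 6
    VerboseLevel                     = 'OnlyErrorMessages'       # step 7, Detail level
    UpdateClassification             = 'Definition Updates'      # steps 8-10
    Product                          = 'Forefront Endpoint Protection 2010', 'Windows Defender'  # steps 11-13
    Superseded                       = $false                    # steps 14-16
    RunType                          = 'RunTheRuleOnSchedule'    # step 17
    Schedule                         = $schedule
    UseUtc                           = $true                     # step 18, Time based on UTC
    AvailableImmediately             = $false
    AvailableTime                    = 1                         # step 18, at least one hour after the rule runs
    AvailableTimeUnit                = 'Hours'
    DeadlineImmediately              = $true                     # step 18, As soon as possible
    UserNotification                 = 'HideAll'                 # step 20, silent install
    DeploymentPackageName            = $PackageName              # step 23
    DownloadFromInternet             = $true                     # step 25
    Language                         = 'English'                 # step 26
}
New-CMSoftwareUpdateAutoDeploymentRule @adr

# Step 28: confirm the rule exists and is enabled.
Get-CMSoftwareUpdateAutoDeploymentRule -Name $adr.Name | Format-List Name, AutoDeploymentEnabled
```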

Using Windows Server Update Services (WSUS) to Deliver Definitions

If you use WSUS to keep your antimalware definitions up to date, you can configure it to auto-approve definition updates. Although using Configuration Manager software updates is the recommended method to keep definitions up to date, you can also configure WSUS as a method to allow users to manually initiate definition updates. Use the following procedures to configure WSUS as a definition update source.

Configuring Update Synchronization

To configure Configuration Manager software updates to synchronize Endpoint Protection definition updates, use the following procedure.

To synchronize Endpoint Protection definition updates in Configuration Manager

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Sites.

  3. Select the site that contains your software update point. In the Settings group, click Configure Site Components, and then click Software Update Point.

  4. On the Classifications tab of the Software Update Point Component Properties dialog box, select the Definition Updates check box.

  5. Specify the Products updated with WSUS:

    - For Windows 8.1 and earlier, on the Products tab of the Software Update Point Component Properties dialog box, select the Forefront Endpoint Protection 2010 check box.

    - For Windows 10 and later, on the Products tab of the Software Update Point Component Properties dialog box, select the Windows Defender and Windows Technical Preview 2 check boxes.

  6. Click OK to close the Software Update Point Component Properties dialog box.

Use the following procedure to configure Endpoint Protection updates when your WSUS server is not integrated into your Configuration Manager environment.

To synchronize Endpoint Protection definition updates in standalone WSUS

  1. In the WSUS administration console, expand Computers, click Options, and then click Products and Classifications.

  2. Specify the Products updated with WSUS:

    - For Windows 8.1 and earlier, on the Products tab of the Products and Classifications dialog box, select the Forefront Endpoint Protection 2010 check box.

    - For Windows 10 and later, on the Products tab of the Products and Classifications dialog box, select the Windows Defender and Windows Technical Preview 2 check boxes.

  3. On the Classifications tab of the Products and Classifications dialog box, select the Definition Updates and Updates check boxes.

Approving Definition Updates

Endpoint Protection definition updates must be approved and downloaded to the WSUS server before they are offered to clients that request the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates.

To approve definitions and updates in WSUS

  1. In the WSUS administration console, click Updates, and then click All Updates or the classification of updates that you want to approve.

  2. In the list of updates, right-click the update or updates you want to approve for installation, and then click Approve.

  3. In the Approve Updates dialog box, select the computer group for which you want to approve the updates, and then click Approved for Install.

In addition to manual approval, you can also set an automatic approval rule for definition updates and Endpoint Protection updates. This will configure WSUS to automatically approve Endpoint Protection definition updates downloaded by WSUS.

To configure an automatic approval rule

  1. In the WSUS administration console, click Options, and then click Automatic Approvals.

  2. On the Update Rules tab, click New Rule.

  3. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific classification check box.

  4. Under Step 2: Edit the properties, click any classification.

  5. Clear all check boxes except Definition Updates, and then click OK.

  6. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific product check box.

  7. Under Step 2: Edit the properties, click any product.

  8. Clear all check boxes except Forefront Endpoint Protection for Windows 8.1 and earlier or Windows Defender for Windows 10 and later, and then click OK.

  9. Under Step 3: Specify a name, enter a name for the rule, and then click OK.

  10. In the Automatic Approvals dialog box, select the check box for the newly created rule and then click Run rule.

Note

To maximize performance on your WSUS server and client computers, decline old definition updates. To accomplish this task, you can configure automatic approval for revisions and automatic declining of expired updates. For more information, see Microsoft Knowledge Base article 938947.
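The two WSUS procedures above (approving definitions for a target group, and declining old definitions as the Note recommends) as an added PowerShell example that is not part of the original article. It uses the WSUS administration .NET API and assumes it runs on the standalone WSUS server with the console installed; the target group name is a placeholder, and nothing is changed unless -Approve or -DeclineSuperseded is passed.

```powershell
# Added example, not from the original article: reports Endpoint Protection definition
# updates on a standalone WSUS server, approves the unapproved ones for a target group
# on request, and declines superseded ones on request (see the Note above).
# Assumes the WSUS console is installed locally; $TargetGroup is a placeholder.
param(
    [string]$TargetGroup = 'All Computers',   # placeholder WSUS computer target group
    [switch]$Approve,                          # approve unapproved definitions for install
    [switch]$DeclineSuperseded                 # decline definitions that are superseded
)
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroup }
if (-not $group) { throw "Target group '$TargetGroup' not found" }

# Products this article names: FEP 2010 (Windows 8.1 and earlier), Windows Defender (Windows 10).
$products = 'Forefront Endpoint Protection 2010', 'Windows Defender'

# Scope the query to the Definition Updates classification, then filter by product.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Definition Updates' } |
    ForEach-Object { [void]$scope.Classifications.Add($_) }
$definitions = $wsus.GetUpdates($scope) | Where-Object {
    $u = $_; ($products | Where-Object { $u.ProductTitles -contains $_ }).Count -gt 0
}

foreach ($u in $definitions) {
    if ($u.IsDeclined) { continue }
    if ($u.IsSuperseded) {
        # Old definitions: decline so clients and the server stop evaluating them.
        if ($DeclineSuperseded) { $u.Decline(); Write-Output "Declined: $($u.Title)" }
        else { Write-Output "Superseded (not declined): $($u.Title)" }
        continue
    }
    if (-not $u.IsApproved) {
        # Current definitions are only offered to clients once approved for install.
        if ($Approve) {
            [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
            Write-Output "Approved for install in '$TargetGroup': $($u.Title)"
        } else { Write-Output "Unapproved: $($u.Title)" }
    }
}
```

Run it without switches first to see what would change; approvals made here are equivalent to the Approved for Install action in the console.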

Using Microsoft Update to Download Definitions

When you select to download definition updates from Microsoft Update, clients will check the Microsoft Update site at the interval defined in the Definition updates section of the antimalware policy dialog box.

This method can be useful when the client does not have connectivity to the Configuration Manager site or when you want users to be able to initiate definition updates.

Important

Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.

Using the Microsoft Malware Protection Center to Download Definitions

You can configure clients to download definition updates from the Microsoft Malware Protection Center. This option is used by Endpoint Protection clients to download definition updates if they have not been able to download updates from another source. This update method can be useful if there is a problem with your Configuration Manager infrastructure that prevents the delivery of updates.

Important

Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.

Downloading Definitions from a Share on the Network

You can manually download the latest definition updates from Microsoft and then configure clients to download these definitions from a shared folder on the network. Users can also initiate definition updates when you use this update source.

Note

Clients must have read access to the shared folder to be able to download definition updates.

For more information about how to download the definition and engine updates to store on the file share, see Install the latest Microsoft Forefront Security definition updates.

To configure definition downloads from a file share

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.

  3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For more information about how to create antimalware policies, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

  4. In the Definition updates section of the antimalware properties dialog box, click Set Source.

  5. In the Configure Definition Update Sources dialog box, select Updates from UNC file shares.

  6. Click OK to close the Configure Definition Update Sources dialog box.

  7. Click Set Paths. Then, in the Configure Definition Update UNC Paths dialog box, add one or more UNC paths to the location of the definition updates files on a network share.

  8. Click OK to close the Configure Definition Update UNC Paths dialog box.
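Whichever sources the policy selects, the client is where the result shows. As an added check that is not part of the original article, the following PowerShell script, run on a managed client, reads the signature state that Endpoint Protection (Windows 8.1 and earlier) or Windows Defender (Windows 10) keeps in the registry, flags stale definitions, shows the source order and UNC paths the policy applied, and tests read access to each UNC path as the Note above requires. The registry value names and the 24-hour threshold are assumptions, not from the article.

```powershell
# Added example, not from the original article: verify on a client that definition
# sources from the antimalware policy applied and that definitions are current.
# Assumes the Signature Updates value names below (SCEP and Windows Defender use the
# same names); $MaxAgeHours is a locally chosen threshold, not taken from the article.
param([int]$MaxAgeHours = 24)

# SCEP (Windows 8.1 and earlier) and Windows Defender (Windows 10) keep signature
# state under different keys; use whichever one exists on this computer.
$keys = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
$key = $keys | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { throw 'No Endpoint Protection or Windows Defender signature key found' }
$sig = Get-ItemProperty -Path $key

# SignaturesLastUpdated is stored as a REG_BINARY FILETIME (8 bytes, little-endian).
$lastUpdated = [datetime]::FromFileTimeUtc([BitConverter]::ToInt64($sig.SignaturesLastUpdated, 0))
$ageHours    = [math]::Round(((Get-Date).ToUniversalTime() - $lastUpdated).TotalHours, 1)

[pscustomobject]@{
    Engine         = $sig.EngineVersion
    AVSignature    = $sig.AVSignatureVersion
    ASSignature    = $sig.ASSignatureVersion
    LastUpdatedUtc = $lastUpdated
    AgeHours       = $ageHours
    Stale          = $ageHours -gt $MaxAgeHours
    FallbackOrder  = $sig.FallbackOrder                      # source order set by the policy (assumed value name)
    UncSources     = $sig.DefinitionUpdateFileSharesSources  # paths from Set Paths (assumed value name, pipe-separated)
}

# Clients need read access to every UNC path configured in step 7; report any that fail.
if ($sig.DefinitionUpdateFileSharesSources) {
    foreach ($share in $sig.DefinitionUpdateFileSharesSources -split '\|') {
        $state = if (Test-Path -Path $share) { 'readable' } else { 'NOT readable' }
        Write-Output ("UNC source {0}: {1}" -f $share, $state)
    }
}
```

Run it under the account the client service uses (normally SYSTEM) so the share access test reflects what the client itself can read.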