Saturday, 31 August 2013

Config Mgr 2012 Endpoint Protection: Definition Updates

Back to Endpoint Protection menu

Back to ConfigMgr 2012 menu

We previously installed the SCEP 2012 client on the devices in our test collection. Now we must ensure that the definition files remain up-to-date on these clients. We do this by integration with the software updates component of ConfigMgr.

We have already configured the Software Update Point to deliver Windows and Office software updates to our endpoints. We will now extend this functionality.

Navigate to Administration > Site Configuration > Sites.

Select your Site and click "Configure Site Components" on the ribbon above. Choose Software Update Point.

Navigate to the Classifications tab.

Choose Definition Updates.

Navigate to the Products tab and choose Forefront Endpoint Protection 2010 (the catalog has not yet been updated to be called SCEP 2012). Click Apply and OK to complete the configuration.

Now manually synchronise with the Microsoft catalog to download the latest definition files. Navigate to Software Library > Software Updates > All Software Updates.

Right click and choose "Synchronise Software Updates". Monitor the download using wsyncmgr.log.

See FEP 2010 chosen and sync starting.

See Definition updates being synchronised and process completing.

See Definition Updates now available in the console (filter by FEP 2012).

We will now create an Automatic Deployment Rule so that the definition updates can be downloaded and deployed automatically. We don't want to have to do this manually each week.

Navigate to Software Library > Software Updates > Automatic Deployment Rules

Right click and choose to "Create Automatic Deployment Rule"

The Create Automatic Deployment Rule Wizard starts. Enter a Name for the rule and then choose a collection (I have used my test collection). Leave the default "Add to an existing Software Update Group".
 Make sure that the "Enable the deployment after the rule is on" is checked. Click Next to continue.

Choose defaults and click Next to continue.

Add Property Filters - Product and Update Classification. Choose FEP 2010 and "Definition Updates or Updates". Click Next to continue.

Choose to run the rule after any SUP sync. Click Next to continue.

Choose "As soon as possible" as the deadline. We want the definition updates to be applied immediately. Click Next to continue.

Click Next.

Click Next.

Click Next.

Choose to create a new deployment package. The source folder must exist and be empty. Click Next to continue.

Choose DP and click Next.

Click Next.

Choose your language and click Next.

Review the summary and click Next to create the ADR.

The ADR has been created. Click Close to exit the wizard.

Note the User Experience configuration for the ADR - I want to see what's going on in my test.

The ADR is configured to run automatically after each scheduled synchronisation but let's run it now for the sake of testing. Right click the rule and choose "Run Now".

Click OK to the pop-up message and the rule is now running.

Monitor progress using the ruleengine.log file. See the rule starting.

See deployment package folder being populated.

Content being downloaded.

Software Update Group does not exist so the rule creates it.

See the Software Update Group.

and the contents of the SUG.

Navigate to Monitoring > Deployments

Look at the progress of the ADR.

Our test client has received the deployment.

Verify the "before and after" definition files on the client.


  1. Hi and thankyou for your guides

    I have installed config manager 2012 r2 as a primary site and successfully install the client and endpoint protectiion to client machines. I have created the sup and update endpoint def files ok. I have created the adr for deploying def updates.

    The issue i am having is with Endpoint clients receiving updates from both configuration manager and wsus. Updating from Windows updates works fine.

    Here is the info from mpcmdrun.log

    MpCmdRun: Command Line: "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" SignaturesUpdateService -ManagedUpdate
    Start Time: ‎Fri ‎Nov ‎08 ‎2013 14:35:34

    Start: Signatures Update Service
    Update Started
    Update failed with hr: 0x80070490
    Update completed with hr: 0x80070490
    End: Signatures Update Service
    MpCmdRun: End Time: ‎Fri ‎Nov ‎08 ‎2013 14:35:35

    Any help greatly appreciated


    1. If you are using ConfigMgr to update your clients then you should not be using WSUS as well. You should have a Group Policy in place that disables WSUS for these clients.

  2. HI Gerry and thanks for the response. Sorry in advance for my lack of knowledge i am new to sccm. I have set the wsus role as desciribed in your article and do not actually use the wsus console, i just have wsus checked as an update option for clients (which actually sounds like i dont need anyway)



  3. Hi Gerry,

    I am new to SCCM so pls help me. I have done everything as you have mentioned. Only issue or Question which i have is 1) If i have multiple collection (Department Wise) do i have to create multiple Automatic Deployment Rule for each collection. I dont want to use one Automatic Deployment Rule for All System Collection. Please suggest.

  4. The only reason you would different collections is if you were applying different anti-malware policies to each one. In this case, yes, you would need multiple ADRs.

  5. Hello Gerry.

    Thanks for the Amazing guide, but im having some issues with the configuration.

    After configuring the first step, and run the Sync Software Updates.
    I dont get any new records in the wsyncmgr.log

    To understand my Setup, i have a seperate WSUS and SCCM Server.
    I have removed the Forefront Selection af the WSUS, and followed your guide.

    Any help is highly appreciated!

    1. I dont get any new records in the wsyncmgr.log

      That would suggest that you have re-used an existing WSUS server. You shouldn't do that. You should install WSUS (local or remote, local is easier to manage) but not configure it. ConfigMgr will configure WSUS for you.

  6. Thanks for the info.

    Is the automatic endpoint deployment dependent on the "All Software Updates"?

    "Now manually synchronise with the Microsoft catalog to download the latest definition files. Navigate to Software Library > Software Updates > All Software Updates"

    Do I have to keep doing this to keep my Endpoint Updates current?

    1. No Christopher, this is just to force the first sync. It will happen automatically according to the Sync Schedule configured for your Software Update Point. I could wait until then but I'm impatient.

  7. Hello Gerry, your articles are always very helpful. I have been working on EP pilot and selected Config Mgr and Malware Protection center as the definition source in antimalware policy. We are not using WSUS and Windows update (Disabled by GP to prevent automatic patching). Please could you let me know if the laptops will get the updates automatically from Malware Protection Center or manually by clicking the Update button in SCEP client in case it is not connected to corporate LAN but connected to internet at home.

  8. Hi Gerry

    I have a problem with WSUS not working, and Antivirus is out of date for some machines.

  9. I also want to upgrade SCCM current branch from 1902 to version 2010