First published on TechNet on Jul 18, 2016
Hi everyone, my name is Nicholas Jones, Premier Field Engineer with Microsoft, specializing in System Center Configuration Manager. For my first blog, I want to introduce you to updating System Center Endpoint Protection (SCEP) definition updates. Huge thanks to my colleague Jeramy Skidmore, Sr. Escalation Engineer, for helping me with this blog.
If your company has deployed or is planning to deploy SCEP, you will certainly have to plan to deploy definition updates. In my observations, the most common solution that administrators use is to create an Automatic Deployment Rule (ADR) (see below) and let it run on a schedule:
This will certainly get the updates deployed, but there is more to consider.
What happens if the CM Software Update Agent fails to install definitions? What happens if the end user forces an update by pressing the update button in the SCEP user interface? In these situations, we'll need to better understand the setting for definition update sources in the Antimalware Policy. If you're not familiar with this, navigate to Assets and Compliance, Endpoint Protection, Antimalware Policies. You could have quite a few Antimalware policies, but I'll be working with the default policy in my screenshots today.
At this point, those who are familiar with these settings may be ready to skip ahead. Please hang with me.
You've got a few options here, so let's discuss what they actually do.
When the SCEP client definitions become too far out of date, or if the end user clicks Update in the UI, the SCEP client looks for a FallBackOrder registry key in HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates. The SCEP client will check each update source in order until it locates a source that has available definitions. If none of the sources have definitions available, the SCEP client will return an error.
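To see which order a given client will actually walk, you can read that policy location directly. The script below is an added example, not part of the original post or of Configuration Manager; it assumes FallbackOrder is stored as a single string of source names separated by '|', and the function names and the sample value are hypothetical.

```powershell
# Added example: list the definition update sources in the order the SCEP client tries them.
# Assumption: FallbackOrder is one string of source names separated by '|'.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates'

function ConvertTo-SourceList {
    # Turn the raw FallbackOrder string into ordered objects (1 = tried first).
    param([string]$FallbackOrder)
    if ([string]::IsNullOrWhiteSpace($FallbackOrder)) { return }
    $priority = 0
    $FallbackOrder.Split('|') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |                      # ignore empty entries such as 'A||B'
        ForEach-Object {
            $priority++
            [pscustomobject]@{ Priority = $priority; Source = $_ }
        }
}

function Get-ScepFallbackOrder {
    # Read FallbackOrder from the policy key and report what is missing if it cannot be read.
    param([string]$Path = $PolicyKey)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Policy key not found: $Path (no antimalware policy applied?)"
        return
    }
    $props = Get-ItemProperty -LiteralPath $Path -Name FallbackOrder -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.FallbackOrder) {
        Write-Warning "FallbackOrder is not set under $Path"
        return
    }
    ConvertTo-SourceList -FallbackOrder $props.FallbackOrder
}

# Constructed sample value (placeholder source names), so the parsing can be checked anywhere.
ConvertTo-SourceList -FallbackOrder 'SourceA| SourceB ||SourceC' | Format-Table -AutoSize

# On a managed client: the order this machine will use.
Get-ScepFallbackOrder | Format-Table -AutoSize
```

A warning instead of a table means the client has no fallback order from policy, which is worth knowing before you rely on any source other than the ADR.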
I do hope this post helps you better understand the flow of SCEP definition updates. Please post any comments or questions and I'll respond when I can.