First published on CloudBlogs on Mar, 27 2014

Author: Minfang Lv , Software Development Engineer in Test, Configuration Manager Sustained Engineering

Updated 5/20/2014

Applies to: FEP 2010 SU1, SCEP 2012 SP1, SCEP 2012 R2

Starting April 8 th , Microsoft will release all anti-malware platform updates for Forefront Endpoint Protection (FEP) and System Center 2012 Endpoint Protection (SCEP) through Microsoft Update (MU). To deliver the latest anti-malware platform updates to enterprise customers in a timely fashion, these updates will be made available approximately three times per year. The platform update will be published as follows category: Critical Updates , product: Forefront Endpoint Protection 2010 . FEP/SCEP customers who are used to installing individual hotfixes to upgrade FEP/SCEP client computers with the latest platform updates now have a new option to apply important anti-malware platform updates more frequently.

The Configuration Manager team will still release standalone FEP/SCEP hotfixes for major anti-malware platform updates, or include these hotfixes in periodic cumulative updates.

When you deploy the anti-malware platform updates through MU (and the Configuration Manager Software Updates Management (SUM) feature) instead of hotfixes, MU leverages the Windows Update Agent to install the platform update instead of the Endpoint Protection Agent. So, you will lose inbox deployment status monitoring in the FEP/SCEP dashboard.

As a workaround, you can use the corresponding SUM compliance report to show the deployment status of the update:

Compliance 7 – Specific software update states <secondary> report in System Center Configuration Manager 2007;

Compliance 6 – Specific software update states <secondary> report in System Center 2012 Configuration Manager SP1/R2;

You may sometimes see the update deployment return error code 0x80070643. This error code could indicate that these computers are in a pending reboot state.

Anti-malware platform updates on MU will use special detection logic and applicability rules to make the anti-malware platform updates available only on computers with previous N-2 anti-malware platforms installed. For example, on April 8 th , anti-malware platform of version 4.5.x will be released on MU, and it will only be offered to computers where anti-malware platform version 4.3.x or 4.4.x is available. If a computer has FEP or SCEP client with version 4.1.x, it has to be upgraded to version 4.3.x first, then to the latest version (4.5.x). If a computer has FEP or SCEP client with version older than 4.1.x, because of the same N-2 rule, it has to be upgraded to 4.1.x first, then to 4.3.x, and then to the latest version (4.5.x). Required updates will be kept on MU to ensure that this upgrade process is available for computers running older versions of the Microsoft anti-malware platform.

Because of this, we recommend that you always install the Configuration Manager hotfix or cumulative updates that contain the latest anti-malware platform updates to re-set the baseline in Forefront Endpoint Protection 2010 Update Rollup 1 and Configuration Manager 2012 SP1/R2, even if you wish to use SUM as the primary deployment method for anti-malware platform updates. This is to ensure that any new Configuration Manager client installation will install the latest version of the anti-malware platform, or will reduce the number of upgrades required to get the client to the latest version of anti-malware platform update.

Note: If you use SUM and the FEP 2010 hotfix at the same time, you may see a computer placed in the "Out-Of-Date" collection or the "Deployment Pending" collection although it has already been upgraded to the latest update platform. In FEP 2010, the version of the anti-malware platform is determined by that of a specific component.  However the update package shipped on MU will not update that specific component, therefore you will get the incorrect version number of the anti-malware platform and the incorrect collection membership.  If you fall into this situation, you can only use the SUM compliance report mentioned above to check the deployment status of the platform update.

Update: The above issue has been addressed.  Please see http://support.microsoft.com/kb/2975384 for more details.

We recommend that you treat the anti-malware platform updates as you would other Configuration Manager updates, and follow your best practices for Configuration Manager update installation in your organization to pre-test it before deploying it to all client computers in your hierarchy.

-- Minfang Lv

Configuration Manager Resources

Documentation Library for System Center 2012 Configuration Manager

System Center 2012 Configuration Manager Forums

System Center 2012 Configuration Manager Survival Guide

System Center Configuration Manager Support

This posting is provided "AS IS" with no warranties and confers no rights.