

anyweb

How can I deploy System Center 2012 Endpoint Protection Definition Updates from a UNC file share


Introduction

One of the user definable sources for Endpoint Protection definition updates is a UNC file share, but how you populate that share can mean success or failure when it comes to deploying definition updates from a UNC file share for System Center 2012 Endpoint Protection using System Center 2012 Configuration Manager SP1.


In addition to populating the share correctly, you also need to define your AntiMalware Policy UNC path source correctly, otherwise the definition updates will never be found.


In this post I’ll explain how you can set this up and how to verify it’s working.


Step 1. Create a Share and populate with folders

First of all on your chosen server create a folder called SCEP_UNC_DEFS and share it to Domain Users and Domain Computers.


Create-the-SCEP_UNC_DEFS-share.png


Beneath this folder create another folder called Updates with two sub folders for both architectures like so


SCEP-folders-within-the-share.png


Step 2. Populate the share with definition updates

Now that we’ve created our template folder structure we need to populate it with the actual definition updates for the respective architecture.


For x64, download the following files and place them in the X64 folder.



For x86, download the following files and place them in the X86 folder.



files-downloaded.png


Step 3. Create a new Antimalware Policy

In the Assets and Compliance workspace, expand Endpoint Protection, select Antimalware Policies, right click and choose Create AntiMalware Policy, give it a name like Custom SCEP UNC DEF policy and select Definition Updates from the available choices (you may of course add more sections but for the purpose of this post this is sufficient).


Definition-Updates.png


Click on Set Paths and enter the path to the Updates folder which is a sub directory of the SCEP_UNC_DEFS file share, click on Add when done.


eg: \\server\scep_unc_defs\updates


set-paths1.png


Next click on Set Source, make sure to select Updates from UNC Shares and use the UP button to bring this to the top choice (if you want it as the first option checked when more than one source is selected).


Updates-from-UNC-file-shares.png


Step 4. Create a collection to target the Antimalware Policy

Right click on Devices Collections, and choose create device collection, give it a suitable name like Endpoint Protection UNC_DEFS


create-device-collection.png


You can populate it however you want (queries or direct membership) and then move it to somewhere suitable if required.


Endpoint-Protection-UNC_Defs-collection.

Step 5. Change the Antimalware Policy priority

Right click on your new antimalware policy and choose Increase Priority. Make this the highest priority you can, as SP1 uses client side merge of AntiMalware policies and we want this source for definition updates to take priority on any computers in this collection.


increase-priority.png


Step 6. Deploy the Antimalware Policy

Right click on the AntiMalware Policy and choose Deploy


Deploy-Antimalware-Policy.png


Point it to the collection we created above.


target-collection.png


Step 7. Verify the UNC file share is being used

Now everything is in place to deploy definition updates via a UNC file share, but we need to prove that, don’t we? On a Windows client computer that you’ve added to the collection we created above, run the following Configuration Manager client action: Machine Policy Retrieval & Evaluation Cycle.


Machine-Policy-Retrieval-Evaluation-Cycl

This will ensure that our client has the latest Antimalware Policies targeted to it, including the one we created above. To verify that our policy is indeed targeted to this computer please see this post. You should see something similar to the following in the registry, depending on what Antimalware Policies are applied to this client; however, we are only interested in our Custom SCEP UNC Def policy and it is indeed listed below.


registry-verified.png


Do not proceed with the verification until your Windows client has our Custom SCEP_UNC_Def policy applied. Once done, open an Administrative command prompt and browse to the following folder C:\Program Files\Microsoft Security Client\ and execute the following command MpcmdRun.exe -SignatureUpdate as per below screenshot.


signature-update-finished.png


If all went well then you’ll see Signature Update Finished. Open the following log file for final verification, C:\Users\Administrator\AppData\Local\Temp\MpCmdRun.Log, and you should see search started (UNC Share) along with the following text: Update Completed Successfully. (hr: 0x00000000)


search-started-UNC-Share.png


You can open the SCEP client, click on the updates tab and review the Definition Update versions for further verification.


up-to-date.png

And there you have it, your SCEP client has updated its definition updates from your UNC file share as specified in your Custom Antimalware Policy, and you’ve proven the fact!


Troubleshooting Tip:

If you fail to get this to work and see the following error instead,


Error: Signature Update failed with hr=80070002


then verify you are pointing at the correct UNC File share directory as listed in my guide above then try again.


UNC-share-pointing-at-wrong-folder.png


Summary

System Center 2012 Configuration Manager SP1 is a powerful management solution and you can use custom antimalware policies to update Endpoint Protection via multiple or single sources, including UNC file shares. This ability gives great flexibility and control over how you want those definition updates deployed.


If you’d like to automate the download of those definition updates please review the following post.


until next time, from Seattle,


cheers


niall
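
A scripted version of the Step 7 check and the troubleshooting tip above, as an added example that is not part of the original post. The function names are hypothetical, the sample log lines are constructed from the strings quoted in the post, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
# Marker strings are the ones quoted in the post; function names are illustrative.

function Test-ScepUncLayout {
    # Checks the folder entered under "Set Paths" for the X64 and X86 sub folders.
    param([Parameter(Mandatory)][string]$UpdatesPath)
    foreach ($arch in 'X64', 'X86') {
        $dir   = Join-Path $UpdatesPath $arch
        $files = @(Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Folder    = $dir
            Exists    = Test-Path -Path $dir -PathType Container
            FileCount = $files.Count
        }
    }
}

function Get-ScepUpdateResult {
    # Reads MpCmdRun.log lines; the last result line in the input wins.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$LogLines)
    $usedUnc = $false
    $hr = $null
    foreach ($line in $LogLines) {
        if ($line -match 'search started \(UNC Share\)') { $usedUnc = $true }
        if ($line -match 'Update completed.*\(hr:\s*0x([0-9a-f]{8})\)') { $hr = $Matches[1].ToUpper() }
        if ($line -match 'Signature Update failed with hr=(?:0x)?([0-9a-f]{8})') { $hr = $Matches[1].ToUpper() }
    }
    if (-not $hr) { $hint = 'No update result logged; run MpCmdRun.exe -SignatureUpdate first.' }
    elseif ($hr -eq '00000000' -and $usedUnc) { $hint = 'Definitions were updated from the UNC share.' }
    elseif ($hr -eq '00000000') { $hint = 'Update succeeded without a UNC share search; check Set Source order.' }
    elseif ($hr -eq '80070002') { $hint = 'File not found: check that Set Paths points at the Updates folder.' }
    else { $hint = "Update failed with hr=0x$hr." }
    [pscustomobject]@{ UsedUncShare = $usedUnc; HResult = $hr; Hint = $hint }
}

# Constructed sample lines (not a real capture): a good run, then a bad path.
$good = 'Search Started (UNC Share)...', 'Update completed successfully. (hr: 0x00000000)'
$bad  = 'Search Started (UNC Share)...', 'Error: Signature Update failed with hr=80070002'
Get-ScepUpdateResult -LogLines $good
Get-ScepUpdateResult -LogLines $bad

# On a client, after Step 7 (server name is a placeholder, as in the post):
# Get-ScepUpdateResult -LogLines (Get-Content "$env:TEMP\MpCmdRun.log")
# Test-ScepUncLayout -UpdatesPath '\\server\scep_unc_defs\updates'
```

The log accumulates across runs, so pass only the lines from the most recent run if an older result should not count toward the UNC share check.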



Thanks for this post, it worked for me in my lab first time after over two weeks of poking around trying to get clients to install the updates. It's quite a nightmare to troubleshoot.
So I ask myself why did my setup not work?
I have a few years in the SCCM arena. Have my CM2012 SP1 lab up and running with most of the features functional but the Endpoint Protection UNC update had me beaten. It still does actually. Even though it works, I am not 100% sure why, nor why my setup would not work. I have quite a bit more digging to do on my original setup to see why all else worked apart from the EP update from UNC process (if the client was internet connected it updated from the web OK).
Firstly I had my updates set to UNC as the first and CM2012 SP1 as the second.
The post mentions to only use UNC – so I am OK with that.
What is more concerning to me is that the content for the folder in the post is nowhere else on my CM2012 server. It's not in my regular software update folder tree nor the folder I created for the Endpoint Protection Automatic Deployment Rule as per (I think) a TechNet guide. I read at the end of the post a note saying how to use a script to automate the deployment. So does this mean that I cannot use an Automated Deployment Rule to download and keep up to date? And are these components not part of the “normal” SCCM/Software updates/Endpoint Protection catalog?

 

Thank You



I haven't tried using an ADR to download these updates as they are targeted for UNC shares, so getting the updates via Configuration Manager is not part of this deal. We already know that getting updates via ADRs works fine; UNC based updates are a special case scenario.

 

the method of installing updates via a UNC share is (for example) to help install updates on servers that don't have an internet connection, so in that respect you could say that yes they are not part of normal Configuration Manager updates, and that is why you should use a script to automate the frequency and download of these updates (for UNC shares)

 

cheers

niall


Hi Niall, and thank you for your help, as always.

Maybe my question is silly, but as for the links you provided for definitions, how can I know the latest version signature?

Is there a link that shows me a list of all definitions (expired, latest, etc.) so I can start downloading them, or should I download the definitions you provided (which means this link is auto updated from Microsoft)? If this is the case, at what date and specific time should I do the download?

I did access this link http://www.microsoft.com/security/portal/definitions/adl.aspx , but it does not show the list for Endpoint Protection except visiting a link

BR


The links I provided are the same URLs used to automatically update definition updates from Microsoft, see here

 

 

if you want to get more details about when they are updated see this link


thank you Niall

 

 

I have already deployed EP to all workstations (auto deployment) in the organization, and after your subject I added the UNC feature to it also, and I created a shared folder on the CAS server.

Question:

I have about 15 distribution points (in 15 cities). If I create a shared folder on each distribution point, does the client take the update from its distribution point, or will it go to the CAS server to take it?


sorry for spelling the name wrong.

 

as for

should it be also downloaded always with the EP definition or it is one time downloading.

 

You may ask about the previous post regarding distribution points; in fact I am getting problems with the ADR. My success rate before was 95.5%, now it has gone down to 87%, and updating from the internet is blocked.

that's why i need to depend on sharing while we try to fix the issue of


the clients will get their updates from the sources in the order that you specify so if you specify only UNC shares then that's where they'll get them from,

is that enough info ?
