Enable Endpoint Protection malware definitions to download from WSUS for Configuration Manager

Applies to: Configuration Manager (current branch)

If you use WSUS to keep your antimalware definitions up to date, you can configure it to auto-approve definition updates. Although using Configuration Manager software updates is the recommended method to keep definitions up to date, you can also configure WSUS as a method to allow users to manually update definitions. Use the following procedures to configure WSUS as a definition update source.

Synchronize definition updates for Configuration Manager

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and then select Sites.

  2. Select the site that contains your software update point. In the Settings group of the ribbon, select Configure Site Components, and then select Software Update Point.

  3. In the Software Update Point Component Properties window, switch to the Classifications tab. Select Definition Updates.

  4. To specify the Products updated with WSUS, switch to the Products tab.

    • For Windows 10 and later: Under Microsoft > Windows, select Microsoft Defender Antivirus.

    • For Windows 8.1 and earlier: Under Microsoft > Forefront, select System Center Endpoint Protection.

  5. Select OK to close the Software Update Point Component Properties window.

Approve definition updates

Endpoint Protection definition updates must be approved and downloaded to the WSUS server before they're offered to clients that request the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates.

Approve definitions and updates in WSUS

  1. In the WSUS administration console, select Updates. Then select All Updates or the classification of updates that you want to approve.

  2. In the list of updates, right-click the update or updates you want to approve for installation, and then select Approve.

  3. In the Approve Updates window, select the computer group for which you want to approve the updates, and then select Approved for Install.

Configure an automatic approval rule

You can also set an automatic approval rule for definition updates and Endpoint Protection updates. This action configures WSUS to automatically approve Endpoint Protection definition updates downloaded by WSUS.

  1. In the WSUS administration console, select Options, and then select Automatic Approvals.

  2. On the Update Rules tab, select New Rule.

  3. In the Add Rule window, under Step 1: Select properties, select the option: When an update is in a specific classification.

    1. Under Step 2: Edit the properties, select any classification.

    2. Clear all options except Definition Updates, and then select OK.

  4. In the Add Rule window, under Step 1: Select properties, select the option: When an update is in a specific product.

    1. Under Step 2: Edit the properties, select any product.

    2. Clear all options except the product that matches your clients: System Center Endpoint Protection (for Windows 8.1 and earlier) or Windows Defender (for Windows 10 and later). Then select OK.

  5. Under Step 3: Specify a name, enter a name for the rule, and then select OK.

  6. In the Automatic Approvals dialog box, select the newly created rule, and then select Run rule.
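The same rule can be created from PowerShell on the WSUS server. The following script is an added example, not part of the original procedure or Microsoft's own code; the rule name and the All Computers target group are assumptions, and the product titles are the ones named on this page, so adjust them to match what your WSUS server lists after synchronization.

```powershell
# Added example: scripts the automatic approval rule described in the steps above.
# Run in an elevated session on the WSUS server (UpdateServices module installed).
Import-Module UpdateServices

$ruleName      = 'Endpoint Protection definition updates'   # assumed rule name
$productTitles = 'System Center Endpoint Protection',
                 'Windows Defender',
                 'Microsoft Defender Antivirus'              # titles as named on this page
$groupName     = 'All Computers'                             # assumed target group

$wsus = Get-WsusServer

# Classification criterion: Definition Updates only.
$classifications = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -eq 'Definition Updates' } |
    ForEach-Object { [void]$classifications.Add($_) }

# Product criterion: only the antimalware products that are synchronized.
$products = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
$wsus.GetUpdateCategories() |
    Where-Object { $_.Type -eq 'Product' -and $productTitles -contains $_.Title } |
    ForEach-Object { [void]$products.Add($_) }

# Computer group the approvals apply to.
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq $groupName } |
    ForEach-Object { [void]$groups.Add($_) }

# Stop rather than save a rule whose scope is broader than intended.
if ($classifications.Count -eq 0 -or $products.Count -eq 0 -or $groups.Count -eq 0) {
    throw 'Classification, product or group not found. Synchronize WSUS and check the names.'
}

# Reuse the rule if it already exists so reruns don't create duplicates.
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }

$rule.SetUpdateClassifications($classifications)
$rule.SetCategories($products)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# Equivalent of selecting Run rule in the Automatic Approvals dialog box.
$approved = $rule.ApplyRule()
"{0} update(s) approved by rule '{1}'" -f @($approved).Count, $ruleName
```

After it runs, open Options > Automatic Approvals in the WSUS administration console and confirm that the rule lists only Definition Updates and the intended products.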

Note

To maximize performance on your WSUS server and client computers, decline old definition updates. To accomplish this task, you can configure automatic approval for revisions and automatic declining of expired updates. For more information, see Microsoft Support article 938947.