Software Updates and Windows Server Update Services Definition Updates

Applies To: Forefront Endpoint Protection

When configuring your Forefront Endpoint Protection or FEP Security Management Pack deployment for WSUS-based definition updates, you must perform the following tasks:

  • Configure either the Software Updates area of Configuration Manager or your WSUS server to synchronize both updates and definition updates.

  • Approve the Endpoint Protection definitions in the WSUS administration console.

Configuring Update Synchronization

If you are using Forefront Endpoint Protection, you must configure Software Updates in Configuration Manager to synchronize the appropriate updates for the FEP client.

To synchronize FEP definition updates in Configuration Manager

  1. In the Configuration Manager Console, in the tree, expand Site Management, expand the site name, expand Site Settings, and then click Component Configuration.

  2. In the details pane, right-click Software Update Point Component, and then click Properties.

  3. On the Classifications tab, ensure that the Definition Updates check box and the Updates check box are selected.

  4. On the Products tab, ensure that the product Forefront Endpoint Protection 2010 check box is selected, and then click OK.

FEP client computers receive definition updates from a WSUS server. If you are using a WSUS server that is not integrated with Configuration Manager, you must configure the definition update synchronization in the WSUS administration console.

To synchronize FEP definition updates in WSUS

  1. Using an account that has local administrator user rights, log on to the computer running WSUS.

  2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.

  3. In the WSUS Administration console, in the tree, expand the Computers node, click Options, and then click Products and Classifications.

  4. In the Products and Classifications dialog box, on the Products tab, ensure that the product Forefront Endpoint Protection 2010 check box is selected.

  5. On the Classifications tab, ensure that the Definition Updates check box and Updates check box are selected, and then click OK.

Approving Updates

Updates for the FEP client must be approved before those updates are offered to clients requesting the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates. Updates are only offered to clients when they are approved for installation and when the WSUS server has completed the binary download.

To approve definitions and updates in WSUS

  1. Using an account that has local administrator user rights, log on to the computer running WSUS.

  2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.

  3. In the WSUS Administration console, click Updates, and then click All Updates or the classification of updates you want to approve.

  4. On the list of updates, right-click the update or updates you want to approve for installation, and then click Approve.

  5. In the Approve Updates dialog box, click the arrow next to the computer group for which you want to approve the updates, and then click Approved for Install.

You can also set an Automatic Approval rule for definition updates and FEP updates, which configures WSUS to automatically approve for install any definition updates or FEP updates downloaded by WSUS.

To configure an automatic approval rule

  1. In the WSUS Administration console, click Options, and then click Automatic Approvals.

  2. On the Update Rules tab, click New Rule.

  3. On the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific classification check box.

  4. Under Step 2: Edit the properties, click any classification.

  5. Clear all check boxes except Definition Updates, and then click OK.

  6. On the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific product check box.

  7. Under Step 2: Edit the properties, click any product.

  8. Clear all check boxes except Forefront Endpoint Protection, and then click OK.

  9. In the Step 3: Specify a name box, enter a name for the Forefront Endpoint Protection Definition Updates rule, and then click OK.

  10. In the Automatic Approvals dialog box, make sure that the check box for the newly created rule, Forefront Endpoint Protection 2010 Definition Updates, is selected, and then click Run rule.

Note

You should ensure you are declining older definition updates. Failing to do so may impact the performance of both your WSUS server and possibly your client computers. By configuring automatic approval for revisions and automatic declining of expired updates, you can accomplish this task. For more information, see Microsoft Knowledge Base article 938947 (https://go.microsoft.com/fwlink/?LinkId=204078).
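
The following read-only audit script is an added example, not part of the original Microsoft procedure. It checks the synchronization settings, the automatic approval rule, and the stale-definition condition described above through the WSUS administration API. It assumes it runs in an elevated PowerShell session on the WSUS server, and it uses the product and classification names exactly as they appear on this page.

```powershell
# Added example: read-only audit of the WSUS settings this page configures.
# Assumption: run elevated on the WSUS server, where the administration API is installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$sub  = $wsus.GetSubscription()

$product = 'Forefront Endpoint Protection 2010'   # product name as shown on this page
$classes = 'Definition Updates', 'Updates'        # classification names as shown on this page

# 1. Synchronization: the product and both classifications must be selected.
$syncProducts = @($sub.GetUpdateCategories() | ForEach-Object { $_.Title })
$syncClasses  = @($sub.GetUpdateClassifications() | ForEach-Object { $_.Title })
if ($syncProducts -notcontains $product) { Write-Warning "Product not synchronized: $product" }
foreach ($c in $classes) {
    if ($syncClasses -notcontains $c) { Write-Warning "Classification not synchronized: $c" }
}

# 2. Automatic approval: look for an enabled rule that covers Definition Updates.
$rules = @($wsus.GetInstallApprovalRules() | Where-Object {
    $_.Enabled -and
    (@($_.GetUpdateClassifications() | ForEach-Object { $_.Title }) -contains 'Definition Updates')
})
if ($rules.Count -eq 0) {
    Write-Warning 'No enabled automatic approval rule covers Definition Updates'
} else {
    $rules | ForEach-Object { "Approval rule covering definitions: $($_.Name)" }
}

# 3. Definition updates for the product: awaiting approval, and superseded but not declined.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$wsus.GetUpdateCategories() | Where-Object { $_.Title -eq $product } |
    ForEach-Object { [void]$scope.Categories.Add($_) }
$wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Definition Updates' } |
    ForEach-Object { [void]$scope.Classifications.Add($_) }

# An empty category filter would match every product, so only query when the product exists.
if ($scope.Categories.Count -gt 0 -and $scope.Classifications.Count -gt 0) {
    $defs    = @($wsus.GetUpdates($scope))
    $pending = @($defs | Where-Object { -not $_.IsApproved -and -not $_.IsDeclined -and -not $_.IsSuperseded })
    $stale   = @($defs | Where-Object { $_.IsSuperseded -and -not $_.IsDeclined })
    "Definition updates awaiting approval: $($pending.Count)"
    "Superseded definition updates not yet declined: $($stale.Count)"
    $pending | Sort-Object ArrivalDate -Descending | Select-Object -First 5 Title, ArrivalDate
} else {
    Write-Warning "Product or classification not present on this server; has it synchronized yet?"
}
```

A persistently non-zero count of superseded definitions that are not declined indicates the condition the Note above warns about.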