Enable Endpoint Protection malware definitions to download from WSUS for Configuration Manager

Applies to: Configuration Manager (current branch)

If you use WSUS to keep your antimalware definitions up to date, you can configure it to auto-approve definition updates. Although using Configuration Manager software updates is the recommended method to keep definitions up to date, you can also configure WSUS as a method to allow users to manually update definitions. Use the following procedures to configure WSUS as a definition update source.

Synchronize definition updates for Configuration Manager

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and then select Sites.

  2. Select the site that contains your software update point. In the Settings group of the ribbon, select Configure Site Components, and then select Software Update Point.

  3. In the Software Update Point Component Properties window, switch to the Classifications tab. Select Definition Updates.

  4. To specify the products updated with WSUS, switch to the Products tab.

    • For Windows 10 and later: Under Microsoft > Windows, select Windows Defender.

    • For Windows 8.1 and earlier: Under Microsoft > Forefront, select System Center Endpoint Protection.

  5. Select OK to close the Software Update Point Component Properties window.

Synchronize definition updates for standalone WSUS

Use the following procedure to configure Endpoint Protection updates when your WSUS server isn't integrated into your Configuration Manager environment.

  1. In the WSUS administration console, expand Computers, select Options, and then select Products and Classifications.

  2. To specify the products updated with WSUS, switch to the Products tab.

    • For Windows 10 and later: Under Microsoft > Windows, select Windows Defender.

    • For Windows 8.1 and earlier: Under Microsoft > Forefront, select System Center Endpoint Protection.

  3. Switch to the Classifications tab. Select Definition Updates and Updates.
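The same product and classification selection can be scripted on a standalone WSUS server. This is an added example, not part of the original Microsoft procedure; it assumes an elevated session on the WSUS server with the UpdateServices module installed, and that the catalog titles match the names shown in the console.

```powershell
# Added example: select the Endpoint Protection products and classifications
# on a standalone WSUS server, then read the subscription back to confirm.
Import-Module UpdateServices
$wsus = Get-WsusServer            # connects to the local WSUS server

# Titles as they appear on the Products tab (assumed to match the catalog).
$products = 'Windows Defender', 'System Center Endpoint Protection'
# Titles as they appear on the Classifications tab.
$classifications = 'Definition Updates', 'Updates'

# Enable only the matching products; others already selected are left untouched.
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -in $products } |
    Set-WsusProduct

Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -in $classifications } |
    Set-WsusClassification

# Read back what the next synchronization will actually request.
$subscription = $wsus.GetSubscription()
'Products selected:'
$subscription.GetUpdateCategories()      | Sort-Object Title | ForEach-Object { "  $($_.Title)" }
'Classifications selected:'
$subscription.GetUpdateClassifications() | Sort-Object Title | ForEach-Object { "  $($_.Title)" }
```

The product list is only populated after the server has completed its first synchronization, so an empty result from Get-WsusProduct means the catalog has not been downloaded yet.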

Approve definition updates

Endpoint Protection definition updates must be approved and downloaded to the WSUS server before they're offered to clients that request the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates.

Approve definitions and updates in WSUS

  1. In the WSUS administration console, select Updates. Then select All Updates or the classification of updates that you want to approve.

  2. In the list of updates, right-click the update or updates you want to approve for installation, and then select Approve.

  3. In the Approve Updates window, select the computer group for which you want to approve the updates, and then select Approved for Install.

Configure an automatic approval rule

You can also set an automatic approval rule for definition updates and Endpoint Protection updates. This action configures WSUS to automatically approve Endpoint Protection definition updates downloaded by WSUS.

  1. In the WSUS administration console, select Options, and then select Automatic Approvals.

  2. On the Update Rules tab, select New Rule.

  3. In the Add Rule window, under Step 1: Select properties, select the option: When an update is in a specific classification.

    1. Under Step 2: Edit the properties, select any classification.

    2. Clear all options except Definition Updates, and then select OK.

  4. In the Add Rule window, under Step 1: Select properties, select the option: When an update is in a specific product.

    1. Under Step 2: Edit the properties, select any product.

    2. Clear all options except System Center Endpoint Protection for Windows 8.1 and earlier or Windows Defender for Windows 10 and later. Then select OK.

  5. Under Step 3: Specify a name, enter a name for the rule, and then select OK.

  6. In the Automatic Approvals dialog box, select the newly created rule, and then select Run rule.
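The rule built in the steps above can also be created through the WSUS administration API. This is an added example, not part of the original Microsoft procedure; the rule name is hypothetical, and the built-in All Computers group is assumed as the target because the steps above do not name one.

```powershell
# Added example: create an auto-approval rule scoped to definition updates
# for the Endpoint Protection products only, then run it once.
Import-Module UpdateServices
$wsus     = Get-WsusServer
$ruleName = 'Endpoint Protection definitions (example)'   # hypothetical name

# Classification condition: Definition Updates only.
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object Title -eq 'Definition Updates' |
    ForEach-Object { [void]$classes.Add($_) }

# Product condition: titles as shown in the console (assumed to match the catalog).
$products = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
$wsus.GetUpdateCategories() |
    Where-Object { $_.Title -in 'Windows Defender', 'System Center Endpoint Protection' } |
    ForEach-Object { [void]$products.Add($_) }

# Stop rather than save a rule that is missing one of its two conditions.
if ($classes.Count -eq 0 -or $products.Count -eq 0) {
    throw 'Classification or product not found; synchronize the catalog first.'
}

# Target group: built-in All Computers (assumption).
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$wsus.GetComputerTargetGroups() |
    Where-Object Name -eq 'All Computers' |
    ForEach-Object { [void]$groups.Add($_) }

# Reuse the rule if it already exists so repeated runs do not create duplicates.
$rule = $wsus.GetInstallApprovalRules() | Where-Object Name -eq $ruleName | Select-Object -First 1
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }

$rule.SetUpdateClassifications($classes)
$rule.SetCategories($products)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# Equivalent of "Run rule": approve matching updates that are already downloaded.
$approved = $rule.ApplyRule()
"Rule '$ruleName' approved $(@($approved).Count) update(s)."
```

Keeping both conditions on the rule limits automatic approval to antimalware definitions; any other update class still requires a manual approval decision.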

Note

To maximize performance on your WSUS server and client computers, decline old definition updates. To accomplish this task, you can configure automatic approval for revisions and automatic declining of expired updates. For more information, see Microsoft Support article 938947.