Author: Minfang Lv, Software Development Engineer in Test, Configuration Manager Sustained Engineering
Applies to: FEP 2010 SU1, SCEP 2012 SP1, SCEP 2012 R2
Starting April 8th, Microsoft will release all anti-malware platform updates for Forefront Endpoint Protection (FEP) and System Center 2012 Endpoint Protection (SCEP) through Microsoft Update (MU). To deliver the latest anti-malware platform updates to enterprise customers in a timely fashion, these updates will be made available approximately three times per year. The platform update will be published under the classification Critical Updates and the product Forefront Endpoint Protection 2010; both must be selected on your software update point for the update to synchronize. FEP/SCEP customers who are used to installing individual hotfixes to upgrade FEP/SCEP client computers with the latest platform updates now have a new option to apply important anti-malware platform updates more frequently.
The Configuration Manager team will still release standalone FEP/SCEP hotfixes for major anti-malware platform updates, or include these hotfixes in periodic cumulative updates.
When you deploy the anti-malware platform updates through MU (and the Configuration Manager Software Updates Management (SUM) feature) instead of hotfixes, the Windows Update Agent installs the platform update rather than the Endpoint Protection agent. As a result, the built-in deployment status monitoring in the FEP/SCEP dashboard does not track these updates.
As a workaround, you can use the corresponding SUM compliance report to show the deployment status of the update:
Compliance 7 - Specific software update states (secondary) report in System Center Configuration Manager 2007;
Compliance 6 - Specific software update states (secondary) report in System Center 2012 Configuration Manager SP1/R2;
You may sometimes see the update deployment return error code 0x80070643. This error code can indicate that the computer is in a pending reboot state rather than that the installation failed; restart the computer and let the deployment re-evaluate before treating it as a failed install.
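The server-side report shows fleet-wide compliance; on an individual client that has returned 0x80070643, the quickest triage is to read the update's state from the Configuration Manager client SDK and ask the client whether it is waiting for a restart. The script below is an added example and is not code from the original post. It assumes a System Center 2012 Configuration Manager client (the root\ccm\ClientSDK namespace), an elevated PowerShell session, and that the MU update title contains "Endpoint Protection"; if your catalog title differs, pass the KB number with -ArticleID instead.

```powershell
# Added example, not code from the original post.
# Assumptions: ConfigMgr 2012 client with root\ccm\ClientSDK present, elevated shell,
# and an update title matching '*Endpoint Protection*' (override with -ArticleID).

# EvaluationState values as documented for the CCM_SoftwareUpdate client SDK class.
$EvalStates = @{
    0 = 'None'; 1 = 'Available'; 2 = 'Submitted'; 3 = 'Detecting'; 4 = 'PreDownload'
    5 = 'Downloading'; 6 = 'WaitInstall'; 7 = 'Installing'; 8 = 'PendingSoftReboot'
    9 = 'PendingHardReboot'; 10 = 'WaitReboot'; 11 = 'Verifying'; 12 = 'InstallComplete'
    13 = 'Error'; 14 = 'WaitServiceWindow'; 15 = 'WaitUserLogon'; 16 = 'WaitUserLogoff'
    17 = 'WaitJobUserLogon'; 18 = 'WaitUserReconnect'; 19 = 'PendingUserLogoff'
    20 = 'PendingUpdate'; 21 = 'WaitingRetry'; 22 = 'WaitPresModeOff'; 23 = 'WaitForOrchestration'
}

function Get-AmPlatformUpdateStatus {
    param(
        [string]$TitlePattern = '*Endpoint Protection*',   # assumption about the MU title
        [string]$ArticleID                                  # optional KB number, digits only
    )
    Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class CCM_SoftwareUpdate |
        Where-Object { if ($ArticleID) { $_.ArticleID -eq $ArticleID } else { $_.Name -like $TitlePattern } } |
        ForEach-Object {
            New-Object PSObject -Property @{
                ArticleID = $_.ArticleID
                Name      = $_.Name
                State     = $EvalStates[[int]$_.EvaluationState]
                ErrorCode = '0x{0:X8}' -f [uint32]$_.ErrorCode   # HRESULT as the console shows it
            }
        }
}

function Test-CcmRebootPending {
    # The client's own view of reboot state. An update left in PendingSoftReboot or
    # PendingHardReboot is not compliant yet, and 0x80070643 can mean exactly this state.
    $r = Invoke-WmiMethod -Namespace 'root\ccm\ClientSDK' -Class CCM_ClientUtilities -Name DetermineIfRebootPending
    [bool]$r.RebootPending
}

function Invoke-CcmUpdateReevaluation {
    # Trigger the Software Updates Scan Cycle (113) and the Software Updates Deployment
    # Evaluation Cycle (108) so the client re-reports its state after the restart.
    foreach ($id in '113', '108') {
        Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
            -ArgumentList ('{00000000-0000-0000-0000-000000000' + $id + '}') | Out-Null
    }
}

# Triage: show the platform update's state; if it sits on 0x80070643, check for a pending
# restart before treating it as a failed installation.
$status = Get-AmPlatformUpdateStatus
$status | Format-Table ArticleID, State, ErrorCode, Name -AutoSize
if ($status | Where-Object { $_.ErrorCode -eq '0x80070643' }) {
    if (Test-CcmRebootPending) {
        Write-Warning 'Update returned 0x80070643 and a restart is pending: restart, then run Invoke-CcmUpdateReevaluation.'
    }
}
```

A state of PendingSoftReboot or PendingHardReboot with RebootPending true is the benign case the post describes; an Error state with RebootPending false is a real installation failure and belongs in the compliance report, not in a restart queue.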
Anti-malware platform updates on MU will use special detection logic and applicability rules to make each anti-malware platform update available only on computers that have one of the two preceding (N-2) anti-malware platform versions installed. For example, on April 8th, anti-malware platform version 4.5.x will be released on MU, and it will only be offered to computers where anti-malware platform version 4.3.x or 4.4.x is installed. If a computer has a FEP or SCEP client with version 4.1.x, it has to be upgraded to version 4.3.x first, then to the latest version (4.5.x). If a computer has a FEP or SCEP client with a version older than 4.1.x, the same N-2 rule means it has to be upgraded to 4.1.x first, then to 4.3.x, and then to the latest version (4.5.x). The required intermediate updates will be kept on MU to ensure that this upgrade path remains available for computers running older versions of the Microsoft anti-malware platform.
Because of this, we recommend that you always install the Configuration Manager hotfix or cumulative update that contains the latest anti-malware platform update, to reset the baseline in Forefront Endpoint Protection 2010 Update Rollup 1 and Configuration Manager 2012 SP1/R2, even if you wish to use SUM as the primary deployment method for anti-malware platform updates. This ensures that any new Configuration Manager client installation installs the latest version of the anti-malware platform, or at least reduces the number of staged upgrades required to bring the client to the latest platform version.
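Because each MU package only applies to the two preceding platform versions, a fleet with mixed versions needs several deployment cycles before everyone reaches the latest platform. The script below is an added example, not code from the original post, that models the staged path so you can count cycles from an inventory of installed versions. Its applicability table is constructed from the statements above (4.5.x is offered to 4.3.x and 4.4.x, 4.1.x goes to 4.3.x first, anything older goes to 4.1.x first); versions the post does not mention, such as any 4.2.x build, are deliberately not covered and make the function throw, so extend the table from the actual catalog before relying on it. The sample inventory is constructed, not real data.

```powershell
# Added example, not code from the original post. Compatible with Windows PowerShell 2.0+.
# Each entry: the major.minor a MU package installs, and a predicate over the installed
# [version] that mirrors that package's applicability rule as described in the post.
# The table is an assumption built from the post's text; fill it in from the catalog.
$AmPlatformPackages = @(
    @{ Target = '4.5'; AppliesTo = { param($v) $v.Major -eq 4 -and (3, 4) -contains $v.Minor } },
    @{ Target = '4.3'; AppliesTo = { param($v) $v.Major -eq 4 -and $v.Minor -eq 1 } },
    @{ Target = '4.1'; AppliesTo = { param($v) $v -lt [version]'4.1' } }   # any older platform
)
$LatestPlatform = '4.5'

function Get-AmPlatformUpgradePath {
    # Returns the ordered platform versions a client will be offered, one per deployment cycle.
    param([Parameter(Mandatory = $true)][string]$InstalledVersion)
    $v = [version]$InstalledVersion
    $path = @()
    while (('{0}.{1}' -f $v.Major, $v.Minor) -ne $LatestPlatform) {
        # Highest-versioned package whose applicability rule accepts the current platform.
        $pkg = $AmPlatformPackages | Where-Object { & $_.AppliesTo $v } |
               Sort-Object { [version]$_.Target } -Descending | Select-Object -First 1
        if (-not $pkg) { throw "No package in the table applies to platform $InstalledVersion" }
        $path += $pkg.Target
        $v = [version]$pkg.Target
    }
    return ,$path
}

# Constructed sample inventory (not real data): installed platform version per client,
# as you would export it from hardware inventory or the Endpoint Protection status views.
$SampleInventory = '4.5.216.0', '4.4.304.0', '4.4.304.0', '4.3.0.0', '4.1.522.0', '4.0.0.0'

function Get-AmPlatformCycleSummary {
    # Groups clients by how many staged upgrades they still need.
    param([string[]]$Versions = $SampleInventory)
    $Versions |
        Group-Object { (Get-AmPlatformUpgradePath $_).Count } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { New-Object PSObject -Property @{ CyclesNeeded = [int]$_.Name; Clients = $_.Count } }
}

Get-AmPlatformUpgradePath '4.1.522.0'           # 4.3, 4.5
Get-AmPlatformCycleSummary | Format-Table CyclesNeeded, Clients -AutoSize
```

With the sample inventory the summary shows one client already current, three needing one cycle, one needing two and one needing three, which is the planning figure the recommendation above is about: resetting the baseline with the hotfix collapses the longer paths for new installs.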
Note: If you use SUM and the FEP 2010 hotfix at the same time, you may see a computer placed in the "Out-Of-Date" collection or the "Deployment Pending" collection although it has already been upgraded to the latest platform update. In FEP 2010, the version of the anti-malware platform is determined by that of a specific component. However, the update package shipped on MU does not update that specific component, so you will get an incorrect version number for the anti-malware platform and incorrect collection membership. If you fall into this situation, you can only use the SUM compliance report mentioned above to check the deployment status of the platform update.
Update: The above issue has been addressed. Please see http://support.microsoft.com/kb/2975384 for more details.
We recommend that you treat the anti-malware platform updates as you would other Configuration Manager updates, and follow your best practices for Configuration Manager update installation in your organization to pre-test it before deploying it to all client computers in your hierarchy.
Configuration Manager Resources
Documentation Library for System Center 2012 Configuration Manager
System Center 2012 Configuration Manager Forums
System Center 2012 Configuration Manager Survival Guide
System Center Configuration Manager Support
This posting is provided "AS IS" with no warranties and confers no rights.
Thanks for the post. I'm curious though, in what way will future releases be different than what has already been released to the update catalog? For example, KB2884678 (AM platform update 126.96.36.199) and KB2907566 (AM platform update 4.4.304.0) have already been in the catalog and available to deploy as Software Updates.
WHERE IS THE LINK TO DOWNLOAD OFFLINE CLIENT INSTALLER FOR LATEST GREATEST SCEP VERSION? It is NOT ACCEPTABLE TO FORCE ONE TO ONLY BE ABLE TO GET IT VIA UPDATES!!!!!!! I need it for my images so they don't need to update it when they are first booted up.
I design them to install it and do a sig update on first boot. I DO NOT WANT TO HAVE TO RUN THE UPDATES ON FIRST BOOT ETC. There is NO EXCUSE for MS to keep these updates from being findable etc....