One of the choices for SCEP (System Center Endpoint Protection) definition update sources in SCCM 2012 is a UNC file share. However, in typical SCCM fashion, a bit of legwork is required to use this method. This post explains the steps involved to make this happen.
1. Create a Folder Structure and Share
Create a folder structure to share the SCEP definition update files. The top-level folder name does not matter; in this example I'm using SCEPUpdates. Within this folder create two folders, one named x86 for x86 machines and one named x64 for x64 machines. Share the SCEPUpdates folder. Ensure the client computers and the domain users connecting to the share have read permissions to the share. During an automatic update, the client computer account is used to authenticate to the share. When a user manually updates their definitions by clicking Update, that user account is used to authenticate to the share. You will want to use DFS or similar if you have multiple locations to distribute the files.
2. PowerShell Script to Automate Definition File Downloads
There are 6 files in total to download, 3 for x64 machines and 3 for x86 machines.
- Mpam-fe.exe – Full Definitions
- Mpam-d.exe – Delta Definitions
- Nis_full.exe – Network-based exploit definitions
For more information and direct links to the definition files see here (or refer to the PowerShell script below).
I've put together a PowerShell script to download the 6 definition update files to a UNC path.
```powershell
# Source URLs (Microsoft fwlink redirects) and destination paths on the share.
# x64: full definitions, delta definitions, network-based exploit definitions
$x64S1 = "https://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64"
$x64D1 = "\\server\SCEPUpdates\x64\mpam-fe.exe"
$x64S2 = "https://go.microsoft.com/fwlink/?LinkId=211054"
$x64D2 = "\\server\SCEPUpdates\x64\mpam-d.exe"
$x64S3 = "https://go.microsoft.com/fwlink/?LinkId=197094"
$x64D3 = "\\server\SCEPUpdates\x64\nis_full.exe"

# x86: full definitions, delta definitions, network-based exploit definitions
$x86S1 = "https://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86"
$x86D1 = "\\server\SCEPUpdates\x86\mpam-fe.exe"
$x86S2 = "https://go.microsoft.com/fwlink/?LinkId=211053"
$x86D2 = "\\server\SCEPUpdates\x86\mpam-d.exe"
$x86S3 = "https://go.microsoft.com/fwlink/?LinkId=197095"
$x86D3 = "\\server\SCEPUpdates\x86\nis_full.exe"

# Download each file straight to its destination on the share.
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($x86S1, $x86D1)
$wc.DownloadFile($x86S2, $x86D2)
$wc.DownloadFile($x86S3, $x86D3)
$wc.DownloadFile($x64S1, $x64D1)
$wc.DownloadFile($x64S2, $x64D2)
$wc.DownloadFile($x64S3, $x64D3)
```
This is great for one-off downloads, but we want to automate the task. The next step is to create a scheduled task to run the script every x hours. The action should point to the PowerShell script above; you can simply use powershell -file "script.ps1" as the action.
This schedule kicks the first download off every day at 12:05am and updates the definition files every 4 hours.
Confirm the scheduled task is running every 4 hours and updating the files correctly before moving on to the next step.
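Because every client installs whatever executables sit on the share, the download step can be made to publish only files that carry a valid Microsoft Authenticode signature. The following is an added example, not the original post's script; the local staging folder C:\SCEPStaging and the signer-subject match on "O=Microsoft Corporation" are assumptions.

```powershell
# Added example; not the original post's script.
# Assumed: the staging path and the signer-subject match below.
$share   = '\\server\SCEPUpdates'
$staging = 'C:\SCEPStaging'   # hypothetical local folder, writable only by the task account

$files = @(
    @{ Arch = 'x64'; Name = 'mpam-fe.exe';  Url = 'https://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64' },
    @{ Arch = 'x64'; Name = 'mpam-d.exe';   Url = 'https://go.microsoft.com/fwlink/?LinkId=211054' },
    @{ Arch = 'x64'; Name = 'nis_full.exe'; Url = 'https://go.microsoft.com/fwlink/?LinkId=197094' },
    @{ Arch = 'x86'; Name = 'mpam-fe.exe';  Url = 'https://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86' },
    @{ Arch = 'x86'; Name = 'mpam-d.exe';   Url = 'https://go.microsoft.com/fwlink/?LinkId=211053' },
    @{ Arch = 'x86'; Name = 'nis_full.exe'; Url = 'https://go.microsoft.com/fwlink/?LinkId=197095' }
)

function Test-DefinitionSignature {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Valid = hash matches and the chain builds to a trusted root on this machine.
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# Force TLS 1.2 for WebClient (requires .NET 4.5 or later).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wc = New-Object System.Net.WebClient
$failed = 0
foreach ($f in $files) {
    $tmpDir = Join-Path $staging $f.Arch
    New-Item -ItemType Directory -Path $tmpDir -Force | Out-Null
    $tmp = Join-Path $tmpDir $f.Name
    try {
        $wc.DownloadFile($f.Url, $tmp)
        if (-not (Test-DefinitionSignature -Path $tmp)) {
            throw "signature check failed for $($f.Arch)\$($f.Name)"
        }
        # Publish to the share only after the signature check passes.
        Copy-Item -Path $tmp -Destination (Join-Path $share "$($f.Arch)\$($f.Name)") -Force
    }
    catch {
        $failed++
        Write-Warning "Not published: $_"
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}
if ($failed) { exit 1 }   # non-zero result shows up as a failed run in Task Scheduler
```

When a download is rejected, the previous file stays on the share, so clients keep updating from the last known-good copy.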
3. Configure Definition Update Sources
Open the System Center 2012 Configuration Manager console and browse to Assets and Compliance -> Endpoint Protection -> Antimalware Policies and select the policy you would like to configure.
From the left-hand menu choose Definition Updates and choose "Set Source". Tick "Updates from UNC File Shares" and move it to the top of the list; un-tick other sources if necessary. Click OK.
Choose Set Paths, add the UNC path and click OK.
To confirm the clients are pointing to the right location and using the UNC share configured above, wait for the client's policy to update (or update it manually) and browse to the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates (or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Microsoft Antimalware\Signature Updates) and review DefinitionUpdateFileSharesSources.