The Sysadmins

Tips and tricks from the Sysadmins

SCCM 2012 – SCEP UNC Definition Updates Automation with Powershell

One of the choices for SCEP (System Center Endpoint Protection) definition update sources in SCCM 2012 is from a UNC file share, however in typical SCCM fashion there is a bit of leg work required to use this method. This post will explain the steps involved to make this happen.

1. Create a Folder Structure and Share

Create a folder structure to share the SCEP definition update files, the top level folder name does not matter, in this example I’m using SCEPUpdates. Within this folder create two folders, one named x86 for x86 machines and one named x64 for x64 machines. Share the SCEPUpdates folder. Ensure the client computers and the domain users connecting to the share have read permissions to the share. During an automatic update, the client computer account is used to authenticate to the share. When a user manually updates their definitions by clicking Update, that user account is used to authenticate to the share. You will want to use DFS or similar if you have multiple locations to distribute the files.

SCEPFOLDERS

2. Powershell Script to Automate Definition File Downloads

There are 6 files in total to download, 3 for x64 machines and 3 for x86 machines.

  • Mpam-fe.exe – Full Definitions
  • Mpam-d.exe – Delta Definitions
  • Nis_full.exe – Network-based exploit definitions

For more information and direct links to the definition files see here (or refer to the Powershell script below).

I’ve put together a Powershell script to download the 6 definition update files to a UNC path.


$x64S1 = "//go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64"
$x64D1 = "\\server\SCEPUpdates\x64\mpam-fe.exe"
$x64S2 = "//go.microsoft.com/fwlink/?LinkId=211054"
$x64D2 = "\\server\SCEPUpdates\x64\mpam-d.exe"
$x64S3 = "//go.microsoft.com/fwlink/?LinkId=197094"
$x64D3 = "\\server\SCEPUpdates\x64\nis_full.exe"
$x86S1 = "//go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86"
$x86D1 = "\\server\SCEPUpdates\x86\mpam-fe.exe"
$x86S2 = "//go.microsoft.com/fwlink/?LinkId=211053"
$x86D2 = "\\server\SCEPUpdates\x86\mpam-d.exe"
$x86S3 = "//go.microsoft.com/fwlink/?LinkId=197095"
$x86D3 = "\\server\SCEPUpdates\x86\nis_full.exe"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($x86S1, $x86D1)
$wc.DownloadFile($x86S2, $x86D2)
$wc.DownloadFile($x86S3, $x86D3)
$wc.DownloadFile($x64S1, $x64D1)
$wc.DownloadFile($x64S2, $x64D2)
$wc.DownloadFile($x64S3, $x64D3)

This is great for one off downloads, but we want to automate the task. The next step is to create a schedule task to the run the script every x hours. The action should point towards the Powershell script above, you can simply use powershell -file “script.ps1” as the action.

SCEPAUTOMATE1

This schedule kicks the first download off every day at 12:05am and updates the definition files every 4 hours.

SCEPAUTOMATE2

Confirm the scheduled task is running every 4 hours and updating the files correctly before moving onto the next step.

3. Configure Definition Update Sources

Open the System Center 2012 Configuration Manager console and browse to Assets and Compliance -> Endpoint Protection -> Antimalware Policies and select the policy you would like to configure.

SCEP Set Sources

From the left hand menu choose Definition Updates and choose “Set Source”. Tick “Updates from UNC File Shares” and move to the top of the list, un-tick other sources if necessary. Click OK.

SCEP Updates from UNC File Shares

Choose Set paths, add the UNC path and OK.

Configure Definition Update UNC Paths

To confirm the clients are pointing to the right location and using the UNC share configured above, wait (or manually) update the client’s policy and browse to the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates (or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Microsoft Antimalware\Signature Updates) and review DefinitionUpdateFileSharesSources.

DefinitionUpdateFileSharesSources

1 Comment

  1. Giovanni Eliziario

    April 2, 2014 at 8:09 pm

    Hi! Great stuff, but if configured to download as a task, when some file is oppened by a client downloading updates, it fails to save on folder and save, cause the file is blocked.

    I use the script to download manually, and uses the command lines bellow to stop and start the sharing.

    net share SCEP_UNC_DEFS /delete /Y
    pause

    NOW RUN THE .VBS or PS1 to download

    net share SCEP_UNC_DEFS=”D:\SCEP_UNC_DEFS”
    pause

    Regards!

Leave a Reply

Your email address will not be published.

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.