SCEP Definition Automatic Deployment Rule in SCCM 2012 R2

If you have setup your SCCM environment with the Microsoft product, System Centre Endpoint Protection (SCEP) and have deployed the SCEP agent to your client computers the next task you need to complete is the creation of an Automatic Deployment Rule for the antivirus updates.  Automatic Deployment Rules as the name suggests, automate the deployment of updates and definitions to your environment. You can set deadlines when things should install, maintenance windows when reboots and installation should occur and also the download of Windows updates ( you can specify products you would like updates to download for and what severity ie critical, important and security) and SCEP definitions without any manual intervention.

Creating an Automatic Deployment Rule for System Centre Endpoint Protection (SCEP) definition updates in SCCM can help streamline the process of deploying and updating antivirus definitions across an organization. By automating the deployment of updates and definitions, IT administrators can save time and ensure that all client computers have the latest protection against known threats. With SCCM’s customization options, administrators can set deadlines for updates, specify maintenance windows, and even control the download of Windows updates. This ensures that updates are deployed efficiently and without any manual intervention, allowing administrators to focus on other important tasks.


Creating an Automatic Deployment Rule in SCCM 2012 R2 for SCEP Definition Deployment

Create Automatic Deployment Rule

Open your SCCM 2012 console and navigate to Software Library – Overview – Software Updates – Automatic Deployment Rules. 

Right click Automatic Deployment Rules and then choose Create Automatic Deployment Rule 


SCEP ADR – General Tab

Now specify a descriptive name for the Automatic Deployment Rule, a description that will easily identify what this ADR is for and then choose an appropriate template from the dropdown box (I have chosen the standard definitions updates). Then Click on Next

SCEP Definition Updates

SCEP ADR – Deployment Settings Tab

I left the settings as default on this page as I want to automatically approve any license agreements and dont have a requirement to wake up client computers. If you want to deploy the SCEP updates after hours while your client computers are off and wish to wake them up for the client updates (this depends on if your environment has Wake On Lan capability) choose the Wake On Lan checkbox.

SCEP Automatic Deployment Rule

SCEP ADR – Software Updates Tab

Make sure that the search criteria is correct, that the Product says Forefront Endpoint Protection 2010 or Windows Defender and that the Update Classification shows Definition Updates and choose next.

SCEP Definition Automatic Deployment Rule

SCEP ADR – Evaluation Schedule Tab

Choose how often the Software Update Point synchronises.

SCEP Definition ADR

SCEP ADR – Deployment Schedule Tab

Now we can configure when the updates are available to be installed on client computers. In the example below, I left this as the default 1 Hour. You can choose what ever is suitable for your environment.

SCEP Updates

SCEP ADR – User Experience Tab

The following screen is where you set whether or not you will notify the users that there is a new SCEP definition update available for their machines. Most often than not, it is best to suppress these notifications from the end user as there could be multiple updates released daily. Notifying them every few hours would surely annoy them, which in turn they will annoy the Administrator.

SCEP Definition Deployment

SCEP ADR – Alerts Tab

If you have System Centre Operations Manager (Microsoft’s SCOM) you can choose whether any alerts are enabled / disabled and if required, what conditions to generate an alert


SCEP ADR – Download Settings Tab

Now we are up to the Download Settings page. Choose the option that is suitable to your environment. It is always a good idea, if you have lots of remote sites without an SCCM distribution Point available, to allow the clients to share content with other clients on the same subnet.


SCEP ADR – Deployment Package Tab

On this page, we are creating a new deployment package for the Definitions Updates. Again, it is good practice to give a descriptive name and description that is easily identifiable to others. Also, choose a source location with enough storage to store the definitions.

System Centre Endpoint Protection

SCEP ADR – Distribution Points Tab

Choose which distribution points you would like the update definitions to be shared to and from. I choose the All Distribution Points as I want the updates available from everywhere in the environment.

SCCM System Centre Endpoint Protection

SCEP ADR – Download Location Tab

If you are downloading the definition updates manually, you can set the location for where SCCM should look for new definitions. If not, choose Download Software Updates from the Internet and click on Next.

SCCM Antivirus

SCEP ADR – Language Selection Tab

Specify which languages you wish the SCEP definition update to deploy as. You can choose multiple languages as required.

SCCM SCEP Antivirus

SCEP ADR – Summary Tab

Review the Summary page to confirm you are happy with the settings you have chosen. Once you are satisfied with your selection, click Next.

SCCM SCEP Antivirus updates

SCEP ADR – Progress Tab

The Automatic Deployment Rule will quickly run through some checks, and once completed, click on Close.

SCCM SCEP Antivirus definitions

SCEP ADR – Manual Invocation

That is all there is too it. The Automatic Deployment Rule will run with all the settings you have selected. If you ever wish to manually run the rule, right click it and choose run now.

SCCM SCEP Antivirus definition deployment

Click on the link to see how to create an SCCM Automatic Deployment Rule for Windows Updates.

SCCM ADR for SCEP Conclusion

Creating an Automatic Deployment Rule in SCCM 2012 R2 for SCEP Definition Deployment is a straightforward process that can save administrators valuable time. Once you set up the Automatic Deployment Rule, the updates will deploy to your client computers without any manual intervention.