If you use WSUS to keep your antimalware definitions up to date, you can configure it to auto-approve definition updates.
Although using Configuration Manager software updates is the recommended method to keep definitions up to date, you can also configure WSUS as a method to allow users to manually initiate definition updated.
To accomplish this task, you can configure automatic approval for revisions and automatic declining of expired updates.
For more information, see Microsoft Knowledge Base article 938947.
The feature is the ability to automatically deploy software updates to clients and it can be utilized to automatically deploy Forefront Endpoint Protection 2010 antimalware definition updates to Config Mgr clients.
For more information on deploying Forefront Endpoint Protection 2010 with Configuration Manager as well as how to create an Automatic Deployment Rule for Forefront Endpoint Protection 2010 antimalware definition updates, please see the following:
An Automatic Deployment Rule in System Center 2012 Configuration Manager DOES NOT verify that the corresponding products or classifications that are selected are also selected on the Software Update Point itself. On the Central Administration Server (CAS), navigate to Administration\Overview\Site Configuration\Sites. In the results pane on the right, highlight the servername that has the type of “CAS”.
If you have a single server install, highlight the server listed. In the ribbon at the top, click Configure Site Components and in the dropdown select Software Update Point. Select the Products tab and then place a check next to Forefront Endpoint Protection 2010. Review the Languages/Classifications tabs to ensure that the items selected in the Automatic Deployment Rules are also selected on the properties of the Software Update Point. There is no need to manually initiate a synchronization as Configuration Manager will detect a change (step 4 above) and automatically start a synchronization.
Does anyone know how to manually push endpoint protection definition updates to a client through SCCM 2012 R2? I just want to force System Center to manually download them to the endpoint.
We are running an audit on our devices and I've found that a small percentage (around 5%? Right-clicking on the device in Configuration Manager and looking at the Endpoint Protection option gives me these options: Full Scan, Quick Scan, Download Definition. But if I pick Download Definition, I then get the following Neither option (of course) actually updates the definitions on the endpoint.
But since this problem is not isolated to specific devices, this is not a realistic solution.