News

Microsoft Endpoint Protection To Get Faster Updates

• By Kurt Mackie
• 03/28/2014

Microsoft is accelerating the product update process for its Endpoint Protection security solutions.

Updates to System Center 2012 Endpoint Protection, as well as the older Forefront Endpoint Protection solution, will be released three times per year, starting on April 8. All of the updates will arrive via the Microsoft Update service.

Delivery through Microsoft Update will be a new approach for organizations. They typically downloaded hotfixes to upgrade those products in the past. Microsoft plans to continue issuing hotfixes while also carrying out this new release scheme, according to Minfang Lv, a Microsoft software development engineer for the Configuration Manager Sustained Engineering team, in a blog post on Thursday.

While all of that may sound like good news, Lv pointed to a quirk associated with getting those product updates through the Microsoft Update service.

"When you deploy the anti-malware platform updates through MU (and the Configuration Manager Software Updates Management (SUM) feature) instead of hotfixes, MU leverages the Windows Update Agent to install the platform update instead of the Endpoint Protection Agent. So, you will lose inbox deployment status monitoring in the FEP/SCEP dashboard."

As a workaround, Lv suggested using the compliance report in the Software Updates Management feature to see the inbox deployment status.

Another potentially troublesome aspect of getting the product updates through Microsoft Update is that they only detect past updates going back two generations ("N-2"). So systems might need checking and updating first before receiving the latest update coming through the Microsoft Update service, Lv cautioned.

"Because of this, we recommend that you always install the Configuration Manager hotfix or cumulative updates that contain the latest anti-malware platform updates to re-set the baseline in Forefront Endpoint Protection 2010 Update Rollup 1 and Configuration Manager 2012 SP1/R2, even if you wish to use SUM as the primary deployment method for anti-malware platform updates," Lv explained.

In keeping with that theme, Cumulative Update 1 for System Center 2012 R2 Configuration Manager was released this week.

In a second blog post, Lv described a new Endpoint Protection feature that will arrive on April 8. The System Center 2012 Endpoint Protection and Forefront Endpoint Protection 2010 products will be capable of reporting the lifecycle stages of an operating system in a computing environment with this new update in place. That feature seems timed to coincide with Windows XP's loss of "extended support" on April 8.

For instance, the Endpoint Protection products will send alerts, if configured to do so, indicating three stages. Stage 1 is when the OS is approaching the end of its product lifecycle. Stage 2 is the so-called "grace period," in which the OS continues to run and continues to get antimalware definition updates. Stage 3 is the phase in which the antimalware service stops running altogether. Typically, the alerts would go to the IT pro administering the system, but Stage 3 alerts also will go to end users.

Microsoft noted back in January that it plans to continue delivering antimalware signatures for its security products through July 14, 2015. However, Windows XP still loses product and security patching support on April 8.