I am in the process of deploying SCEP 2012 R2 as a replacement for another antivirus/antimalware product.
We have decided against the full SCCM suite as it seems way too much work with little benefit for a relatively small operation like ours.
Most of our Windows deployments are virtual machines managed by SCVMM and all come from a few VM templates, so I am simply installing Endpoint Protection manually in the templates as well as in pre-existing VMs and physical servers and laptops.
Additionally I am going to be managing Endpoint Protection settings with Group Policies.
Mostly this seems to be working fine and I have set each Endpoint Protection instance to fetch definition updates directly from Windows Update / Microsoft Update. Specifically, in the signature updates section of the group policies, I have enabled 3 settings:
- Allow definition updates from Microsoft Update
- Allow real-time definition updates based on reports to MAPS
- Allow notifications to disable definitions based reports to MAPS
And fundamentally this seems to work.
However: As far as I can tell, each new set of available definitions turns into an Important Update in Windows Update on the Windows machine in question, thus requesting the user's attention and urging him or her to take action to download the new definitions. I do not want that. I just want SCEP to fetch new definitions in the background when it needs to, and to let users get on with their work.
Can this be achieved with GPOs but without SCCM or WSUS?
P.S. Is this the right forum for System Center 2012 R2 Endpoint Protection?