Planning for Definition Updates

Applies To: Forefront Endpoint Protection

Computers running the FEP client software automatically check for definition updates according to the schedule defined by the policy that is deployed to them.

When you are planning for definition updates in your environment, you should consider the following factors:

  • For Software Update or Windows Server Update Services definition updates:

    • Ensure you have configured your network to allow communication between the computer running WSUS and the internet. For more information about how to configure your network for WSUS, see Configure the Network ( in the WSUS documentation.

    • You must either manually approve each definition update downloaded from Microsoft Update to your WSUS server, or you can configure an automatic approval rule. For more information about automatic approval rules, see Software Updates and Windows Server Update Services Definition Updates.

    • You should consider branch office locations and WSUS server locations. If you have client computers distributed among branch offices, depending on the network connection speed and utilization, it may be more efficient to configure those client computers to retrieve definition updates directly from Microsoft Update.

  • For Microsoft Update definition updates:

    • If you plan to support direct update via Microsoft Update, ensure that you have the appropriate network ports opened for communication to the Microsoft Update servers.


      To ensure that your client computers always have the latest definition updates, you should enable direct updates via Microsoft Update for all client computers, not just portable computers. For more information about configuring client computers Microsoft Update, see Microsoft Update Definition Updates.

  • For File-Share-Based definition updates:

    • When you configure clients to check a file share for definition updates, by default, clients check the file share first, before checking WSUS or Microsoft Update. This order can be changed. For more information, see Configuring Definition Updates.

    • Ensure that the client computers connecting to the share in which you stored the definition files have Read permissions.

    • There are two files to download for each architecture (either x86 or x64):

      • The antimalware definitions

      • The network-based exploit definitions

      Ensure you download both files for both architectures, and then save those files without renaming them according to the steps described in File-Share-Based Definition Updates.