KB2828233 Update for System Center 2012 Endpoint Protection

Ok so this SCEP Update has been released some time ago, but i have seen and heard some confusion on how to get this Update installed properly into the ConfigMgr environments.


The KB2828233 update itself is a server update and you need to install it on your Primary Site servers as you do with the SP’s, CU’s and other Hotfixes.

What it will do on the server is that it will:

  • Install itself as an Update to Endpoint Protection to the local EP Client on the server.
  • Create a Server Update Package in ConfigMgr in the Packages folder “Configuration Manager Updates”.
  • A SCUP catalog folder will also be placed in the ConfigMgr install folder “.\Program Files\Configuration Manager\hotfix\KB2828233\SCUP” for those of you that use SCUP for updating your Site Servers.
  • Update the scepinstall.exe file in the ConfigMgr install folder “.\Program Files\Configuration Manager\Client” to version (Remember to right click your native “Configuration Manager Client Package” and update you Distribution Points)

Now… “Some of you are already thinking: I cant wait for the part of updating Endpoint Protection on the already in-place/installed clients!”
And here it comes:

Its actually quite the anti climax, because in KB2828233 there is no update for you clients… So forget about KB2828233, or actually not –wait up! Because there are a couple of ways to update SCEP on your clients by using KB2828233 alone:

  1. Manually update all your clients from the SCEP interface on your clients (If you only have 2 clients then thats ok – if you have more then 50 –> AVOID…)
  2. Change ConfigMgr Site Settings to “Upgrade client automatically when new client updates are available” (I wouldnt do this either).


But here comes the anti climax – there’s an update available from Windows Updates… buuhhuuu


You can go to your Software Updates section and go into All Software Updates and find KB2831316 which actually is the Update for your clients (And this is what i would recommend you to do at anytime!)


So to sum up – Install KB2828233 as a server update and update the native “Configuration Manager Client Package” for the coming client deployments.
And make sure KB2831316 is deployed to your active/in-place clients as a Windows Update via your normal Software Update process.

Now go be secure… Cheers

By |2013-06-12T16:59:26+00:00June 12th, 2013|Configuration Manager (SCCM), Security|4 Comments

About the Author:

Henrik Hoe
ConfigMgr specialist that started many years ago with SMS 2003 and been with the product/concept ever since. (Fanatical some would say - i can only agree) Experienced with large customer environments and architecture.MCPMCTS: ConfigMgr 2012MCSA: Windows Server 2012MCT


  1. Steinar June 18, 2013 at 9:36 - Reply

    Great guide, Henrik!

  2. Curbysan June 27, 2013 at 13:48 - Reply

    Hi Henrik
    I’ve been hoping for an article like this!! – been trying to gather help/discussion on the topic here: http://social.technet.microsoft.com/Forums/forefront/en-US/7cb3f2b6-19e3-41f7-8ea1-6634b54d4cd1/installing-kb2828233-to-cm2012-and-kb2827684-to-cm2007

    I was disappointed with the lack of documentation/guides by MS, its not clear at all that you need to update 2 different places with 2 different KB IDs!

    thanks again…

    one quick question – The server install (KB2828233) creates a new package to be targeted at servers, in the setup it states to target SMS provider servers – is this correct?? – upon deployment to my SMS providers the install fails and the logs suggest that the update isn’t needed (seems to try and update files that are already updated during SP1 CU1)

    thanks again

  3. Emily November 26, 2013 at 1:38 - Reply

    Hi Henrik,

    KB2828233 is now replaced by KB2865173. Do you have the same procedure like this? Your documentation helped me a lot. Thank you!

Leave A Comment