I've configured definition updates for Endpoint Protection in SCCM 2012 following the directions here. I've created and deployed my Antimalware Policy and set my "Definition updates" source to only use "Updates distributed from Configuration Manager." Everything appears to be going swimmingly - definition updates are being downloaded to my SUP server at the specified interval, and my test workstations are receiving the updates.
What I've noticed, however, is if I go into the Endpoint Protection client on the workstation, and click on the "Update" button to initiate a manual definition download, the workstation attempts to contact Microsoft Updates on the web, rather than my SCCM server:
(The update is failing because I removed the default gateway in the workstation network settings to prevent it from being able to go out to the internet.)
But, like I said, if I leave the machine alone, then every 8 hours (the time frame I specified in SCCM), it receives updated definitions from the SCCM server.
Is this behavior by design?
Shaun