Recently I got a request to help solve an issue where SCEP definition updates did not install through SCCM.
So first I checked the basic configuration:
1) That SCCM Client Settings for Endpoint Protection were configured - they were!
2) That there was an antimalware policy in place - there was!
3) That an Auto-deploy rule was created and working to deploy SCEP definition updates - it was and it targeted the affected computers!
So I started to inspect the client logs, but there was no relevant information. I was a bit confused when I saw that the SCCM client didn't even scan for SCEP definition updates.
Then I found out that there was a maintenance window created for the affected computers. And this was the problem. The maintenance window was created with one occurrence in the past, so clients never attempted to install these updates, because the maintenance window never opened.
After removing the maintenance window most of the SCCM clients started to install SCEP definition updates, but there were still some "clients at risk" in the SCEP monitoring node in the SCCM console.
I connected to a problematic client and saw that SCEP was red in the notification area; it also showed that real-time protection was off. In the SCCM client logs folder, EndpointProtectionAgent.log showed that the SCEP agent version was lower than expected, so the SCEP policy was not applied and no definitions were being installed. After installing the latest SCEP agent version everything started to work as expected!
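
To look for the maintenance window problem described above across a whole site, here is a sketch that lists enabled, non-recurring maintenance windows whose single occurrence has already ended. It is an added example, not part of the original post. It assumes a PowerShell session with the ConfigurationManager module loaded and the current location set to the site drive; the function name is hypothetical.

```powershell
# Added example (not from the original post). Assumes the ConfigurationManager
# module is imported and the current location is the site drive (for example,
# a session opened from the console with "Connect via Windows PowerShell").
function Find-ExpiredOneTimeMaintenanceWindow {
    [CmdletBinding()]
    param()

    # Only device collections that have at least one maintenance window.
    $collections = Get-CMDeviceCollection |
        Where-Object { $_.ServiceWindowsCount -gt 0 }

    foreach ($collection in $collections) {
        $windows = Get-CMMaintenanceWindow -CollectionId $collection.CollectionID

        foreach ($mw in $windows) {
            # A disabled window does not restrict installation.
            if (-not $mw.IsEnabled) { continue }

            # SMS_ServiceWindow.RecurrenceType 1 = no recurrence.
            # Recurring windows open again, so they are not the issue here.
            if ($mw.RecurrenceType -ne 1) { continue }

            $start = [datetime]$mw.StartTime
            $end   = $start.AddMinutes($mw.Duration)   # Duration is in minutes

            # Compare in the same time base the window was defined in.
            $now = if ($mw.IsGMT) { (Get-Date).ToUniversalTime() } else { Get-Date }

            if ($end -lt $now) {
                [pscustomobject]@{
                    Collection   = $collection.Name
                    CollectionID = $collection.CollectionID
                    Window       = $mw.Name
                    # 1 = all deployments, 4 = software updates, 5 = task sequences
                    WindowType   = $mw.ServiceWindowType
                    Start        = $start
                    End          = $end
                }
            }
        }
    }
}

Find-ExpiredOneTimeMaintenanceWindow |
    Sort-Object Collection |
    Format-Table -AutoSize
```

Any collection listed here has a window that will never open again, so deployments that honor maintenance windows will not install on its members until the window is removed or rescheduled.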