Long story short, an "Update for System Center Endpoint Protection 2012 Client" was installed last month, and because the reboot was suppressed in the ADR, definition updates could no longer be installed. After the servers were rebooted, everything worked fine again. Pity that this couldn't be seen on the SCEP dashboard!
Note: Repairing the ConfigMgr client (Console Extensions) also did the trick, so there is no need to reboot every server.
Source: Microsoft TechNet
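
Since the dashboard did not surface the problem described above, the following added example (not from the original post or from Microsoft) reports SCEP definition age alongside the ConfigMgr client's pending-reboot state for each server. The server names and the three-day threshold are assumptions; it uses Windows PowerShell's WMI cmdlets and requires remote WMI access to each server.

```powershell
# Added example: correlate stale SCEP definitions with a pending reboot.
# Assumptions: $Servers and $MaxSignatureAgeDays are constructed placeholders.
$Servers             = 'SERVER01', 'SERVER02'
$MaxSignatureAgeDays = 3

$report = foreach ($server in $Servers) {
    try {
        # SCEP client health as exposed by the endpoint protection WMI provider
        $health = Get-WmiObject -ComputerName $server `
            -Namespace 'root\Microsoft\SecurityClient' `
            -Class AntimalwareHealthStatus -ErrorAction Stop |
            Select-Object -First 1

        # Pending-reboot state as seen by the ConfigMgr client
        $reboot = Invoke-WmiMethod -ComputerName $server `
            -Namespace 'root\ccm\ClientSDK' `
            -Class CCM_ClientUtilities `
            -Name DetermineIfRebootPending -ErrorAction Stop

        [pscustomobject]@{
            Server           = $server
            SignatureVersion = $health.AntivirusSignatureVersion
            SignatureAgeDays = $health.AntivirusSignatureAge
            RebootPending    = [bool]$reboot.RebootPending
            # Stale definitions plus a pending reboot matches the situation in the post
            LikelyBlocked    = ($health.AntivirusSignatureAge -gt $MaxSignatureAgeDays) -and
                               [bool]$reboot.RebootPending
            Error            = $null
        }
    }
    catch {
        # Unreachable host or missing client: report it instead of silently skipping
        [pscustomobject]@{
            Server           = $server
            SignatureVersion = $null
            SignatureAgeDays = $null
            RebootPending    = $null
            LikelyBlocked    = $null
            Error            = $_.Exception.Message
        }
    }
}

$report | Sort-Object LikelyBlocked -Descending | Format-Table -AutoSize
```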