In this post, you will learn how you can manage Microsoft Defender Antivirus updates using Intune. By leveraging Intune management capabilities, organizations can effectively manage Microsoft Defender Antivirus updates, ensuring that devices are protected against the latest security threats.
Microsoft Defender Antivirus is a robust security solution that helps protect Windows devices from malware and other security threats. Intune, on the other hand, is a cloud-based service provided by Microsoft that enables organizations to manage and secure their devices and applications.
Microsoft Defender for Endpoint introduces a powerful capability called Security Management for Microsoft Defender for Endpoint, allowing you to deploy security configurations from Microsoft Intune directly to your onboarded devices without the need for a complete Microsoft Intune device enrollment process.
Configure the gradual release rollout (Default option) of Defender Updates to targeted device groups. Use a ringed approach to test, validate, and roll out updates to devices through release channels. Updates available are platform, engine, and security intelligence updates.
With centralized control, automation, and monitoring, Intune streamlines the update process and provides administrators with the necessary tools to maintain a secure and up-to-date environment. These policy types have pause, resume, and manual rollback commands similar to Windows Update ring policies.
- Latest Microsoft Defender Antivirus Configuration Policy Settings In Intune
- Best Antivirus for Windows 11 Microsoft Defender | App Browser Protection | Firewall Protection
Microsoft Defender Version Details
Before getting into the details of deployment rings for Microsoft Defender Antivirus, let’s try to understand the different versions of Antivirus.
- The MS Defender Antimalware Client Version = Platform Version is the current Defender Version (Updated on a Monthly Basis – Platform Updates).
- The MS Defender Engine Version is the current version of the Defender scanning engine (Updated on a Monthly Basis – Engine Updates).
- The signature Version is the Antivirus/Antispyware Client Version (Updated on Multiple Times a Day Basis – Signature Updates)
signature Version is the Antivirus/Antispyware Client Version = Security intelligence update version: 1.391.860.0
Antimalware Client Version = Platform: 4.18.23050.5
Engine Version: 1.1.23050.2
Video – Microsoft Defender Antivirus Deployment Channel
Let’s understand what are the options to change the Microsoft Defender Antivirus Deployment Channel for monthly Engine and Platform updates.
Manage Microsoft Defender Antivirus Updates using Intune
With Intune, administrators can efficiently manage Microsoft Defender Antivirus updates across their organization’s devices, ensuring that all devices have the latest protection against emerging threats. Here’s an overview of how you can use Intune to manage Microsoft Defender Antivirus updates.
- Sign in to the Microsoft Intune admin center https://intune.microsoft.com/.
- Navigate to Endpoint security > Antivirus and click Create policy.
In the Endpoint security, On the Create a profile page, provide the following information and click Create.
- Platform: Select Windows 10 and later
- Profile: Select Defender Update controls
In Basics, You need to type the descriptive name for the Antivirus profile or a description to get it more clear for other references and Select Next.
On the Configuration settings page, configure the following settings and click Next.
Defender Components | Descriptions |
---|---|
Engine Updates Channel | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. |
Platform Updates Channel | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. |
Security Intelligence Updates Channel | Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. |
MS Defender Antivirus Different Deployment Channel Options for Engine and Platform Updates
Let’s understand MS Defender Antivirus Different Deployment Channel Options for Engine and Platform Updates. The best option for most of the devices, as per Microsoft, is the DEFAULT one, which is a Gradual Rollout under Microsoft control.
0 – Not configured (Default) – The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
2 Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
3 Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
4 Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
5 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
6 Critical – Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
You can create your own deployment rings for Microsoft Defender as per your organization’s requirements. For the security Intelligence Updates deployment channel select (for daily signature updates), you can select any of the options available. But I would recommend keeping it as the default one.
Here, you can assign Scope tags to filter the profile to specific IT groups. Add scope tags (if required) and click Next. Under Assignments, In Included Groups, click Add Groups, and then choose Select Groups to include one or more groups. Click Next to continue.
Now in Review + Create, review your settings. When you click on Create, your changes are saved, and the policy is created.
A notification will appear automatically in the top right-hand corner with a message. You can see that Policy “Microsoft Defender Antivirus Updates Channels – Configuration” was created successfully.
MS Defender Reporting
You can monitor Antivirus profile deployment by Navigating to the Properties tab. To monitor the run status of all assigned profiles for users and devices by choosing one of the following reports, Device status or User Status inside the monitoring.
- Antivirus Agent Status from Intune Defender Reports
- Device Status, Managed By, Anti-malware version, Engine version, Signature version, etc.
- Security Admin portal reporting
Results from Windows Client Side
You can use the PowerShell command or Event Logs to find out the details of MS Defender Antivirus Deployment channel changes.
Get-MpPreference | select EngineUpdatesChannel, PlatformUpdatesChannel, SignatureUpdateInterval
Let’s also check the event log ID 5007 related to MS Defender Antivirus update channel changes. You can refer to the following text and screenshot to get more details.
Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\PlatformRing = 0x0
New value: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\PlatformRing = 0x3
Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\EngineRing = 0x0
New value: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\EngineRing = 0x3
Author
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
Hi,
Can you please explain how frequently the defender gets updates if this policy is not configured.
And by default what source it selects to downland updates.