This post explains how to enable patching of Microsoft Defender for Endpoint updates using SCCM and WSUS. Microsoft recently added a new product category to WSUS, allowing on-prem servers to receive MS Defender for Endpoint patches for the EDR sensor.
You can use SCCM to onboard endpoints to the MS Defender for Endpoint (MDE) service. There are several options you can use to onboard devices using SCCM. Tenant attach (aka Cloud Attach) is one of the options for onboarding servers into MS Defender for Endpoint.
The Defender for Endpoint EDR sensor update is made available in WSUS. When Windows devices are managed via SCCM or WSUS, you can enable syncing of Defender for Endpoint updates and start deploying the patches.
The SCCM can patch both Windows client operating system versions, such as Windows 11, and server OSes, such as Server 2022. It’s very interesting to see that Microsoft also includes new cloud products in the WSUS product category.
New WSUS Product Category MS Defender for Endpoint
Microsoft introduced a new WSUS product category, Microsoft Defender for Endpoint (MDE). The user 0daydorpher on Twitter noticed this recently. You can easily deploy the MDE EDR sensor update with this new Defender product category in WSUS.
MS Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2. MS Defender for Endpoint (MDE) is an enterprise endpoint security platform designed to help enterprise networks with the following:
- Prevent advanced threats
- Respond to advanced threats
Enable Microsoft Defender for Endpoint Updates Patching using SCCM and WSUS
Let’s understand how to enable patching for MDE updates using SCCM and WSUS. Follow the steps below to enable the product category for Defender for Endpoint from the Software Update Point component properties window.
- Launch the SCCM console and Navigate to \Administration\Overview\Site Configuration\Sites.
- Select the primary server and click on Configure Site Component.
- Select Software Update Point from the drop-down menu.
- In the Software Update Point component properties, select the Products tab.
- Scroll down to the Windows product listing or search for the product “Microsoft Defender for Endpoint.”
- Select the product category Microsoft Defender for Endpoint.
- Click OK to continue.
Initiate Manual WSUS Sync to get Defender for Endpoint EDR Sensor Updates
It’s time to initiate a manual WSUS sync to get the Defender for Endpoint EDR sensor updates into SCCM or WSUS. You can use the following method to initiate the manual WSUS sync using the Synchronize Software Updates option.
- Navigate to Software Library\Overview\Software Updates\All Software Updates.
- Select the Synchronize Software Updates option.
- Click OK to start the manual WSUS sync.
You can refer to WSyncMgr.log (on the SCCM site server) for more details on the sync and the product selection. It lists the product(s) selected for the WSUS sync; the product Microsoft Defender for Endpoint is added to the list of products that are already being synced.

```text
Requested categories: Product=Microsoft Defender for Endpoint
```
You can check whether the KB5005292 metadata is also being synced to the WSUS DB from the Windows Update service. The following are some excerpts from WSyncMgr.log. The successful WSUS sync completion message is also in this log file, along with the source content version details.

```text
Synchronizing update d8d0bc51-69d7-4dc1-b5df-a23a795dc34f - Update for Microsoft Defender for Endpoint - KB5005292 (Version 10.8049.22439.1084)
Synchronizing update daf78164-6778-4f56-8e18-5c893d24df2d - Update for Microsoft Defender for Endpoint - KB5005292 (Version 10.8049.22439.1084)
Synchronizing update b953bcf3-ed31-4066-93ed-d82a4f42aca0 - Update for Microsoft Defender for Endpoint - KB5005292 (Version 10.8049.22439.1084)
sync: SMS synchronizing updates, processed 4202 out of 4202 items (100%)
Sync succeeded. Setting sync alert to canceled state on site MEM
Updated 18 items in SMS database, new update source content version is 122
```
Once the manual WSUS sync has completed, you can open the All Software Updates node in the admin console and filter it by Product, as described below.
- Navigate to \Software Library\Overview\Software Updates\All Software Updates
- Click the Add Criteria option at the far end of the search bar.
- Select the Product option from the drop-down list and click OK.
The software updates view now has an additional filtering option called Product. Select “Microsoft Defender for Endpoint” from the drop-down list of products.
- Click the Search button to show the filtered view of updates or patches only for the Defender for Endpoint product.
| Title of the Patch | KB Article ID | Date Released or Revised |
|---|---|---|
| Update for Microsoft Defender for Endpoint – KB5005292 (Version 10.8049.22439.1084) | 5005292 | 08-02-2022 08:45 |
| Update for Microsoft Defender for Endpoint – KB5005292 (Version 10.8049.22439.1084) | 5005292 | 7/31/2022 7:50:00 AM |
| Update for Microsoft Defender for Endpoint – KB5005292 (Version 10.8049.22439.1084) | 5005292 | 7/24/2022 7:18:00 AM |
| Update for Microsoft Defender for Endpoint – KB5005292 (Version 10.8049.22439.1084) | 5005292 | 7/21/2022 11:50:00 AM |
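The same procedure (enable the product category, run a full sync, confirm the outcome in WSyncMgr.log, and list the synced MDE updates) can be scripted with the ConfigurationManager PowerShell module that ships with the SCCM console. This is an added example, not a script from the post; the site code, site server name and log path are placeholders, and it assumes it runs on the site server, where WSyncMgr.log lives.

```powershell
# Added example (not from the post): script the console steps with the ConfigurationManager module.
# Assumptions: placeholder $SiteCode/$SiteServer, default log path, run on the site server.
param(
    [string]$SiteCode   = 'MEM',                    # placeholder: your primary site code
    [string]$SiteServer = 'SCCM01.contoso.local',   # placeholder: your site server FQDN
    [string]$LogPath    = 'C:\Program Files\Microsoft Configuration Manager\Logs\WSyncMgr.log'
)
$Product = 'Microsoft Defender for Endpoint'

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# Step 1: tick the product on the Software Update Point component's Products tab.
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode -AddProduct $Product

# Step 2: "Synchronize Software Updates" from the console, as a full sync.
# Remember where the log ends now so only lines written by this sync are inspected.
$before = (Get-Content -Path $LogPath).Count
Sync-CMSoftwareUpdate -FullSync $true

# Step 3: wait for WSyncMgr.log to report the result, then confirm the product was requested.
$deadline = (Get-Date).AddMinutes(60)
do {
    Start-Sleep -Seconds 30
    $new  = Get-Content -Path $LogPath | Select-Object -Skip $before
    $done = $new | Where-Object { $_ -match 'Sync succeeded|Sync failed' } | Select-Object -Last 1
} until ($done -or (Get-Date) -gt $deadline)

if (-not $done)                 { throw 'Sync did not finish within the timeout; inspect WSyncMgr.log' }
if ($done -match 'Sync failed') { throw "WSUS sync failed: $done" }
if (-not ($new -match "Requested categories:.*Product=$Product")) {
    throw "'$Product' was not among the requested categories; re-check the SUP Products tab"
}

# Unique MDE updates the sync pulled in, as the log names them (title, KB and version).
$pattern = "Update for $Product - KB\d+ \(Version [\d.]+\)"
$new | ForEach-Object { [regex]::Match($_, $pattern) } | Where-Object Success |
    ForEach-Object Value | Sort-Object -Unique

# Step 4: the console's Product filter on All Software Updates, scripted.
Get-CMSoftwareUpdate -Fast -Name "*$Product*" |
    Select-Object LocalizedDisplayName, ArticleID, DateRevised, IsSuperseded, IsExpired |
    Sort-Object DateRevised -Descending | Format-Table -AutoSize
```

Several rows in the console carry the same KB and version with different revision dates; the IsSuperseded and IsExpired columns help decide which revision to put in the deployment.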
You can follow the standard SCCM patch deployment process to deploy the Microsoft Defender for Endpoint EDR sensor patches to Windows servers. More details – SCCM Patch Software Update Deployment Process Guide.
Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and leader of the HTMD Community local user group. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.