Stefan Röll
Hello everyone!
I'm Stefan Röll, Cloud Solution Architect at Microsoft Germany for Microsoft Intune and Configuration Manager.
Here is Part 2 of my blog series; Part 1 is Defender Definition Updates with ConfigMgr - Part 1 - Learnings from the Field.
Currently, Defender Definition Updates are officially called Security Intelligence Updates for Windows Defender Antivirus. To stay consistent with Part 1 of my blog, I will keep calling them Definition Updates: the updates that are released multiple times per day.
Check Settings of your Software Update Point
In the ConfigMgr Console go to Administration => Site Configuration => Sites
Select your Site and from the Ribbon menu select Configure Site Components => Software Update Point
Under Classifications ensure that Definition Updates and Updates are selected.
Under Products ensure that Microsoft Defender Antivirus is selected.
Select the WSUS Maintenance tab and ensure that all three checkboxes are enabled.
Select the Sync Schedule tab and ensure that your sync schedule is set to at least once a day. However, I would not recommend setting the sync to occur more often than every eight hours.
Remove existing ADRs etc.
If you have existing Automatic Deployment Rules (ADRs), Software Update Groups and/or Deployment Packages, remove them to avoid conflicts.
Configure WSUS
On your Software Update Point (SUP) open the Update Services MMC
Go to Options and select Automatic Approvals
Click New Rule and create a new Rule with the following settings:
When an update is Definition Updates
When an update is in Microsoft Defender Antivirus
Approve the Update for all Computers
Give it a name and click OK
In the Automatic Approvals Window, click on the Advanced tab and ensure that both checkboxes under Revisions to Updates are enabled.
Click OK in the Automatic Approvals Window to save the changes.
WSUS Content Cleanup
Now Defender Definition Updates will be stored on your SUP. As there is no automatic cleanup for the downloaded files, you should implement a cleanup method. If you don't, you will quickly run out of disk space on your SUP!
The cleanup can be started with the following command. I would recommend running it as a Scheduled Task once per day:
$WSUSServer = "WSUS-Server-Name"   # FQDN of your SUP / WSUS server
$WSUSPort = "8531"                 # 8531 is the SSL port; use 8530 and drop -UseSSL for plain HTTP
Get-WsusServer $WSUSServer -PortNumber $WSUSPort -UseSSL | Invoke-WsusServerCleanup -CleanupUnneededContentFiles -ErrorAction Continue
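As an added example (not part of the original post), the following registers the cleanup above as a daily Scheduled Task running as SYSTEM and logs how much space each run freed. The script path, task name and the ContentDir registry lookup are assumptions; the task account must be allowed to administer WSUS on that server.

```powershell
# Added example: wrap the WSUS content cleanup from the post in a daily scheduled task.
# Assumptions: $scriptPath and $taskName are placeholders; WSUS listens with SSL on 8531.
$scriptPath = 'C:\Scripts\Invoke-WsusContentCleanup.ps1'   # placeholder path
$taskName   = 'WSUS Definition Update Content Cleanup'

# Script body written to disk so it can be reviewed and version-controlled.
$script = @'
$WSUSServer = "WSUS-Server-Name"   # placeholder, replace with your SUP FQDN
$WSUSPort   = 8531
$logFile    = Join-Path $env:ProgramData 'WsusContentCleanup.log'
# WSUS records its content folder in the registry (assumed value name ContentDir); fall back to C:
$setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' -ErrorAction SilentlyContinue
$drive = if ($setup.ContentDir) { (Split-Path $setup.ContentDir -Qualifier).TrimEnd(':') } else { 'C' }
$freeBefore = (Get-PSDrive $drive).Free
$result = Get-WsusServer $WSUSServer -PortNumber $WSUSPort -UseSSL |
          Invoke-WsusServerCleanup -CleanupUnneededContentFiles -ErrorAction Continue
$freeAfter = (Get-PSDrive $drive).Free
# One log line per run: timestamp, MB freed on the content drive, and the cleanup summary text
"{0:u} freed={1:N0} MB result={2}" -f (Get-Date), (($freeAfter - $freeBefore) / 1MB), ($result -join ' ') |
    Add-Content -Path $logFile
'@
New-Item -Path (Split-Path $scriptPath) -ItemType Directory -Force | Out-Null
Set-Content -Path $scriptPath -Value $script -Encoding UTF8

# Daily at 03:00 as SYSTEM; StartWhenAvailable covers a missed run, the time limit stops a hung cleanup
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) -StartWhenAvailable
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null
```

Review the log after the first few runs; a consistently low "freed" value together with a shrinking content drive indicates content that this cleanup option does not cover.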
LEDBAT (optional)
As your clients will now download the content for Definition Updates from your SUP and no longer from Distribution Points (DPs), you might be worried about the traffic from your SUP to the clients.
If that's the case, you can simply enable LEDBAT for your SUP, which will throttle the download speed automatically.
To enable it, go to Administration => Site Configuration => Servers and Site System Roles and select your SUP. Right-click Software update point and enable Adjust the download speed to use the unused network bandwidth (Windows LEDBAT).
Configure Source of Definition Updates
Now you can configure Defender Antivirus to scan for Definition Updates on your SUP.
Go to Assets and Compliance => Endpoint Protection => Antimalware Policies and select your Policy.
In the Security Intelligence updates section, click on Set Source
Enable Updates distributed from WSUS and move it to the top of the list. If you want, you can also enable Updates distributed from Microsoft Update, so that clients with internet access can fall back to this source.
Deploy platform update 4.18.2001.10 manually
With the method described, you will deploy not only Defender Definition Updates, but also Defender Platform Updates which bring monthly bugfixes and new features.
However, there is one older Platform Update that you need to deploy manually, as it can request a reboot and is required to get newer versions installed.
Testing
If you have configured everything as described above, you can start testing.
First, start a new Software Update Sync by going to Software Library => Software Updates => All Software Updates => right-click => Synchronize Software Updates.
Open wsyncmgr.log and wait for the WSUS sync to complete.
Open the WSUS MMC and wait for the download to complete.
On a client you can verify that the correct update sources are set in the following registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\signature updates
Now you can run the following command line to update your Defender Definitions:
"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
Check MpCmdRun.log in your %Temp% directory for details.
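As an added example (not part of the original post), the following client-side check combines the testing steps above with the platform-version prerequisite from the previous section: it reads the source order from the registry key, triggers MpCmdRun, and reports signature age and platform version. The FallbackOrder value name and the InternalDefinitionUpdateServer token (the WSUS source) follow the documented Defender policy format and are assumptions relative to the post.

```powershell
# Added example: verify Defender update source and signature state on a client.
# Assumptions: FallbackOrder / InternalDefinitionUpdateServer per the Defender policy format;
# 4.18.2001.10 is the platform version the post says must be deployed manually first.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'
$requiredPlatform = [version]'4.18.2001.10'

# 1. WSUS must be the first entry in the pipe-separated source order
$order = (Get-ItemProperty -Path $key -Name FallbackOrder -ErrorAction SilentlyContinue).FallbackOrder
if (-not $order) {
    Write-Warning "No FallbackOrder value under $key - the antimalware policy has not applied yet."
} elseif (($order -split '\|')[0] -ne 'InternalDefinitionUpdateServer') {
    Write-Warning "WSUS is not the first source. Current order: $order"
} else {
    Write-Host "Update source order OK: $order"
}

# 2. Run the same signature update as in the post and check its exit code
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpCmdRun -SignatureUpdate | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "MpCmdRun.exe returned exit code $LASTEXITCODE - see $env:TEMP\MpCmdRun.log"
}

# 3. Report signature version/age and whether the platform meets the manual prerequisite
$status = Get-MpComputerStatus
$age = (Get-Date) - $status.AntivirusSignatureLastUpdated
[pscustomobject]@{
    SignatureVersion  = $status.AntivirusSignatureVersion
    SignatureAgeHours = [math]::Round($age.TotalHours, 1)
    PlatformVersion   = $status.AMProductVersion
    PlatformMeetsMin  = ([version]$status.AMProductVersion -ge $requiredPlatform)
} | Format-List

# 4. Tail of MpCmdRun.log from %Temp%, as the post suggests for troubleshooting
Get-Content -Path (Join-Path $env:TEMP 'MpCmdRun.log') -Tail 20
```

A signature age well above the SUP sync interval while the source order is correct points at the WSUS side (approval rule or content download), not at the client policy.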
Stefan Röll
Cloud Solution Architect – Microsoft Germany
Resources:
Defender Definition Updates with ConfigMgr - Part 1 - Learnings from the Field
Enable Endpoint Protection malware definitions to download from WSUS for ConfigMgr
Endpoint Protection malware definitions from WSUS - Configuration Manager
Microsoft Defender Antivirus security intelligence and product updates
Disclaimer:
This posting is provided "AS IS" with no warranties and confers no rights.
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.