Windows Defender definition updates via SCCM

David Moon 581 Reputation points
2020-09-09T01:49:59.39+00:00

Hi All

Let's say I want to have the Defender definitions updated every 6 hours using SCCM.
In SCCM, I have an antimalware policy set for the client to check for updates every 6 hours. Also, the source has been set to Config Manager. This is then deployed to the appropriate collection.

Firstly, what does this actually mean? Does this mean the client actually checks with SCCM for new definitions every 6 hours? How does this actually work?

Anyway, I go ahead and set up a software update sync to happen every six hours with Microsoft Updates. The correct product and classifications are configured.
Then ADR is set up to run every 6 hours as well, to pick up the Defender-related products.
SUP is now getting populated with new updates every 6 hours. SUP is deployed to the appropriate collection.

Now, back to my first question. When will my client get the new definition installed from SCCM? Does it use the Antimalware policy to check every 6 hours and install?
OR, does it rely on the Software Updates SCAN & EVAL schedule... which is normally defaulted to run every 7 days. If so, then it really should be installing the new definitions every 7 days.

If someone can clarify how the client actually gets the defs installed from SCCM, it would be much appreciated.

Thanks, DM.

Windows 10 Security

1 answer

  1. Jason Sandys 31,301 Reputation points Microsoft Employee
    2020-09-09T20:58:35.147+00:00

    > Does this mean, the client actually checks with SCCM for new definition every 6 hours?

    That depends. The Check for Endpoint Protection security intelligence settings only have value when using a source other than ConfigMgr.

    If ConfigMgr is set as the source, then definitions are delivered to clients using update deployments created by your ADR(s) just like all other updates and thus follow the schedule defined in these update deployments.

    > Does it use the Antimalware policy to check every 6 hours and install? ... OR, does it rely on the Software Updates SCAN & EVAL schedule

    Neither. As noted, the 6 hours in the policy is only when non-ConfigMgr sources are configured. As for the update scan and eval cycles, these do not trigger update installation as that's not how updates work. Whatever deadline is configured in the update deployment is when the updates, definitions in this case, are installed.

    1 person found this answer helpful.
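
A client-side check for the outcome discussed in this thread, added here as an example and not part of the original question or answer: it reports how old the installed Defender definitions are against the 6-hour target from the question, which shows whether the update deployment deadline is delivering them on time. `Test-DefenderDefinitionAge`, its parameters and the sample object are hypothetical names; `Get-MpComputerStatus` is the built-in Defender cmdlet.

```powershell
function Test-DefenderDefinitionAge {
    [CmdletBinding()]
    param(
        # Freshness target in hours; 6 matches the interval in the question.
        [int]$MaxAgeHours = 6,

        # Status object to evaluate. When omitted, the live client is queried.
        [Parameter(ValueFromPipeline)]
        $Status,

        # Reference time, overridable so a constructed sample can be evaluated.
        [datetime]$Now = (Get-Date)
    )
    process {
        if (-not $Status) {
            # Requires the Defender module on a Windows client.
            $Status = Get-MpComputerStatus
        }

        # Time elapsed since the installed definitions were last updated.
        $age = $Now - $Status.AntivirusSignatureLastUpdated

        [pscustomobject]@{
            SignatureVersion = $Status.AntivirusSignatureVersion
            LastUpdated      = $Status.AntivirusSignatureLastUpdated
            AgeHours         = [math]::Round($age.TotalHours, 1)
            WithinTarget     = $age.TotalHours -le $MaxAgeHours
        }
    }
}

# Constructed sample (not real client output) with a placeholder version,
# evaluated 12 hours after its last definition update.
$sample = [pscustomobject]@{
    AntivirusSignatureVersion     = '0.0.0.0'
    AntivirusSignatureLastUpdated = [datetime]'2020-09-09T08:00:00'
}
$sample | Test-DefenderDefinitionAge -Now ([datetime]'2020-09-09T20:00:00')

# On a managed client, query the live status instead:
# Test-DefenderDefinitionAge -MaxAgeHours 6
```

If `WithinTarget` is regularly false on clients that use ConfigMgr as the source, the place to look is the deadline on the ADR's update deployment, as the answer describes.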
