Best Optimization for MDE Updates via MECM

Heimdallr 266 Reputation points
2023-09-25T10:18:50.92+00:00

Good Day,

I am trying to understand concept of MDE updates via MECM and how should I make this most efficient.

From what I understand on an example:

MECM is on top of WSUS, you set synchronization to one day. It contacts MS, gets updated information on new updates and if set so, downloads them. - So far so good.

MDE has at least few updates on daily basis.

It is recommended to use ADR for that, so I wonder - Does ADR if set to check per 4h, forces MECM to connect to Microsoft to check for these updates (if priority is set to: MECM>WSUS>WU>MMPC) and approve>download them?

or it uses only the data that is already downloaded from MS via above one day setting?

Can we force all MDE updates to check via MECM to verify if new updates are available, and then download them from MMPC/WU? or can we actually redirect this to use MMPC/WU if we unmark the priority of sources to not use MECM/WSUS?

What I am trying to achieve is to always be sure, that in huge infrastructure 100k+ devices, all devices will get their defender updates and definitions, but I am not sure what is the power of ADR and if these updates are separate from standard WSUS/MECM settings, so for example if above we got setting for daily scan, would that ADR do its own scan for that particular product and download it, but to reduce MECM database and network load, just make the devices self aware in best possible way, that new updates are available - here is your source in MS, not from some local DP

Thanks!

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
4,764 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,889 questions
Microsoft Configuration Manager
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. XinGuo-MSFT 17,551 Reputation points
    2023-09-26T09:23:54.01+00:00

    Hi,

    If you haven't seen it already, I recommend reading this post in the Microsoft Tech Community: Endpoint Protection Updates for Configuration Manager. It gives a good explanation of what the update source options actually do.

    It is recommended to use ADR for that, so I wonder - Does ADR if set to check per 4h, forces MECM to connect to Microsoft to check for these updates (if priority is set to: MECM>WSUS>WU>MMPC) and approve>download them?

    Yes, you can. However, remember that while frequent ADRs can help with timeliness, you should also consider the impact on network bandwidth and MECM server resources when configuring update schedules in a large-scale environment.

    Can we force all MDE updates to check via MECM to verify if new updates are available, and then download them from MMPC/WU? or can we actually redirect this to use MMPC/WU if we unmark the priority of sources to not use MECM/WSUS?

    No, there is no such method.

    here is your source in MS, not from some local DP.

    We can check "prefer cloud based source over on-promises source" option in the boundary group property to set the clients use the update source in MS, not from some local DP.

    image


  2. XinGuo-MSFT 17,551 Reputation points
    2023-09-28T08:15:00.69+00:00

    Hi,

    Does Maintenance windows affect these updates?

    Business Hours vs. Maintenance Windows with System Center 2012 Configuration Manager

    I am asking in context of having MDE Up to date as often as possible and I found out gpo named "Define the order of sources for downloading security intelligence updates"

    SUP and GPO cannot be used in parallel.

    enter image description here

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.