Manage event-based forced updates
Applies to:
Microsoft Defender for Business
Microsoft Defender Antivirus
Platforms
- Windows
Microsoft Defender Antivirus allows you to determine if updates should (or shouldn't) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
You can use Microsoft Defender for Endpoint Security Settings Management, Microsoft Intune, Microsoft Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan.
Use Microsoft Defender for Endpoint Security Settings Management to check for protection updates before running a scan
On your Microsoft Defender for Endpoint console (https://security.microsoft.com), go to Endpoints > Configuration management > Endpoint security policies > Create new policy.
- In the Platform list, select Windows 10, Windows 11, and Windows Server.
- In the Select Templates list, select Microsoft Defender Antivirus.
Fill in the name and description, and then select Next.
Go to the Scheduled scans section and set Check For Signatures Before Running Scan to Enabled.
Deploy the updated policy as usual.
In the Microsoft Intune admin center, go to Endpoints > Configuration management > Endpoint security policies, and then select Create new policy.
- In the Platform list, select Windows 10, Windows 11, and Windows Server.
- In the Select Templates list, select Microsoft Defender Antivirus.
Fill in the name and description, and then select Next.
Go to the Scheduled scans section, and set Check For Signatures Before Running Scan to Enabled.
Save and deploy the policy.
On your Microsoft Configuration Manager console, open the antimalware policy you want to change (select Assets and Compliance in the navigation pane, then expand the tree to Overview > Endpoint Protection > Antimalware Policies).
Go to the Scheduled scans section and set Check for the latest security intelligence updates before running a scan to Yes.
Select OK.
On your Group Policy management machine, open the Group Policy Management Console.
Right-click the Group Policy Object you want to configure, and then select Edit.
Using the Group Policy Management Editor, go to Computer configuration.
Select Policies then Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > Scan.
Double-click Check for the latest virus and spyware definitions before running a scheduled scan and set the option to Enabled.
Select OK.
Use the following cmdlets:
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
Use the Set method of the MSFT_MpPreference class for the following properties:
CheckForSignaturesBeforeRunningScan
For more information, see Windows Defender WMIv2 APIs.
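The Set method call described above, as an added example that is not taken from Microsoft's documentation. It uses the built-in Invoke-CimMethod and Get-CimInstance cmdlets against the root/Microsoft/Windows/Defender namespace; the function name Set-PreScanSignatureCheck and the variable names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example; Set-PreScanSignatureCheck is a hypothetical helper name.

$DefenderNamespace = 'root/Microsoft/Windows/Defender'
$PreferenceClass   = 'MSFT_MpPreference'

function Set-PreScanSignatureCheck {
    [CmdletBinding()]
    param(
        [bool]$Enabled = $true
    )

    # Call the static Set method of MSFT_MpPreference.
    # The arguments are property/value pairs for the settings to change.
    Invoke-CimMethod -Namespace $DefenderNamespace -ClassName $PreferenceClass `
        -MethodName Set `
        -Arguments @{ CheckForSignaturesBeforeRunningScan = $Enabled } `
        -ErrorAction Stop | Out-Null

    # Read the effective value back instead of trusting that the call applied.
    $effective = (Get-CimInstance -Namespace $DefenderNamespace `
        -ClassName $PreferenceClass `
        -ErrorAction Stop).CheckForSignaturesBeforeRunningScan

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Requested    = $Enabled
        Effective    = $effective
        Applied      = ($effective -eq $Enabled)
    }
}

$result = Set-PreScanSignatureCheck -Enabled $true
$result

if (-not $result.Applied) {
    Write-Warning 'Effective value differs from the requested one; check whether a management policy also sets it.'
}
```

The read-back matters on managed endpoints, where Intune, Configuration Manager, or Group Policy may set the same value.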
You can use Group Policy to force Microsoft Defender Antivirus to check and download protection updates when the machine is started.
On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.
Using the Group Policy Management Editor, go to Computer configuration.
Select Policies then Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > Security Intelligence Updates.
Double-click Check for the latest virus and spyware definitions on startup and set the option to Enabled.
Select OK.
You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it isn't running.
On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.
Using the Group Policy Management Editor, go to Computer configuration.
Select Policies then Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > Security Intelligence Updates.
Double-click Initiate security intelligence update on startup and set the option to Enabled.
Select OK.
Use the following cmdlets:
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to manage Microsoft Defender Antivirus and Defender Antivirus cmdlets.
Use Windows Management Instrumentation (WMI) to download updates when Microsoft Defender Antivirus is not present
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureDisableUpdateOnStartupWithoutEngine
For more information, see Windows Defender WMIv2 APIs.
Microsoft Defender Antivirus can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.
If you have enabled cloud-delivered protection, Microsoft Defender Antivirus sends files it's suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender Antivirus to automatically receive that protection update. Other important protection updates can also be applied.
On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.
Using the Group Policy Management Editor, go to Computer configuration.
Select Policies then Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > Security Intelligence Updates.
Double-click Allow real-time security intelligence updates based on reports to Microsoft MAPS and set the option to Enabled. Then select OK.
Double-click Allow notifications to disable definitions-based reports to Microsoft MAPS and set the option to Enabled. Then select OK.
Note
The Allow notifications to disable definitions-based reports setting enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
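A read-only check of the prerequisite in the note above, as an added example that is not part of Microsoft's documentation. It reads MAPS membership, the pre-scan update setting, and signature freshness with Get-MpPreference and Get-MpComputerStatus; the function name Get-DefenderUpdateReadiness and the one-day age threshold are assumptions.

```powershell
# Added example; Get-DefenderUpdateReadiness is a hypothetical helper name.
function Get-DefenderUpdateReadiness {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 1   # assumed freshness threshold
    )

    $pref   = Get-MpPreference -ErrorAction Stop
    $status = Get-MpComputerStatus -ErrorAction Stop

    # MAPSReporting: 0 = disabled, 1 = Basic, 2 = Advanced membership.
    $mapsLevel = switch ([int]$pref.MAPSReporting) {
        0       { 'Disabled' }
        1       { 'Basic' }
        2       { 'Advanced' }
        default { "Unknown ($($pref.MAPSReporting))" }
    }

    $findings = @()
    if ([int]$pref.MAPSReporting -eq 0) {
        $findings += 'MAPS membership is disabled; report-based updates cannot work.'
    }
    if (-not $pref.CheckForSignaturesBeforeRunningScan) {
        $findings += 'Scheduled scans do not check for updates first.'
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($status.AntivirusSignatureAge) day(s) old."
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        MapsMembership      = $mapsLevel
        CheckBeforeScan     = [bool]$pref.CheckForSignaturesBeforeRunningScan
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureLastUpdate = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays    = $status.AntivirusSignatureAge
        Findings            = $findings
        Ready               = ($findings.Count -eq 0)
    }
}

Get-DefenderUpdateReadiness | Format-List
```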