Microsoft Defender Antivirus production ring deployment using Group Policy and Microsoft Updates

Applies to:

Platforms

  • Windows
  • Windows Server


Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Tip

Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.

Prerequisites

Review the README at https://github.com/microsoft/defender-updatecontrols/blob/main/README.md

Download the latest Windows Defender .admx and .adml

Copy the latest .admx and .adml to the Domain Controller Central Store.

Setting up the Pilot (UAT/Test/QA) environment

This section describes the process for setting up the pilot UAT / Test / QA environment.

Screenshot that shows an example schedule for Microsoft Defender Antivirus ring deployments in Group Policy and Microsoft Updates environments.

Note

Security intelligence update (SIU) is equivalent to signature updates, which is the same as definition updates.

On about 10-500 Windows and/or Windows Server systems, depending on how many systems you have in total, perform the following tasks.

Note

If you have a Citrix environment, include at least one Citrix VM (non-persistent and/or persistent).

In Group Policy Management Console (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy.

  1. Edit your Microsoft Defender Antivirus policy. For example, edit MDAV_Settings_Pilot. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus. There are three related options:

    | Feature | Recommendation for the pilot systems |
    |---|---|
    | Select the channel for Microsoft Defender daily Security Intelligence updates | Current Channel (Staged) |
    | Select the channel for Microsoft Defender monthly Engine updates | Beta Channel |
    | Select the channel for Microsoft Defender monthly Platform updates | Beta Channel |

    The three options are shown in the following figure.

    Screenshot that shows a screen capture of the pilot Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels.

    For more information, see Manage the gradual rollout process for Microsoft Defender updates

  2. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

  3. For intelligence updates, double-click Select the channel for Microsoft Defender monthly intelligence updates.

    Screenshot that shows a screen capture of the Select the channel for Microsoft Defender monthly intelligence updates page with Enabled and Current Channel (Staged) selected.

  4. On the Select the channel for Microsoft Defender monthly intelligence updates page, select Enabled, and in Options, select Current Channel (Staged).

  5. Select Apply, and then select OK.

  6. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

  7. For engine updates, double-click Select the channel for Microsoft Defender monthly engine updates.

  8. On the Select the channel for Microsoft Defender monthly engine updates page, select Enabled, and in Options, select Beta Channel.

  9. Select Apply, and then select OK.

  10. For platform updates, double-click Select the channel for Microsoft Defender monthly Platform updates.

  11. On the Select the channel for Microsoft Defender monthly Platform updates page, select Enabled, and in Options, select Beta Channel. These two settings are shown in the following figure:

  12. Select Apply, and then select OK.

Setting up the production environment

  1. In Group Policy Management Console (GPMC, GPMC.msc), go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

    Screenshot that shows a screen capture of the production Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels.

  2. Set the three policies as follows:

    | Feature | Recommendation for the production systems | Remarks |
    |---|---|---|
    | Select the channel for Microsoft Defender daily Security Intelligence updates | Current Channel (Broad) | This setting gives you 3 hours to find a false positive (FP) and keep the production systems from receiving an incompatible signature update. |
    | Select the channel for Microsoft Defender monthly Engine updates | Critical – Time delay | Updates are delayed by two days. |
    | Select the channel for Microsoft Defender monthly Platform updates | Critical – Time delay | Updates are delayed by two days. |
  3. For intelligence updates, double-click Select the channel for Microsoft Defender monthly intelligence updates.

  4. On the Select the channel for Microsoft Defender monthly intelligence updates page, select Enabled, and in Options, select Current Channel (Broad).

    Screenshot that shows a screen capture of the Select the channel for Microsoft Defender monthly intelligence updates page with Enabled and Current Channel (Staged) selected.

  5. Select Apply, and then select OK.

  6. For engine updates, double-click Select the channel for Microsoft Defender monthly engine updates.

  7. On the Select the channel for Microsoft Defender monthly engine updates page, select Enabled, and in Options, select Critical – Time delay.

  8. Select Apply, and then select OK.

  9. For platform updates, double-click Select the channel for Microsoft Defender monthly Platform updates.

  10. On the Select the channel for Microsoft Defender monthly Platform updates page, select Enabled, and in Options, select Critical – Time delay.

  11. Select Apply, and then select OK.
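To confirm that the pilot or production policy actually landed on an endpoint, the following PowerShell audit (added here; it is not part of the Microsoft article) reads the effective channel settings with Get-MpPreference and compares them with the ring tables above, and also reports the signature fallback order used in the troubleshooting section. The numeric channel codes in the mapping are an assumption taken from the Defender gradual-rollout documentation and should be checked against your ADMX.

```powershell
# Added example, not from the Microsoft article: audit a device's effective Defender
# update channels against the ring it should belong to. ASSUMPTION: the numeric codes
# follow the gradual-rollout docs (0 Not configured, 2 Beta, 3 Preview, 4 Staged,
# 5 Broad, 6 Critical - Time delay); confirm them against your ADMX before relying on them.
$ChannelNames = @{
    0 = 'Not configured'; 2 = 'Beta Channel'; 3 = 'Current Channel (Preview)'
    4 = 'Current Channel (Staged)'; 5 = 'Current Channel (Broad)'; 6 = 'Critical - Time delay'
}
# Expected channel per ring, taken from the pilot and production tables in this article.
$Rings = @{
    Pilot      = @{ DefinitionUpdatesChannel = 4; EngineUpdatesChannel = 2; PlatformUpdatesChannel = 2 }
    Production = @{ DefinitionUpdatesChannel = 5; EngineUpdatesChannel = 6; PlatformUpdatesChannel = 6 }
}
# Fallback order the article restores after an incident (see "If you encounter problems").
$ExpectedFallbackOrder = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares'

function Test-DefenderRing {
    param(
        [Parameter(Mandatory)][ValidateSet('Pilot', 'Production')][string]$Ring,
        # Defaults to live Get-MpPreference output; pass a custom object to test offline.
        $Preference = (Get-MpPreference)
    )
    $expected = $Rings[$Ring]
    $report = @(foreach ($setting in $expected.Keys) {
        $actual = $Preference.$setting -as [int]   # $null if the property is missing or not numeric
        $actualName = if ($null -ne $actual -and $ChannelNames.ContainsKey($actual)) { $ChannelNames[$actual] } else { "$($Preference.$setting) (unmapped)" }
        [pscustomobject]@{
            Setting   = $setting
            Expected  = $ChannelNames[$expected[$setting]]
            Actual    = $actualName
            Compliant = ($actual -eq $expected[$setting])
        }
    })
    # A device left on FileShares after troubleshooting only receives security intelligence
    # from that share, so report the fallback order alongside the channels.
    $fallback = [string]$Preference.SignatureFallbackOrder
    $report += [pscustomobject]@{
        Setting   = 'SignatureFallbackOrder'
        Expected  = $ExpectedFallbackOrder
        Actual    = $fallback
        Compliant = ($fallback -eq $ExpectedFallbackOrder)
    }
    return $report
}

Test-DefenderRing -Ring Production | Format-Table -AutoSize
```

Run it on a pilot device with -Ring Pilot; any row with Compliant set to False means the GPO has not applied yet or another policy source is overriding it.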

If you encounter problems

If you encounter problems with your deployment, create or append to your Microsoft Defender Antivirus policy:

  1. In Group Policy Management Console (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy using the following setting:

    Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > (administrator-defined) PolicySettingName (for example, MDAV_Settings_Production), right-click it, and then select Edit. The Edit option for MDAV_Settings_Production is shown in the following figure:

    Screenshot that shows a screen capture of the administrator-defined Microsoft Defender Antivirus policy Edit option.

  2. Select Define the order of sources for downloading security intelligence updates.

  3. Select the radio button named Enabled.

  4. Under Options:, change the entry to FileShares, select Apply, and then select OK. This change is shown in the following figure:

    Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page.

  5. Select Define the order of sources for downloading security intelligence updates.

  6. Select the radio button named Disabled, select Apply, and then select OK. The disabled option is shown in the following figure:

    Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page with Security Intelligence updates disabled.

  7. The change is active when Group Policy updates. There are two methods to refresh Group Policy:

    • From the command line, run the Group Policy update command. For example, run gpupdate /force. For more information, see gpupdate.
    • Wait for Group Policy to automatically refresh. Group Policy refreshes every 90 minutes +/- 30 minutes.

    If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy Update from the Group Policy Management Console.

    • Right-click an organizational unit (OU) that contains the machines (for example, Desktops), and then select Group Policy Update. This UI command is the equivalent of running gpupdate.exe /force on every machine in that OU. The feature to force Group Policy to refresh is shown in the following figure:

      Screenshot that shows a screen capture of the Group Policy Management console, initiating a forced update.

  8. After the issue is resolved, set the Signature Update Fallback Order back to the original setting, for example InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares.

See also