Edit

Microsoft Defender Antivirus production ring deployment using Group Policy and network share

  • Article

Applies to:

Platforms

  • Windows
  • Windows Server

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Tip

Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.

For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see Compare Microsoft Defender for Endpoint plans.

Introduction

This article describes how to deploy Microsoft Defender Antivirus in rings using Group Policy and Network share (also known as UNC path, SMB, CIFS).

Prerequisites

Review the read me article at Readme https://github.com/microsoft/defender-updatecontrols/blob/main/README.md

  1. Download the latest Windows Defender .admx and .adml

  2. Copy the latest .admx and .adml to the Domain Controller Central Store.

  3. Create a UNC share for security intelligence and platform updates

Setting up the pilot environment

This section describes the process for setting up the pilot UAT / Test / QA environment. On about 10-500* Windows and/or Windows Server systems, depending on how many total systems that you all have.

Screenshot that shows an example Microsoft Defender Antivirus ring deployment schedule for Group Policy and network share environments.

Note

Security intelligence update (SIU) is equivelant to signature updates, which is the same as definition updates.

Create a UNC share for security intelligence and platform updates

Set up a network file share (UNC/mapped drive) to download security intelligence and platform updates from the MMPC site by using a scheduled task.

  1. On the system on which you want to provision the share and download the updates, create a folder to which you will save the script.

    Start, CMD (Run as admin)
MD C:\Tool\PS-Scripts\

  2. Create the folder to which you will save the signature updates.

    MD C:\Temp\TempSigs\x64
MD C:\Temp\TempSigs\x86

  3. Set up a PowerShell script, CopySignatures.ps1

    Copy-Item -Path “\SourceServer\Sourcefolder” -Destination “\TargetServer\Targetfolder”

  4. Use the command line to set up the scheduled task.

    Note

    There are two types of updates: full and delta.

    • For x64 delta:

      Powershell (Run as admin)

C:\Tool\PS-Scripts\

".\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $true -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1"

    • For x64 full:

      Powershell (Run as admin)

C:\Tool\PS-Scripts\

".\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $false -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1"

    • For x86 delta:

      Powershell (Run as admin)

C:\Tool\PS-Scripts\

".\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $true -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1"

    • For x86 full:

      Powershell (Run as admin)

C:\Tool\PS-Scripts\

".\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $false -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1"

    Note

    When the scheduled tasks are created, you can find these in the Task Scheduler under Microsoft\Windows\Windows Defender.

  5. Run each task manually and verify that you have data (mpam-d.exe, mpam-fe.exe, and nis_full.exe) in the following folders (you might have chosen different locations):

    • C:\Temp\TempSigs\x86
    • C:\Temp\TempSigs\x64

    If the scheduled task fails, run the following commands:

    C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64"

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $True -destDir C:\Temp\TempSigs\x64"

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $False -destDir C:\Temp\TempSigs\x86"

C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $True -destDir C:\Temp\TempSigs\x86"

    Note

    Issues could also be due to execution policy.

  6. Create a share pointing to C:\Temp\TempSigs (e.g., \\server\updates).

    Note

    At a minimum, authenticated users must have "Read" access. This requirement also applies to domain computers, the share, and NTFS (security).

  7. Set the share location in the policy to the share.

    Note

    Do not add the x64 (or x86) folder in the path. The mpcmdrun.exe process adds it automatically.

Setting up the Pilot (UAT/Test/QA) environment

This section describes the process for setting up the pilot UAT / Test / QA environment, on about 10-500 Windows and/or Windows Server systems, depending on how many total systems that you all have.

Note

If you have a Citrix enviroment, include at least 1 Citrix VM (non-persistent) and/or (persistent)

In Group Policy Management Console (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy.

  1. Edit your Microsoft Defender Antivirus policy. For example, edit MDAV_Settings_Pilot. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus. There are three related options:

    Feature Recommendation for the pilot systems
    Select the channel for Microsoft Defender daily Security Intelligence updates Current Channel (Staged)
    Select the channel for Microsoft Defender monthly Engine updates Beta Channel
    Select the channel for Microsoft Defender monthly Platform updates Beta Channel

    The three options are shown in the following figure.

    Screenshot that shows a screen capture of the pilot Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels.

    For more information, see Manage the gradual rollout process for Microsoft Defender updates

  2. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

  3. For intelligence updates, double-click Select the channel for Microsoft Defender monthly intelligence updates.

    Screenshot that shows a screen capture of the Select the channel for Microsoft Defender monthly intelligence updates page with Enabled and Current Channel (Staged) selected.

  4. On the Select the channel for Microsoft Defender monthly intelligence updates page, select Enabled, and in Options, select Current Channel (Staged).

  5. Select Apply, and then select OK.

  6. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

  7. For engine updates, double-click Select the channel for Microsoft Defender monthly engine updates.

  8. On the Select the channel for Microsoft Defender monthly Platform updates page, select Enabled, and in Options, select Beta Channel.

  9. Select Apply, and then select OK.

  10. For platform updates, double-click Select the channel for Microsoft Defender monthly Platform updates.

  11. On the Select the channel for Microsoft Defender monthly Platform updates page, select Enabled, and in Options, select Beta Channel. These two settings are shown in the following figure:

  12. Select Apply, and then select OK.

Setting up the production environment

  1. In Group Policy Management Console (GPMC, GPMC.msc), go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

    Screenshot that shows a screen capture of the production Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels.

  2. Set the three policies as follows:

    Feature Recommendation for the production systems Remarks
    Select the channel for Microsoft Defender daily Security Intelligence updates Current Channel (Broad) This setting provides you with 3 hours of time to find an FP and prevent the production systems from getting an incompatible signature update.
    Select the channel for Microsoft Defender monthly Engine updates Critical – Time delay Updates are delayed by two days.
    Select the channel for Microsoft Defender monthly Platform updates Critical – Time delay Updates are delayed by two days.

  3. For intelligence updates, double-click Select the channel for Microsoft Defender monthly intelligence updates.

  4. On the Select the channel for Microsoft Defender monthly intelligence updates page, select Enabled, and in Options, select Current Channel (Broad).

    Screenshot that shows a screen capture of the Select the channel for Microsoft Defender monthly intelligence updates page with Enabled and Current Channel (Staged) selected.

  5. Select Apply, and then select OK.

  6. For engine updates, double-click Select the channel for Microsoft Defender monthly engine updates.

  7. On the Select the channel for Microsoft Defender monthly Platform updates page, select Enabled, and in Options, select Critical – Time delay.

  8. Select Apply, and then select OK.

  9. For platform updates, double-click Select the channel for Microsoft Defender monthly Platform updates.

  10. On the Select the channel for Microsoft Defender monthly Platform updates page, select Enabled, and in Options, select Critical – Time delay.

  11. Select Apply, and then select OK.

If you encounter problems

If you encounter problems with your deployment, create or append your Microsoft Defender Antivirus policy:

  1. In Group Policy Management Console (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy using the following setting:

    Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > (administrator-defined) PolicySettingName. For example, MDAV_Settings_Production, right-click, and then select Edit. Edit for MDAV_Settings_Production is shown in the following figure:

    Screenshot that shows a screen capture of the administrator-defined Microsoft Defender Antivirus policy Edit option.

  2. Select Define the order of sources for downloading security intelligence updates.

  3. Select the radio button named Enabled.

  4. Under Options:, change the entry to FileShares, select Apply, and then select OK. This change is shown in the following figure:

    Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page.

  5. Select Define the order of sources for downloading security intelligence updates.

  6. Select the radio button named Disabled, select Apply, and then select OK. The disabled option is shown in the following figure:

    Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page with Security Intelligence updates disabled.

  7. The change is active when Group Policy updates. There are two methods to refresh Group Policy:

    • From the command line, run the Group Policy update command. For example, run gpupdate / force. For more information, see gpupdate
    • Wait for Group Policy to automatically refresh. Group Policy refreshes every 90 minutes +/- 30 minutes.

    If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy Update from the Group Policy Management Console.

    • Right-click on an organizational unit (OU) that contains the machines (for example, Desktops), select Group Policy Update. This UI command is the equivalent of doing a gpupdate.exe /force on every machine in that OU. The feature to force Group Policy to refresh is shown in the following figure:

      Screenshot that shows a screen capture of the Group Policy Management console, initiating a forced update.

  8. After the issue is resolved, set the Signature Update Fallback Order back to the original setting. InternalDefinitionUpdateServder|MicrosoftUpdateServer|MMPC|FileShare.

See also

Microsoft Defender Antivirus ring deployment overview