Microsoft Defender Antivirus ring deployment using Intune and direct internet access for Microsoft Update
Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender Antivirus
Platforms
- Windows
- Windows Server
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Tip
Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
Setting up the pilot environment
This section describes the process for setting up the pilot UAT / Test / QA environment.
On about 10-500 Windows and/or Windows Server systems, depending on how many systems you have in total:
In the Intune portal (https://endpoint.microsoft.com), create a Microsoft Defender Antivirus policy, or append to an existing one, with the settings below (for example, a pilot policy named MDAV_Settings_Pilot). If you have a Citrix environment, include at least one Citrix VM (non-persistent and/or persistent).
Note
Security intelligence update (SIU) is equivalent to signature updates, which is the same as definition updates.
Recommended settings are as follows:
| Feature | Recommendation |
|---|---|
| Engine Updates Channel | Beta Channel |
| Platform Updates Channel | Beta Channel |
| Security Intelligence Updates Channel | Current Channel (Staged) |
References
- Antivirus profiles - Devices managed by Microsoft Intune
- Use Endpoint security Antivirus policy to manage Microsoft Defender update behavior
Setting up the Production environment
In the Intune portal (https://endpoint.microsoft.com), create a Microsoft Defender Antivirus policy, or append to an existing one, with the settings below (for example, a production policy named MDAV_Settings_Production).
| Feature | Recommendation | Comments |
|---|---|---|
| Engine Updates Channel | Critical – Time delay | Delayed by two days. |
| Platform Updates Channel | Critical – Time delay | Delayed by two days. |
| Security Intelligence Updates Channel | Current Channel (Broad) | This configuration gives you 3 hours to find a false positive (FP) and prevent the production systems from receiving an incompatible signature update. |
If you encounter problems
If you encounter problems with your deployment, change the source of the Microsoft Defender Antivirus updates:
In the Intune portal (https://endpoint.microsoft.com), go to Endpoint security > Antivirus, find your production policy (for example, MDAV_Settings_Production), and under Configuration settings select Edit.
Change the entry to FileShares. This change is shown in the following figure.
What this change does
It forces Microsoft Defender Antivirus to look for the Security Intelligence Update, Engine Update or Platform Update from a file share that doesn't exist.
How long does it take for the Intune policy to refresh?
If you update a policy, the device refreshes within a few minutes (3-5 minutes) via WNS, as long as the WNS URLs are reachable.
Reference: Intune actions that immediately send a notification to a device
After the issue is resolved, set the "Signature Update Fallback Order" back to the original setting:
`InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShare`
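To confirm that a device actually landed in the intended ring, and that the FileShares workaround was not left behind after an incident, the following PowerShell (an added example, not part of the original article) compares `Get-MpPreference` output with the pilot and production tables above and the fallback order just given. It assumes the Defender PowerShell module is present and that the numeric channel values follow the Defender CSP (0 NotConfigured, 2 Beta, 3 Preview, 4 Staged, 5 Broad, 6 Delayed); the ring names and `Test-MdavRing` function are constructed here.

```powershell
# Added example: report drift between a device's effective Defender update
# settings and the ring (Pilot or Production) it is supposed to be in.
# Assumption: channel numbers follow the Defender CSP mapping below.
$ChannelNames = @{
    0 = 'Not configured';            2 = 'Beta Channel'
    3 = 'Current Channel (Preview)'; 4 = 'Current Channel (Staged)'
    5 = 'Current Channel (Broad)';   6 = 'Critical - Time delay'
}

# Expected values per ring, mirroring the pilot and production tables.
$Rings = @{
    Pilot      = @{ EngineUpdatesChannel = 2; PlatformUpdatesChannel = 2; DefinitionUpdatesChannel = 4 }
    Production = @{ EngineUpdatesChannel = 6; PlatformUpdatesChannel = 6; DefinitionUpdatesChannel = 5 }
}
# The normal fallback order; anything else (e.g. FileShares only) means the
# "stop updates" workaround is still active on this device.
$ExpectedFallback = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShare'

function Test-MdavRing {
    param(
        [Parameter(Mandatory)][ValidateSet('Pilot', 'Production')][string]$Ring,
        # Accept a previously captured object so the check can run offline.
        $Preference = (Get-MpPreference)
    )
    $drift = @()
    foreach ($setting in $Rings[$Ring].Keys) {
        $expected = $Rings[$Ring][$setting]
        $actual   = [int]$Preference.$setting
        if ($actual -ne $expected) {
            $drift += [pscustomobject]@{
                Setting  = $setting
                Expected = $ChannelNames[$expected]
                Actual   = $ChannelNames[$actual]
            }
        }
    }
    if ($Preference.SignatureFallbackOrder -ne $ExpectedFallback) {
        $drift += [pscustomobject]@{
            Setting  = 'SignatureFallbackOrder'
            Expected = $ExpectedFallback
            Actual   = $Preference.SignatureFallbackOrder
        }
    }
    if ($drift.Count -eq 0) { "Device matches the $Ring ring." } else { $drift }
}

# Run on a production-ring device after the Intune policy has refreshed.
Test-MdavRing -Ring Production
```

Run it on a sample of devices from each ring after the 3-5 minute WNS refresh window; a non-empty drift table on production devices is the signal to re-check the Intune assignment before the next signature release.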