Редагувати

Поділитися через


Manage the gradual rollout process for Microsoft Defender updates

Applies to:

Platforms

  • Windows

It's important to ensure that client components are up to date to deliver critical protection capabilities and prevent attacks.

Capabilities are provided through several components:

Updates are released monthly using a gradual release process. This process helps to enable early failure detection to identify issues as they occur and address them quickly before a larger rollout.

Note

For more information on how to control daily security intelligence updates, see Schedule Microsoft Defender Antivirus protection updates. Updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint.

Microsoft gradual rollout model

The following gradual rollout model is followed for monthly Defender updates:

  1. The first release goes out to Beta channel subscribers.

  2. After validation, feedback, and fixes, we start the gradual rollout process in a throttled way and to Preview channel subscribers first.

  3. We then proceed to release the update to the rest of the global population, scaling out from 10-100%.

Our engineers continuously monitor impact and escalate any issues to create a fix as needed.

How to customize your internal deployment process

If your machines are receiving Defender updates from Windows Update, the gradual rollout process can result in some of your devices receiving Defender updates sooner than others. The following section explains how to define a strategy that will allow automatic updates to flow differently to specific groups of devices by using update channel configuration.

Note

When planning for your own gradual release, please make sure to always have a selection of devices subscribed to the preview and staged channels. This will provide your organization as well as Microsoft the opportunity to prevent or find and fix issues specific to your environment.

For machines receiving updates through, for example, Windows Server Update Services (WSUS) or Microsoft Configuration Manager, more options are available to all Windows updates, including options for Microsoft Defender for Endpoint.

Update channels for monthly updates

You can assign a machine to an update channel to define the cadence in which a machine receives monthly engine and platform updates.

For more information on how to configure updates, see Create a custom gradual rollout process for Microsoft Defender updates.

The following update channels are available:

Channel name Description Application
Beta Channel - Prerelease Test updates before others Devices set to this channel are the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only.
Current Channel (Preview) Get Current Channel updates earlier during gradual release Devices set to this channel are offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged) Get Current Channel updates later during gradual release Devices are offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).
Current Channel (Broad) Get updates at the end of gradual release Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
Critical: Time Delay Delay Defender updates Devices are offered updates with a 48-hour delay. Best for datacenter machines that only receive limited updates. Suggested for critical environments only.
(default) If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. This means Microsoft assigns a channel to the device. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which isn't suitable for devices in a production or critical environment.

Update channels for security intelligence updates

You can also assign a machine to a channel to define the cadence in which it receives SIUs (formerly referred to as signature, definition, or daily updates). Unlike the monthly process, this gradual release cycle occurs multiple times a day.

Channel name Description Application
Current Channel (Staged) Same as Current Channel (Broad) Same as Current Channel (Broad).
Current Channel (Broad) Get updates at the end of gradual release Devices will be offered updates after the gradual release cycle. Suggested to apply to a broad set of devices in all populations, including production. Note: this setting applies to all Defender updates.
(default) If you disable or don't configure this policy, Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment.

Note

In case you wish to force an update to the newest signature instead of leveraging the time delay, you will need to remove this policy first.

Update guidance

In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This option provides the best balance between protection and possible impact associated with the changes they can introduce.

For environments where there's a need for a more controlled gradual rollout of automatic Defender updates, consider an approach with deployment groups:

  1. Participate in the Windows Insider program or assign a group of devices to the Beta Channel.

  2. Designate a pilot group that opts in to Preview Channel, typically validation environments, to receive new updates early.

  3. Designate a group of machines that receive updates later during the gradual rollout from Staged channel. Typically, this group would be a representative ~10% of the population.

  4. Designate a group of machines that receive updates after the gradual release cycle completes. These are typically important production systems.

For the remainder of devices, the default setting is to receive new updates as they arrive during the Microsoft gradual rollout process and no further configuration is required.

Adopting this model:

  • Allows you to test early releases before they reach a production environment
  • Ensure the production environment still receives regular updates and ensure protection against critical threats.

Management tools

To create your own custom gradual rollout process for monthly updates, you can use the following tools:

  • Group policy
  • Microsoft Intune
  • PowerShell

For details on how to use these tools, see Create a custom gradual rollout process for Microsoft Defender updates.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.