It is important to keep your security systems up to date in order to prevent attacks.
Microsoft Defender Antivirus and Defender for Endpoint include several components which must be kept updated to protect you:
- Endpoint Detection & Response
- Next-generation protection with cloud-delivered protection
- Attack Surface Reduction
The updates come out in two release cycles: monthly engine/platform updates and daily security intelligence updates.

| Update type | Description | Release cycle | Deployment |
|---|---|---|---|
| Security intelligence updates | Contains new and updated malware detections. | Multiple times a day | Deployed using KB2267602 through the Microsoft update channels. |
| Engine updates | Contains updates to the core detection engine. | Monthly | Deployed as part of the security intelligence updates. |
| Platform updates | Updates to the product itself. Can contain new features as well as fixes for existing ones. | Monthly | Deployed using KB4052623 through the Microsoft update channels. |
In this blog I will cover both how the process works and how to manage it with a gradual release process. We do this to reduce risk while still getting computers updated as fast as possible.
Big thanks to Paul Huijbregts, Microsoft, for helping with the insight and managing the ADMX files mentioned later in the blog. He is also the author of several articles covering this; in this blog I try to bring things together from those various articles.
Big credits also to Cloudbrothers for covering this topic earlier. I have used some information from their great article. More info here.
Understanding the Monthly engine/platform updates
In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This provides the best balance between protection and the possible impact of the changes they can introduce. But sometimes an update slips through and causes issues (luckily this is very rare).
If you want to minimize the impact of such issues, you can consider using the gradual (ring) rollout strategy provided by Microsoft. This process enables early failure detection, so impact is caught as it occurs and addressed quickly before a larger rollout; in short, it minimizes the risk of causing incompatibility.
You can think of the rollout as rings, where Microsoft will deploy to ring 0, ring 1, ring 2, etc.
The phases (or “rings”) are shown below:
- The first release goes out to Beta channel subscribers.
- After validation, feedback, and fixes, Microsoft starts the gradual rollout process in a throttled way, to Preview channel subscribers first.
- Microsoft then proceeds to release the update to the rest of the global population, scaling out from 10-100% (Staged -> Broad).
- Lastly, devices in the Critical: Time Delay channel are updated.
Microsoft continuously monitors impact and escalates any issues to create a fix as needed.
Update channels for Monthly Updates
You can assign a machine to an update channel to define the phase (or “ring”) in which a machine receives monthly engine and platform updates.
| Channel name | Description | Application |
|---|---|---|
| Beta Channel – Prerelease | Test updates before others | Devices set to this channel will be the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only. |
| Current Channel (Preview) | Get Current Channel updates earlier during gradual release | Devices set to this channel will be offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments. Recommendation: when planning your own gradual release, make sure to always have a few devices subscribed to the Preview and Staged channels. Then you can test on a few machines and give feedback in case of issues. |
| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
| Critical: Time Delay | Delay Defender updates | Devices will be offered updates with a 48-hour delay. Best for datacenter machines that only receive limited updates. Suggested for critical environments only. |
| (default) | Stay up to date automatically during the gradual release cycle | If you disable or do not configure this policy, the device will remain in Current Channel (Default). Suitable for most devices. |
Update channels for Daily Updates
Daily updates are released multiple times a day, which is also why some of your machines can be on different versions at any given moment.
If you want to see the latest available version, you can query Microsoft's REST API:

```powershell
Invoke-RestMethod -Uri "https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info" | Select -ExpandProperty versions
```
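As an added example (not from the original post), the check below extends the REST call above by comparing the published platform, engine and signature versions with what Get-MpComputerStatus reports on the local machine, so a device that is lagging behind its ring stands out. The `versions.platform`, `versions.engine` and `versions.signatures` field names and the two-day signature-age threshold are assumptions.

```powershell
# Added example: compare local Defender versions with the latest published ones.
# Assumption: the REST response exposes versions.platform, versions.engine and
# versions.signatures (field names not confirmed by the original post).
function Get-DefenderVersionDrift {
    [CmdletBinding()]
    param(
        # Constructed threshold: signature sets older than this are flagged.
        [int]$MaxSignatureAgeDays = 2
    )
    $uri = 'https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info'
    $latest = (Invoke-RestMethod -Uri $uri -ErrorAction Stop).versions
    $local  = Get-MpComputerStatus

    # Map each component to its local property and the published value.
    $components = @(
        @{ Name = 'Platform';   Local = $local.AMProductVersion;          Latest = $latest.platform   }
        @{ Name = 'Engine';     Local = $local.AMEngineVersion;           Latest = $latest.engine     }
        @{ Name = 'Signatures'; Local = $local.AntivirusSignatureVersion; Latest = $latest.signatures }
    )

    foreach ($c in $components) {
        # [version] gives a numeric comparison; plain string ordering would be wrong
        # once a component number rolls over (e.g. 1.9.x vs 1.10.x).
        $behind = [version]$c.Local -lt [version]$c.Latest
        [pscustomobject]@{
            Component = $c.Name
            Local     = $c.Local
            Latest    = $c.Latest
            Behind    = $behind
        }
    }

    # Signature age is a separate signal: a Broad or Critical channel device is
    # expected to lag a little behind the newest signature, but not for days.
    $age = (Get-Date) - $local.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        Component = 'SignatureAge'
        Local     = $local.AntivirusSignatureLastUpdated
        Latest    = $null
        Behind    = ($age.TotalDays -gt $MaxSignatureAgeDays)
    }
}

Get-DefenderVersionDrift | Format-Table -AutoSize
```

A device in the Staged or Broad channel may legitimately show `Behind = True` for a few hours; a `SignatureAge` row flagged as behind is the one worth investigating.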
Note that unlike the monthly process, there is no Beta channel in the daily signature update process.
| Channel name | Description | Application |
|---|---|---|
| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates. |
| (default) | Stay up to date automatically during the gradual release cycle | If you disable or do not configure this policy, the device will remain in Current Channel (Default). Suitable for most devices. |
In case you wish to force an update to the newest signature instead of waiting out the time delay, you need to remove this policy first, or force an update using PowerShell (Update-MpSignature), Microsoft Defender for Endpoint or Endpoint Manager.
Update Recommendations
For environments where there is a need for a more controlled gradual rollout of automatic Defender updates, consider creating target groups of machines covering the rings below:
- Participate in the Windows Insider program if you want to be on the leading edge of testing.
- Get a few machines in the Beta Channel. I would go with 5 computers in IT.
- Designate a pilot group that get in the Preview Channel, typically from different departments using different apps. I would go with 25 computers.
- Designate a group of machines that receive updates later during the gradual rollout, from the Staged channel. Typically, this would be a representative ~10% of the machines.
- Most of the remaining machines (roughly 70-80%) go into the Broad channel.
- The remaining computers go into the Critical: Time Delay ring and are updated last. These can for example be critical production computers.
How to implement Defender Antivirus gradual release rollout?
To create your own custom gradual rollout process for updates, I have chosen to cover the following tools in my blog:
- Group policy
- Microsoft Endpoint Manager
- PowerShell
For machines receiving updates through, for example, Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager (MECM), more options are available for all Windows updates, including options for Microsoft Defender for Endpoint.
Read more about how to use a solution like WSUS or MECM to manage the distribution and application of updates in Manage Microsoft Defender Antivirus updates and apply baselines – Windows security.
Group Policy
You can use Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints.
Download the most current ADMX/ADML files and put them into your Sysvol\PolicyDefinitions folder. The latest files can be found here (forked from Microsoft).
In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
- On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object (GPO) you want to configure and click Edit.
- Using the Group Policy Management Editor, go to Computer configuration.
- Click Administrative templates.
- Expand the tree to Windows components > Microsoft Defender Antivirus.
- Expand the section (referred to as Location in the table below in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
| Setting title | Description | GPO Location |
|---|---|---|
| Select gradual Microsoft Defender monthly platform update rollout channel | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). Critical: Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
| Select gradual Microsoft Defender monthly engine update rollout channel | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). Critical: Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
| Select gradual Microsoft Defender daily security intelligence updates rollout channel | Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of your production population (~10%). Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
| Disable gradual rollout of Microsoft Defender updates | Enable this policy to disable gradual rollout of Defender updates. Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: This setting applies to both monthly and daily Defender updates and will override any previously configured channel selections for platform and engine updates. If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in the specific channels for platform and engine updates: stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus\MpEngine |
Microsoft Endpoint Manager
You can choose between two methods: Device Update Control or the OMA-URI method.
The previously mentioned method with ADMX isn't working anymore. Thank you Radu Bagdan for pointing that out. I recommend using method #1, which is pretty new. Thx Microsoft.
Method 1 (Device Update Control)
Method 2 (OMA-URI)
Follow the instructions in the link below to create a custom policy in Intune:
Add custom settings for Windows 10 devices in Microsoft Intune – Azure | Microsoft Docs
Create the respective entries for each OMA-URI shown below:

| OMA-URI | Data type | Value |
|---|---|---|
| ./Vendor/MSFT/Defender/Configuration/SecurityIntelligenceUpdatesChannel | Integer | 3 (Preview), 4 (Staged), 5 (Broad / Disabled), 6 (Critical: Time Delay) |
| ./Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel | Integer | 2 (Beta), 3 (Preview), 4 (Staged), 5 (Broad / Disabled), 6 (Critical: Time Delay) |
For more information on the Defender CSP used for the gradual rollout process, see Defender CSP.
PowerShell
Use the Set-MpPreference cmdlet to configure the gradual update rollout.
Use the following parameters:

```powershell
Set-MpPreference `
    -PlatformUpdatesChannel Beta|Preview|Staged|Broad|Delayed|NotConfigured `
    -EngineUpdatesChannel Beta|Preview|Staged|Broad|Delayed|NotConfigured `
    -DisableGradualRelease 1|0 `
    -SignaturesUpdatesChannel Staged|Broad|NotConfigured
```
Example: `Set-MpPreference -PlatformUpdatesChannel Beta` configures platform updates to arrive from the Beta Channel.
Check your settings using this command:

```powershell
Get-MpPreference | Select *Channel*, *Gradual* | Format-List
```
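As an added example (not from the original post), the script below applies the ring design from the Update Recommendations section with Set-MpPreference and reads the result back with Get-MpPreference, so what gets reported is the applied state rather than the intended one. The `$ringMembership` table of computer names is constructed for illustration; in practice the ring would be derived from an AD or Intune device group (an assumption, not something the post specifies).

```powershell
# Added example: map a machine to a rollout ring and apply the matching channels.
# Constructed ring membership (assumption: in production derive this from a group).
$ringMembership = @{
    'IT-PC01'    = 'Beta'
    'SALES-PC07' = 'Preview'
    'HR-PC12'    = 'Staged'
    'PLANT-PC03' = 'Critical'
}

# Channel per ring, using the Set-MpPreference parameter values listed above.
# Daily signature updates have no Beta/Preview/Delayed channel, so the Beta and
# Preview rings leave signatures at NotConfigured (default) and the Critical ring
# uses Broad, the latest daily channel available.
$ringSettings = @{
    Beta     = @{ PlatformUpdatesChannel = 'Beta';    EngineUpdatesChannel = 'Beta';    SignaturesUpdatesChannel = 'NotConfigured' }
    Preview  = @{ PlatformUpdatesChannel = 'Preview'; EngineUpdatesChannel = 'Preview'; SignaturesUpdatesChannel = 'NotConfigured' }
    Staged   = @{ PlatformUpdatesChannel = 'Staged';  EngineUpdatesChannel = 'Staged';  SignaturesUpdatesChannel = 'Staged' }
    Broad    = @{ PlatformUpdatesChannel = 'Broad';   EngineUpdatesChannel = 'Broad';   SignaturesUpdatesChannel = 'Broad' }
    Critical = @{ PlatformUpdatesChannel = 'Delayed'; EngineUpdatesChannel = 'Delayed'; SignaturesUpdatesChannel = 'Broad' }
}

function Set-DefenderRing {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Machines not listed explicitly land in Broad, matching the 70-80% bulk of the fleet.
    $ring = if ($ringMembership.ContainsKey($ComputerName)) { $ringMembership[$ComputerName] } else { 'Broad' }
    $settings = $ringSettings[$ring]

    # Splatting passes the hashtable keys as Set-MpPreference parameters.
    Set-MpPreference @settings

    # Read back the effective preference instead of trusting the call succeeded.
    $pref = Get-MpPreference
    [pscustomobject]@{
        ComputerName             = $ComputerName
        Ring                     = $ring
        PlatformUpdatesChannel   = $pref.PlatformUpdatesChannel
        EngineUpdatesChannel     = $pref.EngineUpdatesChannel
        SignaturesUpdatesChannel = $pref.SignaturesUpdatesChannel
        DisableGradualRelease    = $pref.DisableGradualRelease
    }
}

Set-DefenderRing | Format-List
```

Get-MpPreference reports the channels as their numeric values rather than the names passed to Set-MpPreference, so compare against the integer mapping from the OMA-URI table when validating.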