How to implement a gradual (ring) rollout process for Microsoft Defender updates

It is important to keep your security systems up to date in order to prevent attacks.

Microsoft Defender Antivirus and Defender for Endpoint include several components which must be kept updated to protect us:

  • Endpoint Detection & Response
  • Next-generation protection with cloud-delivered protection
  • Attack Surface Reduction

The updates come out in 2 release cycles: monthly engine/platform updates and daily security intelligence updates.

Update type: Security intelligence updates
  Description: Contains new and updated malware detections.
  Release cycle: Multiple times a day
  Deployment: Deployed using KB2267602 through the Microsoft update channels.

Update type: Engine updates
  Description: Contains updates to the core detection engine.
  Release cycle: Monthly
  Deployment: Deployed as part of the security intelligence updates.

Update type: Platform updates
  Description: Updates to the product itself. It can contain new features as well as fixes for existing ones.
  Release cycle: Monthly
  Deployment: Deployed using KB4052623 through the Microsoft update channels.

In this blog I will cover both how the update process works and how to manage it with a gradual release process. We do this to reduce risk while still getting computers updated as fast as possible.

Big thanks to Paul Huijbregts, Microsoft, for providing insight and for maintaining the ADMX files mentioned later in the blog. He is also the author of several articles covering this topic; in this blog I try to bring the information from those various articles together.

Big credits also to Cloudbrothers for covering this topic earlier. I have used some information from their great article. More info here


Understanding the Monthly engine/platform updates

In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This provides the best balance between protection and the possible impact of the changes they can introduce. But sometimes an update slips through and causes issues (luckily this is very rare).

If you want to minimize the impact of such issues, you can consider using the gradual (ring) rollout strategy provided by Microsoft. This process enables early failure detection: impact is caught as it occurs and addressed quickly before the larger rollout, in short minimizing the risk of causing incompatibility.

You can think of the rollout as rings, where Microsoft will deploy to ring 0, ring 1, ring 2, etc.

The phases (or “rings”) are shown below:

  1. The first release goes out to Beta channel subscribers.
  2. After validation, feedback, and fixes, Microsoft starts the gradual rollout process in a throttled way, to Preview channel subscribers first.
  3. Microsoft then proceeds to release the update to the rest of the global population, scaling out from 10% to 100% (Staged -> Broad).
  4. Lastly, devices in the Critical: Time Delay channel are updated.

Microsoft continuously monitors impact and escalates any issues to create a fix as needed.

Update channels for Monthly Updates

You can assign a machine to an update channel to define the phase (or “ring”) in which a machine receives monthly engine and platform updates.

Channel name: Beta Channel – Prerelease
  Description: Test updates before others
  Application: Devices set to this channel will be the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only.

Channel name: Current Channel (Preview)
  Description: Get Current Channel updates earlier during gradual release
  Application: Devices set to this channel will be offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments.

Channel name: Current Channel (Staged)
  Description: Get Current Channel updates later during gradual release
  Application: Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).

Channel name: Current Channel (Broad)
  Description: Get updates at the end of gradual release
  Application: Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).

Channel name: Critical: Time Delay
  Description: Delay Defender updates
  Application: Devices will be offered updates with a 48-hour delay. Best for datacenter machines that only receive limited updates. Suggested for critical environments only.

Channel name: (default)
  Application: If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices.

Recommendation
When planning your own gradual release, make sure to always have a few devices subscribed to the Preview and Staged channels. Then you can test on a few machines and give feedback to Microsoft in case of issues.

Update channels for Daily Updates

Daily updates are released multiple times a day. This is also why some of your machines can be on different versions at the same time.

If you want to see the latest available versions, you can query them through a REST API:

Invoke-RestMethod -Uri "https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info" | Select -ExpandProperty versions
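The one-liner above only shows what Microsoft has published. What you usually want to know is whether a given device is behind, which is what this added example does (it is not code from the original post). It compares the published versions with the values reported by Get-MpComputerStatus on the local machine. It assumes the REST response carries the versions as the platform, engine and signatures properties, as shown by the one-liner; the Get-MpComputerStatus property names are the cmdlet's own.

```powershell
# Added example, not from the original post: compare the latest published Defender
# versions with what this device is running, to spot devices lagging behind.
# Assumption: the adlpackages endpoint returns a 'versions' object with the
# 'platform', 'engine' and 'signatures' properties.

function Get-LatestDefenderVersions {
    $uri = 'https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info'
    (Invoke-RestMethod -Uri $uri).versions
}

function Compare-DefenderVersions {
    param(
        [Parameter(Mandatory)] $Latest,   # object with platform/engine/signatures
        [Parameter(Mandatory)] $Status    # output of Get-MpComputerStatus
    )
    # Map the local Get-MpComputerStatus properties to the published version names.
    $pairs = @(
        @{ Component = 'Platform';   Local = $Status.AMProductVersion;          Latest = $Latest.platform   }
        @{ Component = 'Engine';     Local = $Status.AMEngineVersion;           Latest = $Latest.engine     }
        @{ Component = 'Signatures'; Local = $Status.AntivirusSignatureVersion; Latest = $Latest.signatures }
    )
    foreach ($p in $pairs) {
        # [version] compares segment by segment, so 1.1.19900.2 is newer than 1.1.9999.9
        # (a plain string comparison would get this wrong).
        $local  = [version]$p.Local
        $latest = [version]$p.Latest
        [pscustomobject]@{
            Component = $p.Component
            Local     = $local.ToString()
            Latest    = $latest.ToString()
            State     = if ($local -lt $latest) { 'Behind' } else { 'Current' }
        }
    }
}

# Run it on this device. Devices in the later rings (Staged, Broad, Critical) are
# expected to report 'Behind' for a while; a Beta or Preview device that stays
# behind for days is the signal worth investigating.
$report = Compare-DefenderVersions -Latest (Get-LatestDefenderVersions) -Status (Get-MpComputerStatus)
$report | Format-Table -AutoSize
```

Run the script on a few devices from each ring and keep the output; the expected pattern is that early rings report Current first and the later rings catch up over the release cycle. A device that reports Behind on signatures for more than a day, regardless of ring, usually has an update delivery problem rather than a channel setting.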

Note that unlike the monthly process, there is no Beta channel in the daily signature update process.

Channel name: Current Channel (Staged)
  Description: Get Current Channel updates later during gradual release
  Application: Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).

Channel name: Current Channel (Broad)
  Description: Get updates at the end of gradual release
  Application: Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates.

Channel name: (default)
  Application: If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices.

If you wish to force an update to the newest signature instead of waiting out the time delay, you will need to remove this policy first, or force an update using PowerShell (Update-MpSignature), Microsoft Defender for Endpoint or Endpoint Manager.

Update Recommendations

For environments where a more controlled gradual rollout of automatic Defender updates is needed, consider creating target groups of machines covering the groups below:

  1. Participate in the Windows Insider program if you want to be on the leading edge of testing.
  2. Get a few machines into the Beta Channel. I would go with 5 computers in IT.
  3. Designate a pilot group that is placed in the Preview Channel, typically from different departments using different apps. I would go with 25 computers.
  4. Designate a group of machines that receive updates later during the gradual rollout, from the Staged channel. Typically, this would be a representative ~10% of the machines.
  5. Most of the remaining machines go into the Broad channel (>70-80%).
  6. The remaining computers go into the critical ring and are updated last. These can for example be critical production computers.
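The hardest part of the list above in practice is keeping the ring membership stable: if the ~10% Staged sample is re-drawn every time the inventory changes, devices silently move between rings and your test coverage becomes meaningless. The following added example (not from the original post) turns the six groups into a ring plan. The hand-picked Beta, Preview and Critical lists win; everything else is split between Staged and Broad using a hash of the device name, so re-running the script never moves a device. The inventory and the device names are constructed for the example; feed them from AD, Intune or your CMDB in practice.

```powershell
# Added example, not from the original post: assign a device inventory to the rings
# recommended above. Hand-picked lists (Beta, Preview, Critical) take precedence;
# the rest is split Staged/Broad by a stable hash of the device name so the plan
# is deterministic across runs. The inventory below is constructed for the example.

function Get-StableBucket {
    # Returns a number in 0..($Buckets-1) that is identical on every run for the same name.
    param([Parameter(Mandatory)][string]$Name, [int]$Buckets = 100)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Name.ToLowerInvariant())
        $hash  = $sha.ComputeHash($bytes)
        # First four bytes as an unsigned integer, reduced to a percentage bucket
        [int]([System.BitConverter]::ToUInt32($hash, 0) % $Buckets)
    } finally {
        $sha.Dispose()
    }
}

function New-DefenderRingPlan {
    param(
        [Parameter(Mandatory)][string[]]$Devices,
        [string[]]$BetaDevices     = @(),   # a handful of IT machines
        [string[]]$PreviewDevices  = @(),   # pilot group across departments
        [string[]]$CriticalDevices = @(),   # critical production, updated last
        [int]$StagedPercent = 10            # representative ~10% sample
    )
    foreach ($d in $Devices) {
        $ring = if     ($BetaDevices     -contains $d) { 'Beta' }
                elseif ($PreviewDevices  -contains $d) { 'Preview' }
                elseif ($CriticalDevices -contains $d) { 'Critical' }
                elseif ((Get-StableBucket -Name $d) -lt $StagedPercent) { 'Staged' }
                else   { 'Broad' }
        [pscustomobject]@{ Device = $d; Ring = $ring }
    }
}

# Constructed inventory: 200 workstations plus three production servers
$inventory = @(1..200 | ForEach-Object { 'WS-{0:D4}' -f $_ }) +
             @('SQL-PROD-01', 'SQL-PROD-02', 'ERP-APP-01')

$plan = New-DefenderRingPlan -Devices $inventory `
    -BetaDevices     @('WS-0001', 'WS-0002', 'WS-0003', 'WS-0004', 'WS-0005') `
    -PreviewDevices  @(6..30 | ForEach-Object { 'WS-{0:D4}' -f $_ }) `
    -CriticalDevices @('SQL-PROD-01', 'SQL-PROD-02', 'ERP-APP-01')

# Sanity-check the distribution before creating the AD or Intune device groups,
# then export the plan as the source for group membership.
$plan | Group-Object Ring | Select-Object Name, Count | Sort-Object Name
$plan | Export-Csv -Path .\DefenderRingPlan.csv -NoTypeInformation
```

The exported CSV is the single source of truth for the groups you create in the Group Policy, Endpoint Manager or PowerShell sections below; when a new device appears in the inventory it lands in Staged or Broad according to its hash, and only the three hand-picked lists ever need editing.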

How to implement Defender Antivirus gradual release rollout?

To create your own custom gradual rollout process for updates, I have chosen to cover the following tools in my blog:

  • Group policy
  • Microsoft Endpoint Manager
  • PowerShell

For machines receiving updates through, for example, Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager (MECM), more options are available for all Windows updates, including options for Microsoft Defender for Endpoint.

Read more about how to use a solution like WSUS, MECM to manage the distribution and application of updates at Manage Microsoft Defender Antivirus updates and apply baselines – Windows security.

Group Policy

You can use Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints.

Download the most current ADMX/ADML files and put them into your Sysvol\PolicyDefinitions. The latest file can be found here (forked from Microsoft)

In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object (GPO) you want to configure and click Edit.
  2. Using the Group Policy Management Editor go to Computer configuration.
  3. Click Administrative templates.
  4. Expand the tree to Windows components > Microsoft Defender Antivirus.
  5. Expand the section (referred to as GPO Location in the table below) that contains the setting you want to configure, double-click the setting to open it, and make your configuration changes.

Setting title: Select gradual Microsoft Defender monthly platform update rollout channel
GPO Location: Windows Components\Microsoft Defender Antivirus
Description: Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.

Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.

Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.

Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).

Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).

Critical: Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.

Setting title: Select gradual Microsoft Defender monthly engine update rollout channel
GPO Location: Windows Components\Microsoft Defender Antivirus
Description: Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.

Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.

Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.

Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).

Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).

Critical: Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.

Setting title: Select gradual Microsoft Defender daily security intelligence updates rollout channel
GPO Location: Windows Components\Microsoft Defender Antivirus
Description: Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.

Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of your production population (~10%).

Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).

If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.

Setting title: Disable gradual rollout of Microsoft Defender updates
GPO Location: Windows Components\Microsoft Defender Antivirus\MpEngine
Description: Enable this policy to disable gradual rollout of Defender updates.

Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates.

Note: This setting applies to both monthly and daily Defender updates and will override any previously configured channel selections for platform and engine updates.

If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in the specific channels for platform and engine updates: Stay up to date automatically during the gradual release cycle. Suitable for most devices.

Microsoft Endpoint Manager

You can choose between two methods: the ADMX file or the OMA-URI method.

Method #1 (ADMX)

In Microsoft Endpoint Manager, you can import the ADMX-file. The latest file can be found here (forked from Microsoft)

If the import fails with a dependency error, it is because WindowsDefender.admx depends on the Windows.admx file, which must be imported first.

Download the latest ADMX-file for Windows. Here is a link for Administrative Templates (.admx) for Windows 10 2022 Update (22H2)

Import the Windows.admx file first, then you can import the WindowsDefender.admx

Now you can create a new policy with profile type Templates – choose ‘Imported Administrative templates’

Method #2 (OMA-URI)

Follow the instructions in below link to create a custom policy in Intune:

Add custom settings for Windows 10 devices in Microsoft Intune – Azure | Microsoft Docs

Create the respective entries for each OMA-URI shown below.

OMA-URI: ./Vendor/MSFT/Defender/Configuration/SecurityIntelligenceUpdatesChannel
  Data type: Integer
  Value:
    3 (Preview)
    4 (Staged)
    5 (Broad / Disabled)
    6 (Critical: Time Delay)

OMA-URI: ./Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel
  Data type: Integer
  Value:
    2 (Beta)
    3 (Preview)
    4 (Staged)
    5 (Broad / Disabled)
    6 (Critical: Time Delay)

For more information on the Defender CSP used for the gradual rollout process, see Defender CSP.

PowerShell

Use the Set-MpPreference cmdlet to configure the gradual rollout channels.

Use the following parameters:

Set-MpPreference
-PlatformUpdatesChannel Beta|Preview|Staged|Broad|Delayed|NotConfigured
-EngineUpdatesChannel Beta|Preview|Staged|Broad|Delayed|NotConfigured
-DisableGradualRelease 1|0
-SignaturesUpdatesChannel Staged|Broad|NotConfigured

Example:

Use Set-MpPreference -PlatformUpdatesChannel Beta to configure platform updates to arrive from the Beta Channel.

Check your settings using this command

Get-MpPreference | Select *Channel*, *Gradual* | Format-List
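Setting the channel on one device is the easy part; in a ring rollout the devices in each ring must all carry the same channel settings, and drift (a device set to Broad sitting in the Staged group, or DisableGradualRelease silently overriding the channels) is what breaks the process. The following added example (not code from the original post) ties the ring names used in this blog to the Set-MpPreference parameters above and verifies the result with Get-MpPreference. It assumes that Get-MpPreference reports each channel as the same integer codes the OMA-URI table above uses (2 Beta, 3 Preview, 4 Staged, 5 Broad, 6 Critical: Time Delay, which is the Delayed value in PowerShell) with 0 for NotConfigured. Because the daily signature channel only offers Staged and Broad, the Beta and Preview rings leave it NotConfigured and the Critical ring uses Broad; that is a design choice of this example, not a requirement.

```powershell
# Added example, not from the original post: apply and verify the Defender update
# channels for one ring using Set-MpPreference / Get-MpPreference.
# Assumption: Get-MpPreference reports the channels as integers matching the
# OMA-URI values in this post (2 Beta, 3 Preview, 4 Staged, 5 Broad, 6 Delayed)
# and 0 for NotConfigured.

$RingChannels = @{
    Beta     = @{ Platform = 'Beta';    Engine = 'Beta';    Signatures = 'NotConfigured' }
    Preview  = @{ Platform = 'Preview'; Engine = 'Preview'; Signatures = 'NotConfigured' }
    Staged   = @{ Platform = 'Staged';  Engine = 'Staged';  Signatures = 'Staged' }
    Broad    = @{ Platform = 'Broad';   Engine = 'Broad';   Signatures = 'Broad' }
    Critical = @{ Platform = 'Delayed'; Engine = 'Delayed'; Signatures = 'Broad' }
}
$ChannelCode = @{ NotConfigured = 0; Beta = 2; Preview = 3; Staged = 4; Broad = 5; Delayed = 6 }

function Set-DefenderRing {
    # Applies the three channel settings for the ring; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Beta', 'Preview', 'Staged', 'Broad', 'Critical')][string]$Ring)
    $c = $RingChannels[$Ring]
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set Defender update channels for ring '$Ring'")) {
        Set-MpPreference -PlatformUpdatesChannel   $c.Platform `
                         -EngineUpdatesChannel     $c.Engine `
                         -SignaturesUpdatesChannel $c.Signatures
    }
}

function Test-DefenderRing {
    # Returns one row per channel with expected and actual values; rows where
    # Compliant is $false are what a compliance report should surface.
    param([Parameter(Mandatory)][ValidateSet('Beta', 'Preview', 'Staged', 'Broad', 'Critical')][string]$Ring)
    $expected = $RingChannels[$Ring]
    $pref     = Get-MpPreference
    if ($pref.DisableGradualRelease) {
        # Per the GPO description above, this overrides every channel selection.
        Write-Warning 'DisableGradualRelease is set; it overrides the channel selections below.'
    }
    $checks = @(
        @{ Channel = 'Platform';   Actual = [int]$pref.PlatformUpdatesChannel   }
        @{ Channel = 'Engine';     Actual = [int]$pref.EngineUpdatesChannel     }
        @{ Channel = 'Signatures'; Actual = [int]$pref.SignaturesUpdatesChannel }
    )
    foreach ($k in $checks) {
        $wantName = $expected[$k.Channel]
        $wantCode = $ChannelCode[$wantName]
        [pscustomobject]@{
            Channel   = $k.Channel
            Expected  = '{0} ({1})' -f $wantName, $wantCode
            Actual    = $k.Actual
            Compliant = ($k.Actual -eq $wantCode)
        }
    }
}

# Dry run first, then apply and verify on a Staged-ring device
Set-DefenderRing -Ring Staged -WhatIf
Set-DefenderRing -Ring Staged
Test-DefenderRing -Ring Staged | Format-Table -AutoSize
```

Run Test-DefenderRing from your management tooling with the ring taken from the device group the machine belongs to; any row with Compliant set to $false, or the DisableGradualRelease warning, means the device is not in the ring you think it is, which is exactly the drift a gradual rollout has to catch before an update reaches the Broad ring.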
