Microsoft Defender Updates: Managing Rollouts with Precision
Regular updates to the antivirus client components (the Defender platform and engine) are crucial for maintaining a strong security posture, but it is equally important to control which update channel each device is on. If you leave the channel unconfigured, Microsoft decides which devices receive a new platform build early in its gradual rollout, and a device on a pre-release channel may hit a regression before you have had a chance to validate the build (for example, a platform update that causes increased processor usage).
Microsoft Defender Antivirus offers the following platform update channels:
Beta Channel: Devices set to this channel will be the first to receive new updates. For use in (manual) test environments only and a limited number of devices.
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
I recommend using the Current Channel (Staged) for pilot and Current Channel (Broad) for production devices.
Here's an example of how to configure the update channel via Microsoft Intune:
Create a custom configuration profile for Windows devices:
Name the policy and enter a description:
Add a new OMA-URI setting, enter a name, set the OMA-URI to ./Device/Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel, choose the Integer data type and enter the value for the update channel:
Not configured (Microsoft-managed gradual rollout) = 0
Beta Channel = 2
Current Channel (Preview) = 3
Current Channel (Staged) = 4
Current Channel (Broad) = 5
Critical - Time delay = 6
Assign the policy to a group of devices. Because the value is per profile, create one profile per channel (for example one for the pilot group with value 4 and one for production with value 5) rather than a single profile for everyone.
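The same pilot/production split can be created from PowerShell through Microsoft Graph instead of clicking through the portal, which makes the rollout repeatable across tenants. The script below is an added example and is not from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, and the group IDs and profile names are placeholders you replace with your own.

```powershell
# Added example (not part of the original post): create the custom OMA-URI profile
# for PlatformUpdatesChannel via Microsoft Graph and assign it to a group.
# Requires: Install-Module Microsoft.Graph (Invoke-MgGraphRequest, Connect-MgGraph).
# $PilotGroupId / $ProdGroupId are placeholders for your Entra ID group object IDs.

$PilotGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder
$ProdGroupId  = '00000000-0000-0000-0000-000000000002'   # placeholder

# Integer values accepted by ./Device/Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel
$Channel = @{
    NotConfigured = 0
    Beta          = 2
    Preview       = 3
    Staged        = 4
    Broad         = 5
    Delayed       = 6
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

function New-DefenderPlatformChannelProfile {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet(0, 2, 3, 4, 5, 6)][int]$ChannelValue,
        [Parameter(Mandatory)][string]$GroupId
    )

    # Same content as the portal steps: a Windows custom configuration with one
    # integer OMA-URI setting.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $Name
        description   = "Pins Microsoft Defender platform updates to channel value $ChannelValue"
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'PlatformUpdatesChannel'
                omaUri        = './Device/Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel'
                value         = $ChannelValue
            }
        )
    }

    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    # Assign the new profile to the target group.
    $assignment = @{
        assignments = @(
            @{
                target = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $GroupId
                }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
        -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null

    return $created.id
}

# Pilot devices get Current Channel (Staged), production gets Current Channel (Broad).
New-DefenderPlatformChannelProfile -Name 'Defender Platform Channel - Pilot (Staged)' `
    -ChannelValue $Channel.Staged -GroupId $PilotGroupId
New-DefenderPlatformChannelProfile -Name 'Defender Platform Channel - Production (Broad)' `
    -ChannelValue $Channel.Broad -GroupId $ProdGroupId
```

Keep the pilot and production groups mutually exclusive; if a device lands in both, you will see the familiar Intune conflict state and the effective channel is not what you intended.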
UPDATE: You can now configure update channels with Microsoft Defender Antivirus policy via Microsoft Intune
Use the PowerShell cmdlet "Get-MpPreference | select PlatformUpdatesChannel" to check the Platform Update Channel value on a device. The cmdlet returns the integer from the table above; 0 means the channel is not configured and the device is in Microsoft's automatic gradual rollout:
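A raw integer is not much use at fleet scale, so it helps to decode it and compare it with what the device's group should have. The script below is an added example, not from the original post; it wraps the Get-MpPreference check from the text in a function that names the channel, reports the running platform version and returns a non-zero exit code on drift, so it can run as an Intune remediation detection script or over remote PowerShell. The expected value (5 for production) is an assumption you adjust per group.

```powershell
# Added example (not part of the original post): decode PlatformUpdatesChannel and
# flag devices that are not on the channel their group is supposed to be on.

$ChannelNames = @{
    0 = 'Not configured (Microsoft-managed gradual rollout)'
    2 = 'Beta Channel'
    3 = 'Current Channel (Preview)'
    4 = 'Current Channel (Staged)'
    5 = 'Current Channel (Broad)'
    6 = 'Critical - Time delay'
}

function Get-DefenderPlatformChannel {
    # Get-MpPreference reports the effective channel as an integer.
    $value = [int](Get-MpPreference).PlatformUpdatesChannel
    $name  = if ($ChannelNames.ContainsKey($value)) { $ChannelNames[$value] } else { "Unknown ($value)" }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Value           = $value
        Channel         = $name
        # AMProductVersion is the installed Defender platform version, useful for
        # confirming whether a device actually received a given monthly build.
        PlatformVersion = (Get-MpComputerStatus).AMProductVersion
    }
}

function Test-DefenderPlatformChannel {
    param([Parameter(Mandatory)][ValidateSet(0, 2, 3, 4, 5, 6)][int]$Expected)

    $state = Get-DefenderPlatformChannel
    if ($state.Value -ne $Expected) {
        Write-Warning ('{0}: PlatformUpdatesChannel is {1} ({2}), expected {3} ({4})' -f `
            $state.ComputerName, $state.Value, $state.Channel, $Expected, $ChannelNames[$Expected])
        return $false
    }
    Write-Output ('{0}: {1}, platform {2}' -f $state.ComputerName, $state.Channel, $state.PlatformVersion)
    return $true
}

# Assumption: this device belongs to the production group, so it should be on
# Current Channel (Broad) = 5. Use 4 for the pilot group.
if (-not (Test-DefenderPlatformChannel -Expected 5)) {
    exit 1   # remediation/detection harness treats non-zero as "not compliant"
}
```

If a device reports 0 after the profile has been assigned, check the Intune device configuration status before assuming the policy is wrong; a pending sync or a conflicting profile is the usual cause.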
By pinning Defender platform updates to explicit channels through a structured rollout in Microsoft Intune, organizations get to validate each monthly build on a small pilot population before it reaches production, and can still fall back on the 48-hour delayed channel for environments that cannot tolerate a regression. The steps above give a repeatable way to set the channel per device group and to verify from the device side that the assignment actually took effect.
Microsoft Learn: Manage the gradual rollout process for Microsoft Defender updates