deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

management

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-03-16 20:49:57 -07:00
parent c5875f8b7d
commit d2de9eb8e2
12 changed files with 344 additions and 283 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/keep-secure/WDAV-working/deploy-manage-report-windows-defender-antivirus.md
View File

@ -85,7 +85,7 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
Topic | Description
---|---
[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Microsoft Intune, WSUS, and others.
[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antiviirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
## Related topics

84
windows/keep-secure/WDAV-working/deployment-vdi-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Deployment guide for Windows Defender Antivirus in VDI
title: Windows Defender Antivirus VDI deployment guide
description: Learn how to deploy Windows Defender Antivirus in a VDI environment for the best balance between protection and performance.
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
search.product: eADQiWindows 10XVcnh
@ -63,33 +63,26 @@ The main steps in this section include:
1. Create your standard base image according to your requirements
2. Apply Windows Defender AV protection updates to your base image
3. Seal or “lock” the image to create a “known-good” image
4. Deploying your image to your VMs
4. Deploy your image to your VMs
### Create the base image
First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs.
### Apply protection updates to the base image
After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
### Seal the base image
When the base image is fully updated, you should run a quick scan on the image. This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
**Run a quick scan from the command line:**
You can run a quick scan [from the command line](run-scan-command-line-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md).
1. Click **Start**, type **cmd**, and press **Enter**.
2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
```
C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
```
The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
See [Run a Windows Defender scan from the command line](run-scan-command-line-windows-defender-antivirus.md) for additional parameters you can use.
>[!NOTE] ### Quick scan versus full scan
>[!NOTE] <b>Quick scan versus full scan</b>
>Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
>Therefore, when considering performance especially for creating a new or updated image in preparation for deployment it makes sense to use a quick scan only.
>A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up.
### Deploy the base image
Youll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs.
The following references provide ways you can create and deploy the base image across your VDI:
@ -104,45 +97,49 @@ The following references provide ways you can create and deploy the base image a
## Manage VMs and base image
Using Windows Defender AV within a VDI environment poses unique opportunities for configuration and management.
This is especially apparent when considering how updates are delivered for Windows Defender AV.
## Manage your VMs and base image
How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure.
Windows Defender AV uses both cloud-delivered protection (also called the Microsoft Advanced Protection Service) and periodically downloaded updates (also known as “definitions”) to provide protection. The cloud-based protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). Additionally, there are monthly updates for the engine that powers Microsoft antivirus protection, along with the usual product updates that are distributed alongside main Windows updates.
Because Windows Defender AV downloads protection updates every day, [or based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.
Depending on the deployment configuration of your VDI, it may not always be feasible or appropriate to follow a traditional continuous update schedule in a VDI environment.
Instead, you may prefer to receive and apply updates on a daily (or nightly) schedule, or align to a single update point, such as just after the usual monthly Microsoft Update.
Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb).
You can reduce network overhead by using a persistent VDI environment, so that your VMs will only need to download small delta updates.
### Manage updates for persistent VDIs
Therefore, the first step youll need to take is to determine when to create the base image that youll use on your VMs. This should align with the persistence of your VMs.
If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows:
1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs).
2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this).
3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md).
4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others.
5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with [the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
For example, if you are using a non-persistent VDI, it may make sense to update and deploy your base image daily. This way, youll ensure your VMs receive the most up-to-date protection each day, without having to individually download updates when they are each started.
You could also use a pre-configured PowerShell script as part of a scheduled task to help automate the download and application of protection updates from a centralized location, to prevent each VM from individually downloading the update.
For example, the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) will pull the latest updates via a UNC share that is updated by the VM host. That way the individual VM will not need to obtain protection updates from the Internet, and you will only need to download the updates once (on the VM host).
Alternatively, if you have a persistent or semi-persistent VDI, you could update your base image monthly, in conjunction with the monthly “Patch Tuesday” Microsoft Updates to reduce the network bandwidth across your VDI.
In both of these scenarios, the VMs will only need to download “delta” updates the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb).
A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them.
Another benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them.
If you are aligning your base image to the monthly Microsoft Update schedule, you should ensure that all operating system and other patches and updates have been applied. The monthly Microsoft Update occurs on the second Tuesday of each month.
This means you may need to disconnect your VMs, apply the updated base image, and then deploy the image during that time otherwise the individual VMs may download the update and you will lose the benefit of reducing your network overhead.
### Manage updates for non-persistent VDIs
On non-persistent or pooled VDIs, you can update the base image nightly with the latest definitions. This allows the VMs to have the latest definitions without need to pull down the latest definitions each morning. In this case, it may make sense to obtain updates via the MMPC website or Microsoft Update channel.
If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image.
You may be able to automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
An example:
1. Every night or other time when you can safely take your VMs offline, update your base image with t[the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md).
2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
In both scenarios, its important to run a quick scan on the updated image before you deploy it to your VMs.
## Configure endpoints for optimal performance
There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection.
There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection, including:
- [Randomize scheduled scans](#randomize-scheduled-scans)
- [Use quick scans](#use-quick-scans)
- [Prevent notifications](#prevent-notifications)
- [Disable scans from occuring after every update](#disable-scans-after-an-update)
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network.
One of the most important settings is to randomize the times when each VM will perform a scan.
### Randomize scheduled scans
@ -165,11 +162,11 @@ The start time of the scan itself is still based on the scheduled scan policy
5. Expand the tree to **Windows components > Windows Defender** and configure the following setting:
1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of +/- 30 minutes to the start of the scheduled scan and also the signature update.
1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the sechedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
**Use Configuration Manager to randomize schedule scans:**
1. See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch).
See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch).
See [Schedule scans](schedule-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.
@ -182,17 +179,16 @@ Quick scans are the preferred approach as they are designed to look in all place
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
1. Double-click the **Specify the scan type to use for a scheduled scan** setting and set the option to **Enabled** and **Quick scan**. Click **OK**.
4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
1. Double-click the **Specify the scan type to use for a scheduled scan** setting and set the option to **Enabled** and **Quick scan**. Click **OK**.
**Use Configuration Manager to specify the type of scheduled scan:**
1. See [How to create and deploy antimalware policies: Scheduled scans settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) for details on configuring System Center Configuration Manager (current branch).
See [How to create and deploy antimalware policies: Scheduled scans settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) for details on configuring System Center Configuration Manager (current branch).
<!--
See [Schedule scans](schedule-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.

4
windows/keep-secure/WDAV-working/enable-cloud-protection-windows-defender-antivirus.md
View File

@ -51,9 +51,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca
5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
1. Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**.
1. Click **OK**.
1. Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**.
1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:

BIN
windows/keep-secure/WDAV-working/images/defender/order-update-sources-wdav.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.3 MiB

BIN
windows/keep-secure/WDAV-working/images/defender/wdav-order-update-sources.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.3 MiB

156
windows/keep-secure/WDAV-working/manage-endpoint-product-updates-windows-defender-antivirus.md
View File

@ -1,156 +0,0 @@
---
title:
description:
ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Manage Windows Defender Antivirus protection and definition updates
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- Microsoft Intune
- PowerShell cmdlets
- Windows Management Instruction (WMI)
<span id="protection-updates"/>
<!-- this has been used as anchor in VDI content -->
Windows Defender Antivirus requires regular protection updates to help ensure your network and endpoints are fully protected. These protection updates are also known as "definitions" or "signature updates".
There are a number of ways you can obtain and manage protection updates.
## Obtain protection updates
There are four locations where you can specify where an endpoint should obtain updates. Typically, you would configure each endpoint to individually download the updates from a primary source and specify fallback sources in case the primary source is unavailble.
- [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx).
- Microsoft Update.
- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx).
- A network file share.
Each location has typical scenarios (in addition to acting as fallback locations) for when you would use that source, as described in the following table:
Location | Sample scenario
---|---
WSUS | https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus
Microsoft Update | Internet...
MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md).
File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host download the updates to a network share, from which the VMs can obtain the updates.
You can manage how you obtain the protection updates with System Center Configuration Manager, Microsoft Intune, Group Policy, or PowerShell cmdlets and WMI.
> [!IMPORTANT]
> If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See [To synchronize endpoint protection updates in standalone WSUS](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) for more details.
**Use Group Policy to manage the update location:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
1. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **Ok**. This will disable notifications that ask the endpoint user to reboot the machine to perform additional cleaning.
2.In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
3.Click on Signature Updates.
{\\unc1\\unc2} - where you define [unc] as the UNC shares.
**Use PowerShell and WMI cmdlets to manage the update location:**
Use the following PowerShell cmdlets to enable cloud-delivered protection:
```PowerShell
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent 3
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-windows-defender-antivirus) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
Use the following WMI cmdlets to enable cloud-delivered protection:
```WMI
```
**Use Configuration Manager to manage the update location:**
1. See [Configure Definition Updates for Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch).
**Use Microsoft Intune to manage the update location:**
### Configure protection update options
-schedule scans
-etc...
## Opt-in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update.
You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update.
There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10:
1. Use a VBScript to create a script, then run it on each computer in your network.
2. Manually opt-in every computer on your network through the **Settings** menu.
You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update.
**Use a VBScript to opt in to Microsoft Update**
1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
2. Run the VBScript you created on each computer in your network.
You can manually opt-in each individual computer on your network to receive Microsoft Update.
**Manually opt-in to Microsoft Update**
1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
2. Click **Advanced** options.
3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
## Related topics
- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)

48
windows/keep-secure/WDAV-working/manage-event-based-updates-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Apply Windows Defender AV updates after certain events
description: Manage how Windows Defender Antivirus applies proteciton updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Manage event-based forced updates
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender AV allows to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
- Initiate definition update on startip
- Check for the latest virus and spyware definitions on startup
- Allow notifications to disable definitions based reports to MAPS
- Allow real-time definition updates based on reports to MAPS
## Related topics
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)

49
windows/keep-secure/WDAV-working/manage-outdated-endpoints-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,49 @@
---
title: Apply Windows Defender AV protection updates to out of date endpoints
description: Define when and how updates should be applied for endpoints that have not updated in a while.
keywords: updates, protection, out-of-date, outdated, old, catch-up
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Manage updates for endpoints that are out of date
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender AV lets you define how long an endpoint can avoid an update before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
You can manage the following options with Group Policy, System Center Configuration Manager, Powershell cmdlets, and WMI classes:
- Define the number of days before an endpoint has outdated protection
- Define the number of days after which a catch-up update must occur
## Related topics
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)

48
windows/keep-secure/WDAV-working/manage-protection-update-schedule-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Schedule Windows Defender Antivirus protection updates
description: Schedule the day, time, and interval for when protection updates should be downloaded
keywords: updates, security baselines, schedule updates
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Manage when protection updates should be downloaded and applied
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender AV lets you determine when it should look for and download updates.
You can schedule updates for your endpoints by:
- Specifying the day of the week to check for definition updates
- Specifying the interval to check for definition updates
- Specifying the time to check for definition updates
## Related topics
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)

126
windows/keep-secure/WDAV-working/manage-protection-updates-windows-defender-antivirus.md
View File

@ -1,7 +1,9 @@
---
title:
description:
ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
title: Manage how and where Windows Defender AV receives updates
description: Manage how Windows Defender Antivirus receives protection updates.
keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -23,42 +25,46 @@ author: iaanw
- Group Policy
- System Center Configuration Manager
- Microsoft Intune
- PowerShell cmdlets
- Windows Management Instruction (WMI)
<span id="protection-updates"/>
<a id="protection-updates"></a>
<!-- this has been used as anchor in VDI content -->
Windows Defender Antivirus requires regular protection updates to help ensure your network and endpoints are fully protected. These protection updates are also known as "definitions" or "signature updates".
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
There are a number of ways you can obtain and manage protection updates.
The cloud-based protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured).
## Obtain protection updates
There are four locations where you can specify where an endpoint should obtain updates. Typically, you would configure each endpoint to individually download the updates from a primary source and specify fallback sources in case the primary source is unavailble.
There are two components to managing protection updates - where the updates are downloaded from, and when updates are downloaded and applied.
- [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx).
This topic describes the locations
## Manage the fallback order for downloading protection updates
There are five locations where you can specify where an endpoint should obtain updates. Typically, you would configure each endpoint to individually download the updates from a primary source and specify fallback sources in case the primary source is unavailable.
- [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx)
- Microsoft Update.
- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx).
- A network file share.
- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx)
- A network file share
- Configuration manager
Each location has typical scenarios (in addition to acting as fallback locations) for when you would use that source, as described in the following table:
Location | Sample scenario
---|---
WSUS | https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus
Microsoft Update | Internet...
WSUS | You are using WSUS to manage updates for your network
Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network.
MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md).
File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host download the updates to a network share, from which the VMs can obtain the updates.
File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.
Configuration Manager | You are using System Center Configuration Manager to update your endpoints.
You can manage how you obtain the protection updates with System Center Configuration Manager, Microsoft Intune, Group Policy, or PowerShell cmdlets and WMI.
You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
> [!IMPORTANT]
> If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See [To synchronize endpoint protection updates in standalone WSUS](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) for more details.
**Use Group Policy to manage the update location:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -67,54 +73,53 @@ You can manage how you obtain the protection updates with System Center Configur
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
5. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**.
1. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **Ok**. This will disable notifications that ask the endpoint user to reboot the machine to perform additional cleaning.
2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, shown in the following screenshot.
![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png)
2.In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
3.Click on Signature Updates.
{\\unc1\\unc2} - where you define [unc] as the UNC shares.
**Use PowerShell and WMI cmdlets to manage the update location:**
Use the following PowerShell cmdlets to enable cloud-delivered protection:
```PowerShell
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent 3
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-windows-defender-antivirus) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
Use the following WMI cmdlets to enable cloud-delivered protection:
```WMI
```
3. Click **OK**. This will set the order of protection update sources.
1. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**.
2. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/en-us/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates.
3. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
**Use Configuration Manager to manage the update location:**
1. See [Configure Definition Updates for Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch).
**Use Microsoft Intune to manage the update location:**
See [Configure Definition Updates for Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch).
### Configure protection update options
**Use PowerShell cmdlets to manage the update location:**
Use the following PowerShell cmdlets to set the update order.
```PowerShell
Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce {\\UNC SHARE PATH|\\UNC SHARE PATH}
```
See the following for more information:
- [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder)
- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-windows-defender-antivirus)
- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
**Use Windows Management Instruction (WMI) to manage the update location:**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
-schedule scans
-etc...
```WMI
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSouce
```
See the following for more information:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
@ -122,31 +127,6 @@ Use the following WMI cmdlets to enable cloud-delivered protection:
## Opt-in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update.
You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update.
There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10:
1. Use a VBScript to create a script, then run it on each computer in your network.
2. Manually opt-in every computer on your network through the **Settings** menu.
You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update.
**Use a VBScript to opt in to Microsoft Update**
1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
2. Run the VBScript you created on each computer in your network.
You can manually opt-in each individual computer on your network to receive Microsoft Update.
**Manually opt-in to Microsoft Update**
1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
2. Click **Advanced** options.
3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.

32
windows/keep-secure/WDAV-working/manage-updates-baselines-windows-defender-antivirus.md.md
View File

@ -1,7 +1,7 @@
---
title: Manage Windows Defender Antivirus updates and apply baselines
description:
keywords:
description: Manage how Windows Defender Antivirus receives protection and product updates.
keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -18,14 +18,36 @@ author: iaanw
**Applies to:**
- Windows 10
- Windows 10, version 1703
**Audience**
- Network administrators
There are two types of updates related to keeping Windows Defender Antivirus:
1. Protection updates
2. Product updates
You can also apply [Windows security baselines](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
## Protection updates
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
The cloud-based protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender.md) topic for more details about enabling and configuring cloud-provided protection.
The following topics describe the management of downloaded protection updates:
- [Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
## Product updates
Windows Defender AV requires monthly updates (known as "engine updates"), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
There are two parts of updating - definition updates and product updates.
You can also apply security baselines.

76
windows/keep-secure/WDAV-working/manage-updates-mobile-devices-vms-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Define how mobile devices are updated by Windows Defender AV
description: Manage how mobile devices, such as laptops, should be updated with Windows Defender AV protection updates.
keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Manage updates for mobile devices and virtual machines (VMs)
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
There are a number of settings that are particularly useful for these devices:
- Opt-in to Microsoft Update on mobile computers without a WSUS connection
- Allow definition updates when running on battery power
Also see the [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md).
### Opt-in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep definitions on mobile devices running Windows Defender AV up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if WSUS overrides Microsoft Update.
You can opt-in to Microsoft Update on the mobile device in one of the following ways:
1. Use a VBScript to create a script, then run it on each computer in your network.
2. Manually opt-in every computer on your network through the **Settings** menu.
**Use a VBScript to opt-in to Microsoft Update**
1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
2. Run the VBScript you created on each computer in your network.
**Manually opt-in to Microsoft Update**
1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
2. Click **Advanced** options.
3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
## Related topics
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)