2289820
Copper Contributor
Feb 02, 2024

Signature update finished. No updates needed. Co-managed device

I have an issue where Security Intelligence update is being delayed by a number of days and can't figure out why.

Currently testing migrating from another AV product to Defender for Endpoint (3rd-party AV has been uninstalled). Current set-up is:

Device Hybrid Joined

Co-management with SCCM / Intune. SCCM handling Windows Update; Intune managing Defender (AV, Firewall, ASR, Web Content Filtering). All of this works apart from Security Intelligence updates every hour as configured in Intune!

Signature updates appear to wait until they are over 72 hrs old before updating, and I can't force the update, as I get the following:

C:\Program Files\Windows Defender>MpCmdRun.exe -SignatureUpdate
Signature update started . . .
Signature update finished. No updates needed

Amended the SCCM default Antimalware policy sources to WinUpdate and MMPC and to update every 1 hr, in case these are somehow impacting this.

Can anyone help with what could be causing this delay, please?

MDEClientAnalyzer Results

SecurityIntelligenceVersion Please note that this machine is running with outdated security intelligence version. It is recommended to apply the most recent security intelligence version to ensure optimal protection and compatibility.

Defender AV Service Status Running
Windows Security Center Service Status Running
Windows Security Health Service Status Running
Defender AV mode Active
Defender Network Protection Service Running
Defender Network Protection Driver Running
Defender AV Platform Version 4.18.23110.3-0
Defender AV Security Intelligence Version 1.403.2882.0
Defender AV engine Version 1.1.23110.2
Defender Is Tamper Protected True
Defender Tamper Protection Source Intune
Defender Is Tamper Protection Exclusions Enabled False
Defender Network Protection Mode Block Mode
Enrollment Status Device is managed by MDM Agent (3)
Domain Joined YES
Azure AD Joined YES
Workplace Joined NO

MDM Enrollment state MDM enrolled
System-wide WinHTTP proxy Direct access (no proxy server).

Device has internet access and we'd like the device to update directly from the cloud. There are no firewall blocks; the device has access and does update some time after 72 hrs.

Get-MpPreference

SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 1
SubmitSamplesConsent : 1
Get-MpComputerStatus

NISSignatureAge : 4
Intune setting from AV Policy:
  • The4thLegacy
    Copper Contributor
    Microsoft has not identified the issue yet. We have had a SEV A open with them over this exact topic, with no resolution as of yet.
    • 2289820
      Copper Contributor
      The only way we could get this working was to deploy a workaround:
      set the GPO "Define the number of days before virus security intelligence is considered out of date" to 0.
      This workaround will come with other issues, such as end-user toast notifications and DFE device health reporting out of date.
      If anyone has a better solution, please post, as I'd be open to changes 😄

      Good luck!! 🙂
      • abs168
        Copper Contributor

        2289820 
        We have found some more information on this. We can confirm that the issue is caused by the registry settings in

        HKLM:\Software\policies\Microsoft\Windows\WindowsUpdate

        There you have 4 keys:

        SetPolicyDrivenUpdateSourceForDriverUpdates 
        SetPolicyDrivenUpdateSourceForFeatureUpdates
        SetPolicyDrivenUpdateSourceForOtherUpdates
        SetPolicyDrivenUpdateSourceForQualityUpdates

        All of these are set to 1 by Configuration Manager if you have co-management enabled and the workloads for Windows Update policies and Office Click-to-Run set to Configuration Manager (or Intune Pilot, with the devices having the issue not in that Pilot collection).
        Setting SetPolicyDrivenUpdateSourceForOtherUpdates to 0, restarting the Windows Update service and triggering the signature update by any means instantly updates your signatures. However, according to this documentation: Update other Microsoft products - Windows Update for Business | Microsoft Learn, this also changes the update source for other Microsoft products, which for us is a no-go.
        Currently we are checking whether setting the Defender preference OobeEnableRtpAndSigUpdate to true with PowerShell and rebooting the device fixes the issue.

        Set-MpPreference -OobeEnableRtpAndSigUpdate $true

        This was suggested by MS support. I will get back to you once we have reliable results.

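The PowerShell script below is an added example for this thread, not code from any of the posters or from Microsoft. It reads the four SetPolicyDrivenUpdateSource* values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that abs168 identifies, prints the signature state the original post gathered by hand (Get-MpComputerStatus / Get-MpPreference), and only when run with the -FixOtherUpdates switch applies the diagnostic toggle abs168 describes (set SetPolicyDrivenUpdateSourceForOtherUpdates to 0, restart the Windows Update service, trigger a signature update). The function names, the switch name and the 3-day warning threshold are my own choices; run it from an elevated PowerShell session on the affected device.

```powershell
# Added example (not from the thread). Diagnose, and optionally toggle, the
# policy-driven Windows Update source values that pin Defender signature
# updates to the ConfigMgr/WSUS source on co-managed devices.
[CmdletBinding()]
param(
    # Only when this switch is given does the script change anything.
    [switch]$FixOtherUpdates,
    # Assumed threshold (days) beyond which we flag signatures as stale.
    [int]$StaleAfterDays = 3
)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$valueNames = @(
    'SetPolicyDrivenUpdateSourceForDriverUpdates',
    'SetPolicyDrivenUpdateSourceForFeatureUpdates',
    'SetPolicyDrivenUpdateSourceForOtherUpdates',
    'SetPolicyDrivenUpdateSourceForQualityUpdates'
)

function Get-WuPolicySourceState {
    # One object per value; Value is $null when the value (or key) is absent.
    $props = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    foreach ($name in $valueNames) {
        $val = $null
        if ($props -and $props.PSObject.Properties[$name]) { $val = $props.$name }
        [pscustomobject]@{ Name = $name; Value = $val }
    }
}

function Get-DefenderSignatureState {
    # Same fields the original post collected manually, in one object.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        PlatformVersion      = $status.AMProductVersion
        EngineVersion        = $status.AMEngineVersion
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        NisSignatureAgeDays  = $status.NISSignatureAge
        FallbackOrder        = $pref.SignatureFallbackOrder
        UpdateIntervalHours  = $pref.SignatureUpdateInterval
    }
}

Write-Host '== Policy-driven Windows Update source values =='
$sources = Get-WuPolicySourceState
$sources | Format-Table -AutoSize

Write-Host '== Defender signature state =='
$sig = Get-DefenderSignatureState
$sig | Format-List

if ($sig.SignatureAgeDays -ge $StaleAfterDays) {
    Write-Warning ("Security intelligence is {0} day(s) old (version {1})." -f
        $sig.SignatureAgeDays, $sig.SignatureVersion)
}

$other = ($sources | Where-Object Name -eq 'SetPolicyDrivenUpdateSourceForOtherUpdates').Value
if ($other -eq 1) {
    Write-Warning ('SetPolicyDrivenUpdateSourceForOtherUpdates = 1: "other" updates, ' +
        'which is how Defender definitions arrive via Windows Update, are pinned ' +
        'to the policy-driven (WSUS/ConfigMgr) source rather than Microsoft Update.')
}

if ($FixOtherUpdates) {
    if ($other -ne 1) {
        Write-Host 'Nothing to toggle: the value is not 1.'
        return
    }
    # The workaround as posted: flip the value, bounce the WU service,
    # then trigger a signature update and show the result.
    Set-ItemProperty -Path $policyPath -Name 'SetPolicyDrivenUpdateSourceForOtherUpdates' `
        -Value 0 -Type DWord
    Restart-Service -Name wuauserv -Force
    Update-MpSignature
    Write-Host '== Defender signature state after update =='
    Get-DefenderSignatureState | Format-List
}
```

Without -FixOtherUpdates the script is read-only, so it is safe to run across a pilot collection to confirm the correlation before touching anything. The toggle has the side effect abs168 points out (it moves every "other" Microsoft product update off the policy-driven source, not just Defender), and because the value is written by the Configuration Manager client as policy, expect it to be re-applied on a later policy cycle while the Windows Update workload stays with Configuration Manager; treat the flip as a diagnostic step rather than a durable fix.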