Forum Discussion
Signature update finished. No updates needed. Co-managed device
I have an issue where Security Intelligence update is being delayed by a number of days and can't figure out why.
Currently testing migrating from another AV product to Defender for Endpoint(3rd Party AV has been uninstalled) current set up is;
Device Hybrid Joined
Co-management with SCCM / Intune. SCCM handling Windows Update. Intune managing Defender. (AV, Firewall, ASR, Web Content Filtering) all this works apart from Security Intelligence updates every hour as configured in Intune!
Signature Updates appear to wait until they are over 72hrs before updating, and I can't force the update as I get the following:
C:\Program Files\Windows Defender>MpCmdRun.exe -SignatureUpdate
Signature update started . . .
Signature update finished. No updates needed
Amended SCCM default Antimalware policy sources to WinUpdate and MMPC and to update every 1hr incase these somehow are impacting
Can anyone help what could be causing this delay please?
MDEClientAnalyzer Results
SecurityIntelligenceVersion Please note that this machine is running with outdated security intelligence version. It is recommended to apply the most recent security intelligence version to ensure optimal protection and compatibility.
Defender AV Service Status Running
Windows Security Center Service Status Running
Windows Security Health Service Status Running
Defender AV mode Active
Defender Network Protection Service Running
Defender Network Protection Driver Running
Defender AV Platform Version 4.18.23110.3-0
Defender AV Security Intelligence Version 1.403.2882.0
Defender AV engine Version 1.1.23110.2
Defender Is Tamper Protected True
Defender Tamper Protection Source Intune
Defender Is Tamper Protection Exclusions Enabled False
Defender Network Protection Mode Block Mode
Enrollment Status Device is managed by MDM Agent (3)
Domain Joined YES
Azure AD Joined YES
Workplace Joined NO
MDM Enrollment state MDM enrolled
System-wide WinHTTP proxy Direct access (no proxy server).
Device has internet access and we'd like the device to update direct from the cloud, no Firewall blocks, device has access and does update sometime after 72hrs..
get-mppreference
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 1
SubmitSamplesConsent : 1
Get-MpComputerStatus
NISSignatureAge : 4
Intune setting from AV Policy:
- ryuacedCopper Contributor
- The4thLegacyCopper Contributor
We have the same issue. Need to know resolution ASAPryuaced
- The4thLegacyCopper ContributorMicrosoft has not identified the issues yet. We have had a SEV A open with them over this exact topic with no resolution as of yet
- 2289820Copper Contributor
The4thLegacy thanks for the reply, if you do get a fix on your Sev ticket please could you let us know here?
- abs168Copper Contributor
2289820, The4thLegacyHi we are facing exactly the same issue. Did you or anyone else ever find the issue and where able to fix it?
- 2289820Copper ContributorThe only way we could get this working was to deploy a workaround
Set gpo to 0 for define the number of days before virus security intelligence is considered out of date.
This workaround will come with other issues such as end user toast notifications and DFE device health reporting out of date.
If anyone has a better solution please post as I'd be open to changes 😄
Goodluck!! 🙂- abs168Copper Contributor
2289820
We have found some more information on this. We can confirm that the issue is caused by the registry settings inHKLM:\Software\policies\Microsoft\Windows\WindowsUpdate
There you have 4 keys:
SetPolicyDrivenUpdateSourceForDriverUpdates
SetPolicyDrivenUpdateSourceForFeatureUpdates
SetPolicyDrivenUpdateSourceForOtherUpdates
SetPolicyDrivenUpdateSourceForQualityUpdatesAll of which are set to 1 by Configuration Manager if you have Co-Management enabled and the Workloads for Windows Update policies and Office Click-To-Run set to Configuration Manager (or Intune Pilot and the devices having the issues are not in that Pilot collection).
Setting SetPolicyDrivenUpdateSourceForOtherUpdates to 0, restarting the Windows Update service and triggering the signature Update by any means, instantly updates your signatures. However according to this documentation: Update other Microsoft products - Windows Update for Business | Microsoft Learn, this also sets the updates for other products, which for us is a no go.Currently we are checking if setting the Defender Preference OobeEnableRtpAndSigUpdate to true with PowerShell and rebooting the device fixes the issue.
Set-MpPreference -OobeEnableRtpAndSigUpdate $true
This was suggested by MS support. I will get back to you once we have reliable results.