Forum Discussion
Defender definition updates
Beginning in Windows 10 and Windows Server 2016, Microsoft Defender is natively built into the operating system, so there is no need to have a SCEP agent deployed to manage AV definitions.
But yes, SCEP is required for older OS, and therefore you need SCCM to distribute definition updates to those operating systems.
To learn more about MDATP, here are some of the available resources.
Microsoft Product Group Webinar on April 2nd:
https://youtu.be/U7jWbXx_bmE
There were 18 MDATP Sessions at Ignite that you can watch:
https://myignite.techcommunity.microsoft.com/sessions (Search for Defender)
MDATP Resources on Github:
https://github.com/alexverboon/MDATP#microsoft-blog-posts-on-microsoft-advanced-threat-protection
MDATP Documentation:
https://docs.microsoft.com/en-us/windows/security/threat-protection/
MDATP Best Practices (My article)
https://www.thecloudtechnologist.com/mdatp-best-practices/
MDATP PowerShell Module
https://github.com/alexverboon/PSMDATP
MDATP Tutorials
https://securitycenter.windows.com/tutorials/all
MDATP Training
https://docs.microsoft.com/en-us/learn/modules/m365-security-threat-protect/
MDATP Blog
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog
Certification Track
https://www.microsoft.com/microsoft-365/partners/tech-hub/security
- khelbo, Sep 17, 2021, Copper Contributor
Joe Stocker, is there any way you can tell which "Security intelligence version"/definition the devices are running from the securitycenter.windows.com or get a report on devices that are not updated within the last week?
- SteBeSec, Sep 18, 2021, Iron Contributor
Unfortunately not directly, but you could use an Advanced Hunting Query: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/General%20queries/MD%20AV%20Signature%20and%20Platform%20Version.md
If you are using Microsoft Endpoint Manager (Intune) or SCCM, you can check for the Definition and Platform Version there: https://deviceadvice.io/2020/12/07/manage-and-report-on-defender-antivirus-signature-update-versions-through-microsoft-endpoint-manager/
You could also build something yourself using PowerShell cmdlets (Get-MpComputerStatus): https://docs.microsoft.com/en-us/powershell/module/defender/?view=windowsserver2019-ps
About your question No. 2: Unfortunately, the best I know is that you read all the available stuff in Microsoft Docs around Defender for Endpoint.
Great resources are:
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/become-a-microsoft-defender-for-endpoint-ninja/ba-p/1515647
https://github.com/alexverboon/MDATP#microsoft-blog-posts-on-microsoft-advanced-threat-protection
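
The Get-MpComputerStatus approach mentioned in the reply above, as an added example that is not part of the original thread: it reports the signature and platform version per device and flags devices whose definitions are older than a week. The function name `Get-DefenderSignatureReport` and the host names are hypothetical, and it assumes the target machines accept CIM sessions over WinRM.

```powershell
# Added example, not from the thread. Function name and host names are hypothetical.
function Get-DefenderSignatureReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$MaxAgeDays = 7   # "not updated within the last week"
    )
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            # Assumption: WinRM/CIM is reachable on the target device.
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
            $status  = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            [pscustomobject]@{
                ComputerName     = $computer
                SignatureVersion = $status.AntivirusSignatureVersion
                LastUpdated      = $status.AntivirusSignatureLastUpdated
                SignatureAgeDays = $status.AntivirusSignatureAge
                PlatformVersion  = $status.AMProductVersion
                EngineVersion    = $status.AMEngineVersion
                Stale            = $status.AntivirusSignatureAge -gt $MaxAgeDays
                Error            = $null
            }
        }
        catch {
            # A device that cannot be queried is reported, not silently skipped:
            # an unknown signature state needs follow-up just like a stale one.
            [pscustomobject]@{
                ComputerName     = $computer
                SignatureVersion = $null
                LastUpdated      = $null
                SignatureAgeDays = $null
                PlatformVersion  = $null
                EngineVersion    = $null
                Stale            = $null
                Error            = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Constructed host names; replace with your own inventory.
Get-DefenderSignatureReport -ComputerName 'PC-001', 'PC-002' |
    Where-Object { $_.Stale -or $_.Error } |
    Sort-Object SignatureAgeDays -Descending |
    Format-Table ComputerName, SignatureVersion, LastUpdated, SignatureAgeDays, Error -AutoSize
```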