Forum Discussion

SecEngLayer2
Copper Contributor
Feb 21, 2022
Solved

Microsoft Defender On-Premise (No Internet connectivity)

Hello,

Is there a way to manage/configure/administer MS Defender clients in an on-premise environment with no connection to Azure cloud management portals please?

Many thanks,

Graeme

  • Reza_Ameri
    Silver Contributor
    Yes, it is possible to manage it using Microsoft Endpoint Configuration Manager, and you may manage it on-premise. It is possible to manage it using Group Policy and PowerShell, but you have some challenges. Offline definition updating is possible, but you have to download the definition updates every day and then deploy them or add them to file shares. Take a look at:

    https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-mde-post-migration-configuration-manager
    • question92120
      Copper Contributor
      It is possible to manage it using Group Policy and PowerShell, but you have some challenges.
      Using PowerShell will give you the option to run a script once a day to get the *.exe file from a share and execute it once a day. You'll be blocked from doing this if your org doesn't allow storing network passwords locally within the scheduler so the install scripts can run.
      Probably your best bet is using MS Active Directory, where you can deploy .msi files to update computers or user names. You'll need to get a .exe-to-.msi wrapper to convert the file to .msi, or AD will not install it.
      Offline definition updating is possible, but you have to download the definition updates every day and then deploy them or add them to file shares.
    • BenR87
      Copper Contributor

      Reza_Ameri Thanks for the reply! Is this also possible for a hybrid solution? About 10% of our devices are offline; the rest are online. So the cloud solution would be awesome for the majority of devices. Also, we don't use SCCM, so for just the 10% of devices, policies and PowerShell would be fine.

      • question92120
        Copper Contributor

        For Offline Devices (Local Management):
        Periodically download the latest Defender security intelligence updates from the Microsoft website.
        Use a local network share or removable media to distribute these updates to the offline devices.
        Create Update Scripts: Write PowerShell scripts to automate the installation of updates on offline devices. These scripts can be run manually or scheduled to run at regular intervals when devices are connected to the local network.
        Here's an example of a PowerShell script:
        $updateSource = "\\server\share\DefenderDefinitions"
        # Register the share as a file-share update source, then pull signatures from it
        Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $updateSource
        Update-MpSignature -UpdateSource FileShares

        Once you have the script working, set up scheduled tasks on offline devices to run the PowerShell script at regular intervals, if the device is connected to the offline local network.

        If you're running an offline instance of an MS AD server, configure Group Policy in AD to point to a local network share for updates. This allows offline devices to check a local source for the latest virus definitions.

  • mas18
    Brass Contributor
    If you are planning to use Defender as the only AV solution, then yes, you can manage on-prem endpoints without a connection to MDE, but you still need to find a way to download Defender security intelligence and platform updates. If you are planning to use Defender as an EDR+NGAV solution, then you must work on allowing your on-prem endpoints to connect to the MDE URLs. Note: a proxy can be configured to connect on-prem endpoints to the MDE cloud services.
    • question92120
      Copper Contributor

      You can manage on-premises endpoints without a direct connection to Microsoft Defender for Endpoint (MDE). However, to keep these endpoints protected, you still need to ensure they receive regular Defender security intelligence (virus definitions) and platform updates.
      These updates must be manually downloaded and distributed to the endpoints, typically using a local network share, USB drives, or other offline methods.
      Regularly download the latest Defender security intelligence updates and platform updates from the Microsoft website, burn them to DVD, then sneakernet them over to your closed network for install.


      Microsoft Defender for Endpoint (MDE) primarily operates as a cloud-based service, and there isn't an official on-premises deployment model for MDE that mirrors the full functionality of the cloud version. However, for environments that require limited or no internet access, Microsoft offers Microsoft Defender Antivirus with on-premises management capabilities, and you can use Microsoft Endpoint Configuration Manager (MECM) or Group Policy for more controlled, on-premises scenarios.

  • BenR87
    Copper Contributor

    I would like to know this as well. We are currently looking into switching to Defender. Quite a few devices in our network are offline. These include Windows 10 machines. From what I've read in another topic, these W10 devices can be problematic in an offline configuration. Is this still the case, or are there solutions in place to counter this?

    • question92120
      Copper Contributor

      Set up a local source for virus definitions on the network (such as a file server). Configure Microsoft Defender Antivirus to check this local source first before attempting to connect to the internet. This can be done via Group Policy or registry settings.


    • question92120
      Copper Contributor

      From an automated scripting perspective, you'll have to find a way to install all those *.exe virus definition files onto Windows endpoints. Defender has some configuration options, and one is to point to a virus definition file and program Defender to download and install that file on a regular basis. Can you use Defender to install the *.exe virus definition files you get off the Microsoft website on all your endpoints to automate this process?
      No, the approach will not work with the standalone .exe virus definition files you get off the Microsoft website.
      Microsoft Defender Antivirus uses a different mechanism to update virus definitions from local or UNC paths, which typically involves specific file formats such as .vdm or .cab files, rather than standalone .exe files.
      To have Microsoft Defender point to an update file on your network, You'll need to extract the .cab files and then copy them to the network file server.


      You can create a startup or logon script in PowerShell or batch that extracts and installs the .cab file. This script can then be deployed via a GPO.
      Example PowerShell script:

      $cabPath = "\\server\share\mpam-fe.cab"
      $extractPath = "C:\DefenderDefinitions"
      # Extract the .cab file (Expand-Archive only handles .zip; expand.exe handles .cab)
      New-Item -ItemType Directory -Path $extractPath -Force | Out-Null
      expand.exe -F:* $cabPath $extractPath


      Once you have the .cab file extracted, point MS Defender to use this location as its update source.
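
Putting the steps from the two question92120 replies above together (the share as update source, the signature pull, and the scheduled task), here is an added example of my own, not code from any post in this thread. It assumes a placeholder share path and task name, that the share already holds the update files in the layout Defender expects, and that the script is saved as a .ps1; it also checks whether the signature version actually moved and whether the share itself has gone stale.

```powershell
# Added example (not from any post in this thread). Assumed: $updateShare holds the
# definition update files laid out as Defender expects, and the script is saved as a .ps1.
$updateShare = "\\server\share\DefenderDefinitions"   # placeholder UNC path
$taskName    = "Defender-OfflineSignatureUpdate"      # placeholder task name

function Update-DefenderFromShare {
    param([Parameter(Mandatory)][string]$SharePath)

    if (-not (Test-Path -LiteralPath $SharePath)) {
        throw "Update share '$SharePath' is not reachable; keeping current signatures."
    }
    $before = Get-MpComputerStatus

    # Register the share as Defender's file-share source and try it before any online source.
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $SharePath
    Set-MpPreference -SignatureFallbackOrder "FileShares|MicrosoftUpdateServer|MMPC"

    # Pull signatures from the file share only; a failure here stops the script.
    Update-MpSignature -UpdateSource FileShares -ErrorAction Stop

    $after = Get-MpComputerStatus
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        VersionBefore    = $before.AntivirusSignatureVersion
        VersionAfter     = $after.AntivirusSignatureVersion
        Updated          = ($after.AntivirusSignatureVersion -ne $before.AntivirusSignatureVersion)
        SignatureAgeDays = $after.AntivirusSignatureAge
    }
}

$result = Update-DefenderFromShare -SharePath $updateShare
$result | Format-List

# A host can "update" successfully from a stale share; surface that case separately.
if ($result.SignatureAgeDays -gt 7) {
    Write-Warning "Signatures on $($result.Computer) are $($result.SignatureAgeDays) days old; refresh the share."
}

# Register a daily task (once) so the pull repeats whenever the host is on the LAN.
if (-not (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue)) {
    $action  = New-ScheduledTaskAction -Execute "powershell.exe" `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 3am
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -User "SYSTEM" -RunLevel Highest | Out-Null
}
```

Run it once elevated from the share-connected network; the Updated and SignatureAgeDays fields tell you whether the host really received fresh signatures rather than just completing the command.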
