Forum Discussion
Microsoft Defender On-Premise (No Internet connectivity)
- Feb 27, 2022
Yes, it is possible to manage it using Microsoft Endpoint Configuration Manager and you may manage it on-premise. It is possible to manage it using Group Policy and PowerShell but you have some challenges. Offline definition updating is possible but you have to download the definition updates every day and then deploy them or add them to share files. Take a look at:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-mde-post-migration-configuration-manager
- question92120, Aug 16, 2024, Copper Contributor
"It is possible to manage it using Group Policy and PowerShell but you have some challenges."
Using PowerShell will give you the option to run scripts once a day to get the *.exe file from a share, and execute it once a day. You'll be blocked from doing this if your org doesn't allow storing network passwords locally within the scheduler so the install scripts can run.
Probably your best bet is using MS Active Directory, where you can deploy .msi files to update computers or userNames. You'll need to get a .exe to .msi wrapper to convert the file to .msi, or AD will not install it.
"Offline definition updating is possible but you have to download the definition updates every day and then deploy them or add them to share files."
- BenR87, Feb 28, 2022, Copper Contributor
Reza_Ameri Thanks for the reply! Is this also possible for a hybrid solution? About 10% of our devices are offline, the rest are online. So the cloud solution would be awesome for the majority of devices. Also, we don't use SCCM, so for just the 10% of devices policies and PowerShell would be fine.
- question92120, Aug 16, 2024, Copper Contributor
For Offline Devices (Local Management):
Periodically download the latest Defender security intelligence updates from the Microsoft website.
Use a local network share or removable media to distribute these updates to the offline devices.
Create Update Scripts: Write PowerShell scripts to automate the installation of updates on offline devices. These scripts can be run manually or scheduled to run at regular intervals when devices are connected to the local network.
Here's an example of a PowerShell script:
$updateSource = "\\server\share\DefenderDefinitions"
# Register the share as a definition source, then pull from it (Update-MpSignature has no -SourcePath parameter)
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $updateSource
Update-MpSignature -UpdateSource FileShares
Once you've got the script working, set up scheduled tasks on the offline devices to run the PowerShell script at regular intervals, if the device is connected to the offline local network.
If you're running an offline instance of MS AD server, configure Group Policy in AD to point to a local network share for updates. This allows offline devices to check a local source for the latest virus definitions.
- Reza_Ameri, Mar 01, 2022, Silver Contributor
The ideal hybrid model would be using Intune and SCCM, and it works well. However, in your scenario, you may manage them with cloud solutions like Intune and for those 10% write a manual script or modify the registry, but without SCCM you will have to do a lot of manual tasks.
- BenR87, Mar 03, 2022, Copper Contributor
Are there resources available for scenarios without SCCM? I read a lot about scripts and manual tasks, but can hardly find any examples. It would be great if we could see what the manual solution would involve before deciding on SCCM.