Forum Discussion

Christopher__'s avatar
Christopher__
Copper Contributor
Sep 01, 2022
Solved

Update Confusion

Can someone help me understand how MDE/AV updates? I thought signatures, platform, and engine updates were handled though normal Windows update processes. However, I am now seeing articles like this ...
  • Jonhed's avatar
    Jonhed
    Sep 04, 2022

    The new product category listed in your linked article that is called "Defender for Endpoint" only targets the new Unified Agent in Windows Server 2012 R2/2016.

    These 2 platforms do not come with MsSense out of the box(not included in the OS) and therefore require separate updates. This is why the Defender for Endpoint product category is new.

    Windows 10/11, Windows server 2019 and above come with MsSense integrated on an OS level, so my understanding is that MsSense updates are included in the regular OS security updates.

Christopher__'s avatar
Christopher__
Copper Contributor
Sep 02, 2022

rahuljindal

 

Thanks for your response! Can you please help me understand what those MDE update classifications are? So far, I know about the following:

  1. AV Intelligence Updates
    1. Update Channel: KB2267602
    2. These are pushed out via SCCM/ConfigManager
    3. Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide#security-intelligence-updates
    4. Note: Cloud Protection also delivers dynamic updates that don't fall within the scope of KB2267602
  2. AV Engine Updates
    1. These are included in the previous intelligence updates and are released on a monthly cadence.
    2. Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide#security-intelligence-updates:~:text=Engine%20updates%20are%20included%20with%20security%20intelligence%20updates%20and%20are%20released%20on%20a%20monthly%20cadence.
  3. AV Platform Update
    1. Monthly updates released via KB4052623
      1. These are pushed out via SCCM/ConfigManager
    2. Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide#product-updates
  4.  EDR Sensor (MsSenes) Updates
    1. This is where I am struggling a little bit. The article in my original posts says the Defender for Endpoint EDR sensor update feature in ConfigManager/SCCM/WSUS is new. 
      1. How were these updates handled before this new feature?
      2. Does this only apply to "older" operating systems with the new unified agent?
      3. Overall, how are we supposed to handle updating, patching, etc. the EDR sensor (MsSense). 
Jonhed's avatar
Jonhed
Iron Contributor
Sep 04, 2022

The new product category listed in your linked article that is called "Defender for Endpoint" only targets the new Unified Agent in Windows Server 2012 R2/2016.

These 2 platforms do not come with MsSense out of the box(not included in the OS) and therefore require separate updates. This is why the Defender for Endpoint product category is new.

Windows 10/11, Windows server 2019 and above come with MsSense integrated on an OS level, so my understanding is that MsSense updates are included in the regular OS security updates.

Resources