Microsoft Tech Community

Defender definition updates


Hi All. I've been using Defender ATP for a few weeks now and I have two questions.

1) Do definition updates still need to be pushed to the PCs via my SCCM patching system, or does ATP take care of those and distribute them to registered clients?
2) Are there any recommended books, courses, or resources available to learn more about ATP?

Thanks 

SCCM (SCEP) is only needed for "down level" operating systems such as Windows Server 2012 R2 and older, or Windows 7 or 8.1.
Beginning in Windows 10 and Windows Server 2016, Microsoft Defender is natively built into the operating system, so there is no need to have a SCEP agent deployed to manage AV definitions.
But yes, SCEP is required for older OS, and therefore you need SCCM to distribute definition updates to those operating systems.

To learn more about MDATP, here are some of the available resources.

Microsoft Product Group Webinar on April 2nd:
https://youtu.be/U7jWbXx_bmE

There were 18 MDATP Sessions at Ignite that you can watch:
https://myignite.techcommunity.microsoft.com/sessions (Search for Defender)

MDATP Resources on Github:
https://github.com/alexverboon/MDATP#microsoft-blog-posts-on-microsoft-advanced-threat-protection

MDATP Documentation:
https://docs.microsoft.com/en-us/windows/security/threat-protection/

MDATP Best Practices (My article)
https://www.thecloudtechnologist.com/mdatp-best-practices/

MDATP PowerShell Module
https://github.com/alexverboon/PSMDATP

MDATP Tutorials
https://securitycenter.windows.com/tutorials/all

MDATP Training
https://docs.microsoft.com/en-us/learn/modules/m365-security-threat-protect/

MDATP Blog
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog

Certification Track
https://www.microsoft.com/microsoft-365/partners/tech-hub/security
@Joe Stocker is there any way you can tell which "Security intelligence version"/definition the devices are running from securitycenter.windows.com, or get a report on devices that have not been updated within the last week?

Unfortunately not directly, but you could use an Advanced Hunting Query: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/General%20queries/MD...

If you are using Microsoft Endpoint Manager (Intune) or SCCM, you can check the definition and platform versions there: https://deviceadvice.io/2020/12/07/manage-and-report-on-defender-antivirus-signature-update-versions...

You could also build something yourself using PowerShell cmdlets (Get-MpComputerStatus): https://docs.microsoft.com/en-us/powershell/module/defender/?view=windowsserver2019-ps

About your question no. 2: Unfortunately, the best I know is that you read all the available stuff in Microsoft Docs around Defender for Endpoint.

Great resources are:
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/become-a-microsoft-defender-f...
https://github.com/alexverboon/MDATP#microsoft-blog-posts-on-microsoft-advanced-threat-protection
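The reply above suggests building a report with Get-MpComputerStatus. The script below is an added example written for this thread, not code from any of the linked resources or from Microsoft. It queries a list of devices over PowerShell Remoting, collects the security intelligence (signature) version, engine version and platform version, and flags devices whose definitions are older than a chosen number of days, which answers the "not updated within the last week" part of the question. It assumes WinRM is enabled on the targets and that the account running it is a local administrator there; the device names and the 7-day threshold are constructed placeholders.

```powershell
# Added example: report Defender signature versions across devices and flag stale ones.
# Assumes PowerShell Remoting (WinRM) is enabled and the caller is an admin on the targets.
# ComputerName values and MaxAgeDays are constructed placeholders, not from the thread.
param(
    [string[]]$ComputerName = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02'),
    [int]$MaxAgeDays = 7,
    [string]$CsvPath = ''
)

# Run Get-MpComputerStatus on every target and shape the result into one row per device.
# Unreachable hosts are collected in $connErrors instead of aborting the whole run.
$results = Invoke-Command -ComputerName $ComputerName `
    -ErrorAction SilentlyContinue -ErrorVariable connErrors -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Device               = $env:COMPUTERNAME
        SignatureVersion     = $s.AntivirusSignatureVersion      # "Security intelligence version"
        SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $s.AntivirusSignatureAge          # days since the last definition update
        EngineVersion        = $s.AMEngineVersion
        PlatformVersion      = $s.AMProductVersion
        RealTimeProtection   = $s.RealTimeProtectionEnabled
    }
}

# Devices that did not answer: these are the ones a hunting query would also miss,
# so list them explicitly rather than letting them disappear from the report.
$unreachable = $ComputerName | Where-Object { $_ -notin $results.PSComputerName }

# Devices whose definitions are older than the threshold.
$stale = $results | Where-Object { $_.SignatureAgeDays -gt $MaxAgeDays }

Write-Host "Defender signature report ($($results.Count) of $($ComputerName.Count) devices reachable)"
$results |
    Sort-Object SignatureAgeDays -Descending |
    Format-Table Device, SignatureVersion, SignatureLastUpdated, SignatureAgeDays,
                 EngineVersion, PlatformVersion, RealTimeProtection -AutoSize

if ($stale) {
    Write-Host "`nDevices with definitions older than $MaxAgeDays days:" -ForegroundColor Yellow
    $stale | Format-Table Device, SignatureVersion, SignatureAgeDays -AutoSize
}

if ($unreachable) {
    Write-Host "`nUnreachable devices (no status returned):" -ForegroundColor Yellow
    $unreachable | ForEach-Object { Write-Host "  $_" }
    # Keep the underlying remoting errors available for troubleshooting.
    $connErrors | ForEach-Object { Write-Verbose $_.Exception.Message }
}

# Optional CSV export so the report can be fed to a ticketing or SIEM pipeline.
if ($CsvPath) {
    $results | Select-Object Device, SignatureVersion, SignatureLastUpdated, SignatureAgeDays,
                             EngineVersion, PlatformVersion, RealTimeProtection |
        Export-Csv -Path $CsvPath -NoTypeInformation
}
```

Run it as `.\Get-DefenderSignatureReport.ps1 -ComputerName (Get-Content .\devices.txt) -MaxAgeDays 7 -CsvPath .\defender-signatures.csv` (script name assumed). To check only the local machine, `Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AntivirusSignatureAge` gives the same three fields without remoting. Note that AntivirusSignatureAge is measured from the device's own last update, so a device that has been powered off for a week will correctly show as stale once it comes back online and is queried.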