SOLVED

GPO to auto update defender AV platform version on windows servers

Copper Contributor

We have 1200+ windows servers (2012R2, 2016 and 2019) and all the servers are on boarded to MDE however when checking defender AV platform version report on security portal, I can see all servers are running on different defender AV platform versions. tried to find any GPO steps which I can create to make sure all the servers gets defender AV platform updates automatically however could not find any GPO way to achieve this. We are not managing servers by SCCM or WSUS update hence GPO is the only way forward for us.

During my own research I found that MS releases defender AV platform update under KB4052623 but could not get any way to make sure this get installed automatically on all the servers.

 

3 Replies

@Cloud0009 

Platform updates are received via Windows Update/Microsoft Update along with all other OS updates, so I think the only easy option here is to configure automatic updates for the whole OS.

 

If you do not want this to happen, I guess you might be able to configure some sort of script to download said KB and install, but not sure if there is a download link that does not change every month.

Also do note that 2012R2 and 2016 has sensor updates on top of Platform/Intelligence updates.

(listed as the product Defender for Endpoint in Microsoft Update catalog)

Thank you for the response on this however I wanted to clarify below:
When I pull Defender AV report from endpoint manager portal I can see all my devices running on different platforms and versions of defender AV as below:

AntiMalwareVersion EngineVersion SignatureVersion
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2209.7 1.1.19700.3 1.377.735.0
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2111.5 1.1.18800.4 1.355.2057.0
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2203.5 1.1.19200.5 1.363.1631.0
4.18.2201.10 1.1.18900.3 1.359.1176.0
4.18.2111.5 1.1.18800.4 1.355.2104.0
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2207.7 1.1.19600.3 1.375.670.0
4.18.2210.5 1.1.19800.4 1.379.122.0
4.18.2001.10 0.0.0.0 0.0.0.0
4.18.2210.5 1.1.19800.4 1.379.122.0
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2210.5 1.1.19800.4 1.379.71.0
4.18.2210.5 1.1.19800.4 1.379.134.0
4.18.2111.5 1.1.18800.4 1.355.738.0
4.18.2104.10 1.1.17300.4 1.321.69.0
4.18.2210.5 1.1.19800.4 1.379.114.0
Hence wanted to know how can we make sure all our endpoints and servers (on barded to MDE) are getting latest updates.
If there there is any GPO way by which we can push all the defender AV updates (antimalware, signature and version) to all the servers?

best response confirmed by Cloud0009 (Copper Contributor)
Solution
There is no way to push all types of MDAV updates.

If you require all versions to update (AntilmalwareVersion included), you would need to enable Automatic updates for the OS itself.
https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deplo...

This will get all types of updates available for the OS itself, MDAV included, assuming the servers can get updates from the Microsoft Update service online, or from an internal WSUS server if you have that setup.
1 best response

Accepted Solutions
best response confirmed by Cloud0009 (Copper Contributor)
Solution
There is no way to push all types of MDAV updates.

If you require all versions to update (AntilmalwareVersion included), you would need to enable Automatic updates for the OS itself.
https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deplo...

This will get all types of updates available for the OS itself, MDAV included, assuming the servers can get updates from the Microsoft Update service online, or from an internal WSUS server if you have that setup.

View solution in original post