Forum Discussion
Cloud0009
Nov 09, 2022 Copper Contributor
GPO to auto update Defender AV platform version on Windows servers
We have 1200+ Windows servers (2012R2, 2016 and 2019) and all the servers are onboarded to MDE; however, when checking the Defender AV platform version report on the security portal, I can see all servers are...
Jonhed
Steel Contributor
Platform updates are received via Windows Update/Microsoft Update along with all other OS updates, so I think the only easy option here is to configure automatic updates for the whole OS.
If you do not want this to happen, I guess you might be able to configure some sort of script to download said KB and install, but not sure if there is a download link that does not change every month.
Also do note that 2012R2 and 2016 have sensor updates on top of Platform/Intelligence updates.
(listed as the product Defender for Endpoint in Microsoft Update catalog)
Cloud0009
Nov 13, 2022 Copper Contributor
Thank you for the response on this. However, I wanted to clarify the below:
When I pull Defender AV report from endpoint manager portal I can see all my devices running on different platforms and versions of defender AV as below:
AntiMalwareVersion EngineVersion SignatureVersion
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2209.7 1.1.19700.3 1.377.735.0
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2111.5 1.1.18800.4 1.355.2057.0
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2203.5 1.1.19200.5 1.363.1631.0
4.18.2201.10 1.1.18900.3 1.359.1176.0
4.18.2111.5 1.1.18800.4 1.355.2104.0
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2207.7 1.1.19600.3 1.375.670.0
4.18.2210.5 1.1.19800.4 1.379.122.0
4.18.2001.10 0.0.0.0 0.0.0.0
4.18.2210.5 1.1.19800.4 1.379.122.0
4.18.2210.5 1.1.19800.4 1.379.114.0
4.18.2210.5 1.1.19800.4 1.379.71.0
4.18.2210.5 1.1.19800.4 1.379.134.0
4.18.2111.5 1.1.18800.4 1.355.738.0
4.18.2104.10 1.1.17300.4 1.321.69.0
4.18.2210.5 1.1.19800.4 1.379.114.0
Hence I wanted to know how we can make sure all our endpoints and servers (onboarded to MDE) are getting the latest updates.
Is there any GPO way by which we can push all the Defender AV updates (antimalware, signature and version) to all the servers?
Jonhed
Nov 16, 2022 Steel Contributor
There is no way to push all types of MDAV updates.
If you require all versions to update (AntiMalwareVersion included), you would need to enable Automatic updates for the OS itself.
https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates#configure-automatic-updates
This will get all types of updates available for the OS itself, MDAV included, assuming the servers can get updates from the Microsoft Update service online, or from an internal WSUS server if you have that setup.
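Added example, not part of the thread and not written by either poster: a PowerShell check that takes rows in the format of the report above and lists which of the three version columns lag on each server. It assumes the baseline is the newest value present in the report itself; the server names and the function name `Get-DefenderVersionDrift` are hypothetical.

```powershell
# Rows copied from the report in the thread; the server names are constructed
# placeholders, since the thread lists none.
$report = @'
Server,AntiMalwareVersion,EngineVersion,SignatureVersion
srv-a,4.18.2210.5,1.1.19800.4,1.379.114.0
srv-b,4.18.2209.7,1.1.19700.3,1.377.735.0
srv-c,4.18.2111.5,1.1.18800.4,1.355.2057.0
srv-d,4.18.2001.10,0.0.0.0,0.0.0.0
srv-e,4.18.2104.10,1.1.17300.4,1.321.69.0
'@ | ConvertFrom-Csv

function Get-DefenderVersionDrift {
    param([Parameter(Mandatory)] [object[]] $Rows)

    $fields = 'AntiMalwareVersion', 'EngineVersion', 'SignatureVersion'

    # Baseline = newest value present in the report for each column. [version]
    # compares field by field as integers, so 1.355.2057.0 ranks above 1.355.738.0.
    $newest = @{}
    foreach ($f in $fields) {
        $newest[$f] = $Rows | ForEach-Object { [version]($_.$f) } |
            Sort-Object -Descending | Select-Object -First 1
    }

    foreach ($r in $Rows) {
        # Names of the columns where this server is older than the baseline.
        $behind = foreach ($f in $fields) {
            if ([version]($r.$f) -lt $newest[$f]) { $f }
        }
        [pscustomobject]@{
            Server          = $r.Server
            PlatformVersion = $r.AntiMalwareVersion
            # 0.0.0.0 means the row reports no engine version at all, so it is
            # flagged separately from rows that are merely behind.
            EngineMissing   = ([version]($r.EngineVersion) -eq [version]'0.0.0.0')
            Behind          = @($behind) -join ', '
        }
    }
}

Get-DefenderVersionDrift -Rows $report | Format-Table -AutoSize
```

On a live server the same three values are exposed by `Get-MpComputerStatus` as `AMProductVersion`, `AMEngineVersion` and `AntivirusSignatureVersion`.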