Microsoft Defender for Endpoint’s Safe Deployment Practices
Published Aug 15 2024 10:38 PM 19.3K Views
Microsoft

For customers it is key to understand that software vendors use safe deployment practices that help them build resilient processes that maintain productivity. This blog addresses Microsoft Defender for Endpoint’s architectural design and its approach to delivering security updates, which is grounded in Safe Deployment Practices (SDP).

 

Microsoft Defender for Endpoint helps protect organizations against sophisticated adversaries while optimizing for resiliency, performance, and compatibility, following best practices for managing security tools in Windows.

 

Security tools running on Windows can balance security and reliability through careful product design, as described in this post by David Weston. Security vendors can use optimized sensors which operate within kernel mode for data collection and enforcement, limiting the risk of reliability issues. The remainder of the security solution, including managing updates, loading content, and user interaction, can occur isolated within user mode, where any reliability issues are less impactful. This architecture enables Defender for Endpoint to limit its reliance on kernel mode while protecting customers in real-time.

 

Tina_Coll_0-1723759733428.png

Image 1: Defender for Endpoint integration into Windows architecture

 

In the remainder of this blog post, we outline Microsoft’s use of safe deployment practices for Defender for Endpoint, our 1st party endpoint protection solution.

 

Defender for Endpoint applies safe deployment practices to two distinct update mechanisms:

 

  1. Software and driver updates that are updated monthly (and potentially can update kernel-mode components).
  2. Security intelligence and detection logic updates that may be updated multiple times per day and apply only to user-mode components.

This blog outlines in-depth how Defender for Endpoint approaches SDP and what customers can do to manage their own roll-out process for an additional layer of control.

 

1. Software and driver updates

Defender for Endpoint releases monthly software and driver updates that add new functionality, improve existing features, and resolve bugs. Defender for Endpoint’s kernel drivers capture system-wide signals like process execution, file creation, and network activity. These drivers are updated through Windows Update, over a gradual and staged deployment process after spending weeks in stabilization and testing. The deployment evaluation monitors key metrics like reliability, performance, battery, application compatibility, and more across hardware and software configurations. 

 

Tina_Coll_0-1723761339882.png

Image 2: Process for rolling out software and driver updates for Defender for Endpoint

 

Microsoft safeguards

All code and content changes go through engineering release gates along with extensive validations and stability testing. After the certification and validation process, Microsoft ships the updates through multiple groups of devices known as stabilization rings. The first stabilization ring targets Microsoft’s hundreds of thousands of employees and millions of internal devices. This helps ensure we discover and address issues first, before customers.

 

Within each ring, we closely monitor quality signals such as product behavior and performance, false positives, as well as functional and reliability issues, before proceeding to roll out the update to a broader set of devices. Customers can control the rings that are assigned to their device groups, including early access groups, to see how each update may interact with their devices and provide feedback to Microsoft before it is released.

 

Once internal testing is successfully completed, Microsoft then releases the updates externally in a staggered manner to ensure stability. During this time, Microsoft continuously monitors the rollout. That way we can quickly respond and remotely resolve any issues by reverting or reissuing update packages.


Customer controls

In addition to Microsoft’s safe deployment practices, organizations can also manage monthly updates with their own safe deployment policies through various controls:

  • Control the delivery of agent updates to their devices by their device groups and the timing of updates.
  • Apply patch management software and practices for security component updates that can also arrive in the form of monthly Latest Cumulative Updates (LCUs).
  • Use manual or automated rollback options to revert or reset components to a last known good state. 

 

2. Security intelligence and detection logic updates

In addition to monthly code updates, Microsoft releases security intelligence updates which are installed on devices to supplement the real-time local and cloud-based machine learning models, behavior analysis, and heuristics that enable Defender for Endpoint to neutralize the latest known cyberthreats.

 

Given the high frequency at which these updates need to be delivered to protect customers, it’s not possible to deploy these through the same deployment process. Therefore, Defender for Endpoint does not include kernel changes in intelligence updates. Instead, daily updates are only delivered to components that run in the user mode of the operating system. This approach helps mitigate the risk of these more frequent updates from impacting the broader operating system and, in the unlikely event of an error, limits the risk of significant negative effects like system crashes and ensures devices can be automatically recovered.

 

Microsoft safeguards

Similar to the process for software and driver updates, Microsoft ships security intelligence updates after extensive testing and rolls them out starting with internal devices, early access customers, and then releases them externally in a controlled, gradual manner. We continually monitor telemetry and can mitigate issues through the cloud in minutes.

 

Customer controls

Customers can also manage security intelligence updates with their own safe deployment policies through various controls:

  • Stage updates through corporate networks or software management solutions.
  • Apply updates at a lower frequency for critical systems. Daily releases can be applied at a lower frequency for certain device groups, including servers critical to running your infrastructure.
  • Use rollback controls. As a last resort, it's possible to revert or reset components to a last known good state using rollback controls.

 

Microsoft has long invested in safe deployment practices and established a robust SDP model in how we deliver updates to customers of Defender for Endpoint. In addition, customers have full control over how updates are delivered and how controls are applied to their device estate. This model of shared control helps ensure security and resiliency. 

 

Resources

  • To start a free, 90-day trial of Defender for Endpoint, sign up here.
  • To learn more about how you can control rollout of Defender for Endpoint’s updates and join early access groups, check out these resources for Windows, Mac, and Linux.

 

1 Comment
Co-Authors
Version history
Last update:
‎Aug 15 2024 06:08 PM
Updated by: