Tech Community Live: Microsoft Security
Dec 03 2024, 07:00 AM - 11:30 AM (PST)
Microsoft Tech Community
SOLVED

Microsoft Defender On-Premise (No Internet connectivity)

Copper Contributor

Hello,

 

Is there a way to mange/configure/administer  MS Defender clients in an On-Premise environment with no connection to Azure cloud management portals please?

 

Many Thanks,

Graeme

14 Replies

I would like to know this as well. We are currently looking into switching to Defender. Quite a few devices in are network are offline. These include Windows 10 machines. From what I've read in another topic, these W10 devices can be problematic in an offline configuration. Is this still the case or are there solutions in place to counter this?

If you are planning to use Defender as only AV solution then yes you can manage on-prem endpoints without connection to MDE but still you need to find a way to download Defender security intelligence and platform updates. If you are planning to use Defender as EDR+NGAV solution then you must work on allowing your on-prem endpoints to connect MDE urls. note:Proxy can be configured to connect on-prem endpoints to MDE cloud services,
best response confirmed by SecEngLayer2 (Copper Contributor)
Solution
Yes, it is possible to manage it using Microsoft Endpoint Configuration Manager and you many manage it on-premise. It is possible to manage it using Group Policy and PowerShell but you have some challenges. Offline updating definition is possible but you have to download the definition updates everyday and then deploy them or add them to share files. Take a look at:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-mde-post-migration-...

@Reza_AmeriThanks for the reply! Is this also possible for a hybrid solution? About 10% of our devices are offline, the rest is online. So the cloud solution would be awesome for the majority of devices. Also, we don't use SCCM, so for just the 10% of devices policies and powershell would be fine.

ideal hybrid model would be using Intune and SCCM and it works well. However, in your scenario, you may manage them with could solutions like Intune and for those 10% write manual script or modify registry but without SCCM you will have to do a lot of manual tasks.
Are there resources available for scenarios without SCCM? I read a lot about scripts and manual tasks, but can hardly find any examples. It would be great if we could see what the manual solution would involve before deciding for SCCM.

Thanks for pointing me to the resources, Reza! What I'm actually missing is the practical implementation for this hybrid (Powershell + cloud) solution. It almost seems that Microsoft doesn't support this and we actually need to patch things together to make this 'work'.

Yes, there is no supported PowerShell + Cloud and you have to design and implement your own scenario. The hybrid scenario recommended from Microsoft is Intune+ConfigMgr and Microsoft also simplified the licensing requirements and working on simplifying hybrid model in such a case.
It is possible to manage it using Group Policy and PowerShell but you have some challenges.
Using Powershell will give you the option to run scripts once a day to get the *.exe file from a share, and execute it once a day. You'll be blocked from doing this if your org doesn't allow storing network passwords locally within the scheduler so the install scripts can run.
Probably. your best bet is using MS Active Directory where you can deploy .msi files to update computers or userNames. You'll need to get a .exe to .msi wrapper to convert the file to .msi, or AD will not install it.
Offline updating definition is possible but you have to download the definition updates everyday and then deploy them or add them to share files.

From an automated scripting perspective, You'll have to find a way to install all those *.exe virus definition files into windows endpoints.  Defender has some configuration options, and one is to point to a virus definition file, and program defender to download and install that file on a regular basis. Can you use defender to install *.exe virus definition files you get off the Microsoft website, to all your endpoints to automate this process?
No, the approach will not work with the standalone .exe virus definition files you get off the Microsoft website.
Microsoft Defender Antivirus uses a different mechanism to update virus definitions from local or UNC paths, which typically involves specific file formats such as .vdm or .cab files, rather than standalone .exe files.
To have Microsoft Defender point to an update file on your network, You'll need to extract the .cab files and then copy them to the network file server.

 

You can create a startup or logon script in PowerShell or batch that extracts and installs the .cab file. This script can then be deployed via a GPO.
Example PowerShell script:

$cabPath = "\\server\share\mpam-fe.cab"
$extractPath = "C:\DefenderDefinitions"
# Extract the .cab file
Expand-Archive -Path $cabPath -DestinationPath $extractPath

 

Once you have the .cab file extracted, point MS defender to use this location for its repo spot. 

Set up a local source for virus definitions on the network (such as a file server). Configure Microsoft Defender Antivirus to check this local source first before attempting to connect to the internet. This can be done via Group Policy or registry settings.

 

 

You can manage on-premises endpoints without a direct connection to Microsoft Defender for Endpoint (MDE). However, to keep these endpoints protected, you still need to ensure they receive regular Defender security intelligence (virus definitions) and platform updates.
These updates must be manually downloaded and distributed to the endpoints, typically using a local network share, USB drives, or other offline methods.
Regularly download the latest Defender security intelligence updates and platform updates from the Microsoft website, burn to DVD, then sneaker net over to your closed network for install.

 

Microsoft Defender for Endpoint (MDE) primarily operates as a cloud-based service, and there isn't an official on-premises deployment model for MDE that mirrors the full functionality of the cloud version. However, for environments that require limited or no internet access, Microsoft offers Microsoft Defender Antivirus with on-premises management capabilities, and you can use Microsoft Endpoint Configuration Manager (MECM) or Group Policy for more controlled, on-premises scenarios.

For Offline Devices (Local Management):
Periodically download the latest Defender security intelligence updates from the Microsoft website.
Use a local network share or removable media to distribute these updates to the offline devices.
Create Update Scripts: Write PowerShell scripts to automate the installation of updates on offline devices. These scripts can be run manually or scheduled to run at regular intervals when devices are connected to the local network.
Here's an example of a Powershell script:
$updateSource = "\\server\share\DefenderDefinitions"
Update-MpSignature -UpdateSource Folder -SourcePath $updateSource

Once you got the script working, Set up scheduled tasks on offline devices to run the PowerShell script at regular intervals, if the device is connected to the offline local network.

If you're running an off-line instance of MS AD server, Configure Group Policy in AD to point to a local network share for updates. This allows offline devices to check a local source for the latest virus definitions.

1 best response

Accepted Solutions
best response confirmed by SecEngLayer2 (Copper Contributor)
Solution
Yes, it is possible to manage it using Microsoft Endpoint Configuration Manager and you many manage it on-premise. It is possible to manage it using Group Policy and PowerShell but you have some challenges. Offline updating definition is possible but you have to download the definition updates everyday and then deploy them or add them to share files. Take a look at:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-mde-post-migration-...

View solution in original post