Feb 21 2022 07:08 AM
Hello,
Is there a way to manage/configure/administer MS Defender clients in an on-premise environment with no connection to Azure cloud management portals, please?
Many Thanks,
Graeme
Feb 25 2022 02:24 AM
I would like to know this as well. We are currently looking into switching to Defender. Quite a few devices in our network are offline. These include Windows 10 machines. From what I've read in another topic, these W10 devices can be problematic in an offline configuration. Is this still the case, or are there solutions in place to counter this?
Feb 28 2022 05:29 AM
@Reza_Ameri Thanks for the reply! Is this also possible for a hybrid solution? About 10% of our devices are offline; the rest are online. So the cloud solution would be awesome for the majority of devices. Also, we don't use SCCM, so for just the 10% of devices, policies and PowerShell would be fine.
Mar 04 2022 12:43 AM - edited Mar 04 2022 12:52 AM
Thanks for pointing me to the resources, Reza! What I'm actually missing is the practical implementation for this hybrid (PowerShell + cloud) solution. It almost seems that Microsoft doesn't support this and we actually need to patch things together to make this 'work'.
Aug 15 2024 09:47 PM - edited Aug 15 2024 10:24 PM
From an automated scripting perspective, you'll have to find a way to install all those *.exe virus definition files on Windows endpoints. Defender has some configuration options, and one is to point to a virus definition file and program Defender to download and install that file on a regular basis. Can you use Defender to install the *.exe virus definition files you get off the Microsoft website to all your endpoints, to automate this process?
No, the approach will not work with the standalone .exe virus definition files you get off the Microsoft website.
Microsoft Defender Antivirus uses a different mechanism to update virus definitions from local or UNC paths, which typically involves specific file formats such as .vdm or .cab files, rather than standalone .exe files.
To have Microsoft Defender point to an update file on your network, you'll need to extract the .cab files and then copy them to the network file server.
You can create a startup or logon script in PowerShell or batch that extracts and installs the .cab file. This script can then be deployed via a GPO.
Example PowerShell script:
$cabPath = "\\server\share\mpam-fe.cab"
$extractPath = "C:\DefenderDefinitions"
# Create the destination folder if it does not exist yet
New-Item -ItemType Directory -Path $extractPath -Force | Out-Null
# Extract the .cab file. Expand-Archive only understands .zip archives,
# so use the built-in expand.exe, which handles cabinet files.
expand.exe $cabPath -F:* $extractPath
Once you have the .cab file extracted, point Microsoft Defender to this location as its update repository.
Aug 15 2024 10:01 PM - edited Aug 16 2024 03:03 AM
Set up a local source for virus definitions on the network (such as a file server). Configure Microsoft Defender Antivirus to check this local source first before attempting to connect to the internet. This can be done via Group Policy or registry settings.
Aug 15 2024 10:05 PM - edited Aug 16 2024 03:02 AM
You can manage on-premises endpoints without a direct connection to Microsoft Defender for Endpoint (MDE). However, to keep these endpoints protected, you still need to ensure they receive regular Defender security intelligence (virus definitions) and platform updates.
These updates must be manually downloaded and distributed to the endpoints, typically using a local network share, USB drives, or other offline methods.
Regularly download the latest Defender security intelligence updates and platform updates from the Microsoft website, burn them to DVD, then sneakernet them over to your closed network for installation.
Microsoft Defender for Endpoint (MDE) primarily operates as a cloud-based service, and there isn't an official on-premises deployment model for MDE that mirrors the full functionality of the cloud version. However, for environments that require limited or no internet access, Microsoft offers Microsoft Defender Antivirus with on-premises management capabilities, and you can use Microsoft Endpoint Configuration Manager (MECM) or Group Policy for more controlled, on-premises scenarios.
Aug 15 2024 10:15 PM - edited Aug 15 2024 10:17 PM
For Offline Devices (Local Management):
Periodically download the latest Defender security intelligence updates from the Microsoft website.
Use a local network share or removable media to distribute these updates to the offline devices.
Create Update Scripts: Write PowerShell scripts to automate the installation of updates on offline devices. These scripts can be run manually or scheduled to run at regular intervals when devices are connected to the local network.
Here's an example of a PowerShell script:
$updateSource = "\\server\share\DefenderDefinitions"
# Register the share as a definition source (Update-MpSignature has no -SourcePath parameter)
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $updateSource
Update-MpSignature -UpdateSource FileShares
Once you've got the script working, set up scheduled tasks on the offline devices to run the PowerShell script at regular intervals, whenever the device is connected to the offline local network.
If you're running an offline instance of Active Directory, configure Group Policy to point to a local network share for updates. This allows offline devices to check a local source for the latest virus definitions.
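The "local source first, cloud as fallback" configuration described two posts up and the scheduled refresh described in this post, combined into one added example. This script is not from any of the original posts; the share path, task name and 7-day staleness threshold are placeholders, and it assumes the share has already been populated with the definition package Defender expects (what that package must look like is not settled in this thread). Run it once with -RegisterTask on each machine; the -Hybrid switch is for the 90% of devices that are normally online.

```powershell
<#
  Added example (not from the original thread): point Microsoft Defender
  Antivirus at a local share, decide whether the cloud is tried afterwards,
  pull definitions now, report what the engine is running, and optionally
  register a daily task that re-runs this script.
  Assumptions: $Share, $TaskName and $MaxAgeDays are placeholders.
#>
param(
    [string]$Share      = "\\server\share\DefenderDefinitions",  # assumed path
    [string]$TaskName   = "Defender-LocalSignatureRefresh",       # assumed name
    [int]   $MaxAgeDays = 7,                                      # assumed threshold
    [switch]$Hybrid,        # also try Microsoft Update / MMPC when the share fails
    [switch]$RegisterTask   # create the scheduled task on this run
)

# 1. Tell Defender where the local copies live. Several shares may be given,
#    separated by '|'; they are tried in order.
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $Share

# 2. Source order. Offline-only machines get just the share; hybrid machines
#    try the share first and only then reach out to Microsoft.
if ($Hybrid) {
    Set-MpPreference -SignatureFallbackOrder "FileShares|MicrosoftUpdateServer|MMPC"
} else {
    Set-MpPreference -SignatureFallbackOrder "FileShares"
}

# 3. Pull definitions from the share now. The error is non-terminating by
#    default, so force it to surface instead of silently continuing.
try {
    Update-MpSignature -UpdateSource FileShares -ErrorAction Stop
} catch {
    Write-Warning "Update from $Share failed: $($_.Exception.Message)"
}

# 4. Verify what the engine is actually using and flag stale signatures.
$status = Get-MpComputerStatus
$age    = (Get-Date) - $status.AntivirusSignatureLastUpdated
"Signature version : $($status.AntivirusSignatureVersion)"
"Engine version    : $($status.AMEngineVersion)"
"Last updated      : $($status.AntivirusSignatureLastUpdated) ($([int]$age.TotalDays) days ago)"
if ($age.TotalDays -gt $MaxAgeDays) {
    Write-Warning "Signatures are older than $MaxAgeDays days; check the contents of $Share."
}

# 5. Optionally schedule this same script daily as SYSTEM, so a machine that is
#    only intermittently on the LAN catches up whenever the share is reachable.
if ($RegisterTask) {
    $taskArgs = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Share `"$Share`""
    if ($Hybrid) { $taskArgs += " -Hybrid" }
    $action    = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $taskArgs
    $trigger   = New-ScheduledTaskTrigger -Daily -At "3:00AM"
    $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
    "Registered scheduled task '$TaskName'."
}
```

The staleness check in step 4 is the part worth keeping even if you distribute the files some other way: on an air-gapped machine a failed pull is silent unless something compares AntivirusSignatureLastUpdated against the date you expect, and the same few lines can be run by hand on a device that has just been carried back onto the network.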