cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Update Confusion

Christopher__
Copper Contributor

‎Sep 01 2022 11:01 AM

‎Sep 01 2022 11:01 AM

Update Confusion

Can someone help me understand how MDE/AV updates? I thought signatures, platform, and engine updates were handled though normal Windows update processes. However, I am now seeing articles like this ( Enable Microsoft Defender For Endpoint Updates Patching Using SCCM And WSUS HTMD Blog (anoopcnair.co... that may suggest otherwise. Also, when I go to the Device Health report in the security center it tells me that my AV engine, intelligence versions, and platform versions are all up to date on ever machine in my environment. I understand MDE well but when it comes to managing things in SCCM/WSUS I get a little lost. I'm not sure why the update process is the article is needed if the solution is already being updated though normal windows/AV updates.

 

Thank you!

1,358 Views
0 Likes
3 Replies
Reply
3 Replies
rahuljindal-MVP

‎Sep 01 2022 01:55 PM

‎Sep 01 2022 01:55 PM

Re: Update Confusion

There are multiple MDE update classifications. There is intelligence updates and there are feature and functional updates delivered through monthly cadence. Depending on how you are managing AV and MDE policies, the delivery mechanism for the updates can vary. There is also a fallback process for intelligence updates. It will look for on-premises sources if any like ConfigMgr\Wsus before falling back to Windows update.
0 Likes
Reply
Christopher__

‎Sep 02 2022 07:00 AM

‎Sep 02 2022 07:00 AM

Re: Update Confusion

@rahuljindal-MVP

 

Thanks for your response! Can you please help me understand what those MDE update classifications are? So far, I know about the following:

  1. AV Intelligence Updates
    1. Update Channel: KB2267602
    2. These are pushed out via SCCM/ConfigManager
    3. Reference: Manage Microsoft Defender Antivirus updates and apply baselines | Microsoft Docs
    4. Note: Cloud Protection also delivers dynamic updates that don't fall within the scope of KB2267602
  2. AV Engine Updates
    1. These are included in the previous intelligence updates and are released on a monthly cadence.
    2. Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-m....
  3. AV Platform Update
    1. Monthly updates released via KB4052623
      1. These are pushed out via SCCM/ConfigManager
    2. Reference: Manage Microsoft Defender Antivirus updates and apply baselines | Microsoft Docs
  4.  EDR Sensor (MsSenes) Updates
    1. This is where I am struggling a little bit. The article in my original posts says the Defender for Endpoint EDR sensor update feature in ConfigManager/SCCM/WSUS is new. 
      1. How were these updates handled before this new feature?
      2. Does this only apply to "older" operating systems with the new unified agent?
      3. Overall, how are we supposed to handle updating, patching, etc. the EDR sensor (MsSense). 
0 Likes
Reply
best response confirmed by Christopher__ (Copper Contributor)
Jonhed

‎Sep 04 2022 06:29 AM - edited ‎Sep 04 2022 06:30 AM

‎Sep 04 2022 06:29 AM - edited ‎Sep 04 2022 06:30 AM

Solution

Re: Update Confusion

The new product category listed in your linked article that is called "Defender for Endpoint" only targets the new Unified Agent in Windows Server 2012 R2/2016.

These 2 platforms do not come with MsSense out of the box(not included in the OS) and therefore require separate updates. This is why the Defender for Endpoint product category is new.

Windows 10/11, Windows server 2019 and above come with MsSense integrated on an OS level, so my understanding is that MsSense updates are included in the regular OS security updates.

1 Like
Reply