SOLVED

Update Confusion

Occasional Contributor

Can someone help me understand how MDE/AV updates? I thought signatures, platform, and engine updates were handled through normal Windows Update processes. However, I am now seeing articles like this (Enable Microsoft Defender For Endpoint Updates Patching Using SCCM And WSUS, HTMD Blog, anoopcnair.co...) that may suggest otherwise. Also, when I go to the Device Health report in the security center it tells me that my AV engine, intelligence versions, and platform versions are all up to date on every machine in my environment. I understand MDE well, but when it comes to managing things in SCCM/WSUS I get a little lost. I'm not sure why the update process in the article is needed if the solution is already being updated through normal Windows/AV updates.


Thank you!

3 Replies
There are multiple MDE update classifications. There are intelligence updates, and there are feature and functional updates delivered on a monthly cadence. Depending on how you are managing AV and MDE policies, the delivery mechanism for the updates can vary. There is also a fallback process for intelligence updates. It will look for on-premises sources, if any, like ConfigMgr/WSUS before falling back to Windows Update.

@rahuljindal-MVP


Thanks for your response! Can you please help me understand what those MDE update classifications are? So far, I know about the following:

  1. AV Intelligence Updates
    1. Update channel: KB2267602
    2. These are pushed out via SCCM/ConfigManager
    3. Reference: Manage Microsoft Defender Antivirus updates and apply baselines | Microsoft Docs
    4. Note: Cloud Protection also delivers dynamic updates that don't fall within the scope of KB2267602
  2. AV Engine Updates
    1. These are included in the intelligence updates above and are released on a monthly cadence.
    2. Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-m....
  3. AV Platform Updates
    1. Monthly updates released via KB4052623
      1. These are pushed out via SCCM/ConfigManager
    2. Reference: Manage Microsoft Defender Antivirus updates and apply baselines | Microsoft Docs
  4. EDR Sensor (MsSense) Updates
    1. This is where I am struggling a little bit. The article in my original post says the Defender for Endpoint EDR sensor update feature in ConfigManager/SCCM/WSUS is new.
      1. How were these updates handled before this new feature?
      2. Does this only apply to "older" operating systems with the new unified agent?
      3. Overall, how are we supposed to handle updating, patching, etc. for the EDR sensor (MsSense)?
best response confirmed by Christopher__ (Occasional Contributor)
Solution

The new product category listed in your linked article that is called "Defender for Endpoint" only targets the new Unified Agent in Windows Server 2012 R2/2016.

These 2 platforms do not come with MsSense out of the box (not included in the OS) and therefore require separate updates. This is why the Defender for Endpoint product category is new.

Windows 10/11, Windows Server 2019 and above come with MsSense integrated on an OS level, so my understanding is that MsSense updates are included in the regular OS security updates.
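The two posts above split Defender updating into the AV side (intelligence, engine, platform, with a fallback order across on-premises and Microsoft sources) and the EDR sensor side (MsSense, serviced either with the OS or, for the unified agent on Server 2012 R2/2016, through the separate WSUS/ConfigMgr product category). The PowerShell below is an added example, not code from the thread or from Microsoft, that reads both sets of facts off a single host so you can check the Device Health report against what the machine itself reports. It assumes an elevated session on a Windows host with the Defender module loaded, and it uses the default MsSense install path and the documented onboarding-status registry key; the build-number-to-channel mapping is taken from the answer above (9600 = Server 2012 R2, 14393 = Server 2016) and is an assumption for any other server SKU.

```powershell
# Added example (not from the original thread). Inventories the Defender AV update
# state and the EDR sensor servicing path on the local host. Run elevated.

function Get-DefenderUpdateState {
    # Get-MpComputerStatus / Get-MpPreference are part of the built-in Defender module.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    [pscustomobject]@{
        # Monthly platform update (KB4052623 in the post above)
        PlatformVersion            = $status.AMProductVersion
        # Engine version; ships on the same monthly cadence
        EngineVersion              = $status.AMEngineVersion
        # Security intelligence (KB2267602)
        SignatureVersion           = $status.AntivirusSignatureVersion
        SignatureLastUpdated       = $status.AntivirusSignatureLastUpdated
        SignatureAgeHours          = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
        # Order in which intelligence sources are tried, e.g. "InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC".
        # InternalDefinitionUpdateServer = WSUS/ConfigMgr, MicrosoftUpdateServer = Windows/Microsoft Update,
        # MMPC = direct download from Microsoft, FileShares = UNC paths set via Set-MpPreference.
        SignatureFallbackOrder     = $pref.SignatureFallbackOrder
        SignatureUpdateIntervalHrs = $pref.SignatureUpdateInterval
    }
}

function Get-SenseAgentState {
    # Assumption (from the answer above): on these builds MsSense is not in the OS, so the
    # separately installed unified agent is updated via the WSUS/ConfigMgr product category.
    $unifiedAgentBuilds = @(9600, 14393)   # 9600 = Server 2012 R2, 14393 = Server 2016

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Default install location of the sensor binary
    $sensePath = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection\MsSense.exe'
    $senseVer  = if (Test-Path $sensePath) { (Get-Item $sensePath).VersionInfo.ProductVersion } else { $null }

    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Documented onboarding status key: OnboardingState = 1 means the device is onboarded to MDE
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboard   = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState

    $channel = if ($build -in $unifiedAgentBuilds) {
        'Unified agent: WSUS/ConfigMgr "Defender for Endpoint" product category'
    } else {
        'OS-integrated: serviced with the monthly OS cumulative update'
    }

    [pscustomobject]@{
        OSCaption          = $os.Caption
        OSBuild            = $build
        SenseServiceState  = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        MsSenseVersion     = $senseVer
        Onboarded          = ($onboard -eq 1)
        SenseUpdateChannel = $channel
    }
}

function Invoke-IntelligenceRefresh {
    # Pull security intelligence from one explicit source so you can tell whether the
    # on-prem path (WSUS/ConfigMgr) actually serves updates, independent of the fallback order.
    param(
        [ValidateSet('InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC', 'FileShares')]
        [string]$Source = 'InternalDefinitionUpdateServer'
    )
    $before = (Get-MpComputerStatus).AntivirusSignatureVersion
    Update-MpSignature -UpdateSource $Source
    $after  = (Get-MpComputerStatus).AntivirusSignatureVersion
    [pscustomobject]@{ Source = $Source; Before = $before; After = $after; Changed = ($before -ne $after) }
}

# Usage: print the AV state, then the sensor state
Get-DefenderUpdateState | Format-List
Get-SenseAgentState     | Format-List
# Optional: confirm the on-prem source works before relying on the fallback chain
# Invoke-IntelligenceRefresh -Source InternalDefinitionUpdateServer
```

Reading the output against the thread: if `SignatureFallbackOrder` lists `InternalDefinitionUpdateServer` first, intelligence updates are expected from WSUS/ConfigMgr and only fall through to Microsoft Update when that source fails, which is the fallback behaviour described in the first reply. If `SenseUpdateChannel` reports the unified-agent path, the "Defender for Endpoint" product category has to be approved in WSUS/ConfigMgr or `MsSenseVersion` will stay frozen at the installed MSI version; on an OS-integrated build, `MsSenseVersion` moves with the cumulative update and no separate category is required.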