Create a custom gradual rollout process for Microsoft Defender updates
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
Platforms
- Windows
Note
This functionality requires Microsoft Defender Antivirus version 4.18.2106.X or newer.
To create your own custom gradual rollout process for Defender updates, you can use Group Policy, Intune, and PowerShell.
The following table lists the available group policy settings for configuring update channels:
| Setting title | Description | Location |
|---|---|---|
| Select gradual Microsoft Defender monthly platform update rollout channel | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. Beta Channel: Devices set to this channel are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. Current Channel (Preview): Devices set to this channel are offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. Current Channel (Staged): Devices are offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). Current Channel (Broad): Devices are offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). Critical- Time Delay: Devices are offered updates with a 48-hour delay. Suggested for critical environments only. If you disable or don't configure this policy, the device stays up to date automatically during the gradual release cycle. Suitable for most devices. |
Windows Components\Microsoft Defender Antivirus |
| Select gradual Microsoft Defender monthly engine update rollout channel | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. Beta Channel: Devices set to this channel are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. Current Channel (Preview): Devices set to this channel are offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. Current Channel (Staged): Devices are offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). Current Channel (Broad): Devices are offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). Critical- Time Delay: Devices are offered updates with a 48-hour delay. Suggested for critical environments only. If you disable or don't configure this policy, the device stays up to date automatically during the gradual release cycle. Suitable for most devices. |
Windows Components\Microsoft Defender Antivirus |
| Select gradual Microsoft Defender daily security intelligence updates rollout channel | Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. Current Channel (Staged): Devices are offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). Current Channel (Broad): Devices are offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). If you disable or don't configure this policy, the device stays up to date automatically during the daily release cycle. Suitable for most devices. |
Windows Components\Microsoft Defender Antivirus |
| Disable gradual rollout of Microsoft Defender updates | Enable this policy to disable gradual rollout of Defender updates. Current Channel (Broad): Devices set to this channel are offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: This setting applies to both monthly and daily Defender updates and overrides any previously configured channel selections for platform and engine updates. If you disable or don't configure this policy, the device remains in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. |
Windows Components\Microsoft Defender Antivirus\MpEngine |
Group Policy
Note
An updated Defender ADMX template are published together with the 21H2 release of Windows 10. A non-localized version is available for download at defender-updatecontrols on GitHub.
You can use Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object (GPO) you want to configure and select Edit.
Using the Group Policy Management Editor go to Computer configuration.
Select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus.
Expand the section (referred to as Location in the table in this article) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
Intune
Follow the instructions in below link to create a custom policy in Intune:
Add custom settings for Windows 10 devices in Microsoft Intune.
For more information on the Defender CSP used for the gradual rollout process, see Defender CSP.
PowerShell
Use the Set-MpPreference cmdlet to configure roll out of the gradual updates.
Use the following parameters:
Set-MpPreference
-PlatformUpdatesChannel Beta|Preview|Staged|Broad|Delayed|NotConfigured
-EngineUpdatesChannel Beta|Preview|Staged|Broad|Delayed|NotConfigured
-DisableGradualRelease 1|0
-DefinitionUpdatesChannel Staged|Broad|NotConfigured
Example:
Use Set-MpPreference -PlatformUpdatesChannel Beta to configure platform updates to arrive from the Beta Channel.
For more information on the parameters and how to configure them, see Set-MpPreference (Microsoft Defender Antivirus).
Note
You can also use a management tool such as Microsoft Configuration Manager to run PowerShell scripts. See Create and run PowerShell scripts from the Configuration Manager console for guidance on this topic.
Tip
If you're looking for Antivirus related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for