Manage the sources for Windows Defender Antivirus protection updates

Applies to:

Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Windows Defender Antivirus:

  • Where the updates are downloaded from; and
  • When updates are downloaded and applied.

This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See Manage Windows Defender Antivirus updates and apply baselines topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).

Important

Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Fallback order

Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used immediately.

When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:

  • The age of the last update on the device; and
  • The source used to download and apply updates.

The older the updates on an endpoint, the larger the download will be. However, you must also consider download frequency as well. A more frequent update schedule can result in more network usage, whereas a less-frequent schedule can result in larger file sizes per download.

There are five locations where you can specify where an endpoint should obtain updates:

To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.

Important

If you have set Microsoft Malware Protection Center Security intelligence page (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). You can, however, set the number of days before protection is reported as out-of-date.

Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:

Location Sample scenario
Windows Server Update Service You are using Windows Server Update Service to manage updates for your network.
Microsoft Update You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.
File share You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the VDI deployment guide for how file shares can be used in virtual desktop infrastructure (VDI) environments.
Microsoft Endpoint Configuration Manager You are using Microsoft Endpoint Configuration Manager to update your endpoints.
Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) Make sure your devices are updated to support SHA-2. Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for VDI deployment. This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for a specified number of days.

You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.

Important

If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see synchronize endpoint protection updates in standalone Windows Server Update Service.

The procedures in this article first describe how to set the order, and then how to set up the File share option if you have enabled it.

Use Group Policy to manage the update location

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Windows Defender > Signature updates and configure the following settings:

    1. Double-click the Define the order of sources for downloading security intelligence updates setting and set the option to Enabled.

    2. Enter the order of sources, separated by a single pipe, for example: InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC, as shown in the following screenshot.

    Screenshot of group policy setting listing the order of sources

    1. Click OK. This will set the order of protection update sources.

    2. Double-click the Define file shares for downloading security intelligence updates setting and set the option to Enabled.

    3. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use standard UNC notation for denoting the path, for example: \\host-name1\share-name\object-name|\\host-name2\share-name\object-name. If you do not enter any paths, then this source will be skipped when the VM downloads updates.

    4. Click OK. This will set the order of file shares when that source is referenced in the Define the order of sources... group policy setting.

Note

For Windows 10, versions 1703 up to and including 1809, the policy path is Windows Components > Windows Defender Antivirus > Signature Updates For Windows 10, version 1903, the policy path is Windows Components > Windows Defender Antivirus > Security Intelligence Updates

Use Configuration Manager to manage the update location

See Configure Security intelligence Updates for Endpoint Protection for details on configuring Microsoft Endpoint Configuration Manager (current branch).

Use PowerShell cmdlets to manage the update location

Use the following PowerShell cmdlets to set the update order.

Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}

See the following articles for more information:

Use Windows Management Instruction (WMI) to manage the update location

Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSource

See the following articles for more information:

Use Mobile Device Management (MDM) to manage the update location

See Policy CSP - Defender/SignatureUpdateFallbackOrder for details on configuring MDM.

What if we're using a third-party vendor?

This article describes how to configure and manage updates for Windows Defender Antivirus. However, third-party vendors can be used to perform these tasks.

For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Windows Defender Antivirus. Fabrikam typically uses Windows Management Instrumentation, PowerShell cmdlets, or Windows command-line to deploy patches and updates.

Note

Microsoft does not test third-party solutions for managing Windows Defender Antivirus.