Manage the sources for Windows Defender Antivirus protection updates

Applies to:

There are two components to managing protection updates - where the updates are downloaded from, and when updates are downloaded and applied.

This topic describes where you can specify the updates should be downloaded from, also known as the fallback order.

See Manage Windows Defender Antivirus updates and apply baselines topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).

There are five locations where you can specify where an endpoint should obtain updates. Typically, you would configure endpoints to individually download the updates from a primary source, followed by the other sources in order of priority based on your network configuration.

Updates will be obtained from the sources in the order you specify. If a source is not available, the next source in the list will be used.

You can use the following sources:

When updates are published, some logic will be applied to minimize the size of the update. In most cases, only the "delta" (or the differences between the latest update and the update that is currently installed on the endpoint) will be downloaded and applied. However, the size of the delta depends on:

  • How old the current update on the endpoint is
  • Which source you use

The older the updates on an endpoint, the larger the download. However, you must also consider frequency versus size - a more frequent update schedule may result in more ad hoc network usage, while a less-frequent schedule may result in larger file sizes.

Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth.

The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).

Important

If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 14 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services). You can, however, set the number of days before protection is reported as out-of-date.

Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:

Location Sample scenario
WSUS You are using WSUS to manage updates for your network.
Microsoft Update You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates.
File share You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the VDI deployment guide for how file shares can be used in virtual desktop infrastructure (VDI) environments.
Configuration Manager You are using System Center Configuration Manager to update your endpoints.
MMPC You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for VDI deployment. This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for a specified number of days.

You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.

Important

If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See To synchronize endpoint protection updates in standalone WSUS for more details.

The procedures in this article first describe how to set the order, and then how to set up the File share option if you have enabled it.

Use Group Policy to manage the update location:

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Windows Defender > Signature updates and configure the following settings:

    1. Double-click the Define the order of sources for downloading definition updates setting and set the option to Enabled.

    2. Enter the order of sources, separated by a single pipe, for example: InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC, as shown in the following screenshot.

    Screenshot of group policy setting listing the order of sources

    1. Click OK. This will set the order of protection update sources.

    2. Double-click the Define file shares for downloading definition updates setting and set the option to Enabled.

    3. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use standard UNC notation for denoting the path, for example: \\host-name1\share-name\object-name|\\host-name2\share-name\object-name. If you do not enter any paths then this source will be skipped when the VM downloads updates.

    4. Click OK. This will set the order of file shares when that source is referenced in the Define the order of sources... group policy setting.

Use Configuration Manager to manage the update location:

See Configure Security intelligence Updates for Endpoint Protection for details on configuring System Center Configuration Manager (current branch).

Use PowerShell cmdlets to manage the update location:

Use the following PowerShell cmdlets to set the update order.

Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}

See the following for more information:

Use Windows Management Instruction (WMI) to manage the update location:

Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSource

See the following for more information:

Use Mobile Device Management (MDM) to manage the update location:

See Policy CSP - Defender/SignatureUpdateFallbackOrder for details on configuring MDM.