Manage event-based forced updates

Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.

Check for protection updates before running a scan

You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan.

Use Configuration Manager to check for protection updates before running a scan

  1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview > Endpoint Protection > Antimalware Policies).

  2. Go to the Scheduled scans section and set Check for the latest security intelligence updates before running a scan to Yes.

  3. Click OK.

  4. Deploy the updated policy as usual.

Use Group Policy to check for protection updates before running a scan

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. Using the Group Policy Management Editor, go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Microsoft Defender Antivirus > Scan.

  5. Double-click Check for the latest virus and spyware definitions before running a scheduled scan and set the option to Enabled.

  6. Click OK.

Use PowerShell cmdlets to check for protection updates before running a scan

Use the following cmdlets:

Set-MpPreference -CheckForSignaturesBeforeRunningScan $true

For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender cmdlets.

Use Windows Management Instrumentation (WMI) to check for protection updates before running a scan

Use the Set method of the MSFT_MpPreference class for the following properties:

CheckForSignaturesBeforeRunningScan

For more information, see Windows Defender WMIv2 APIs.
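
The following is an added example, not part of the original documentation: it sets CheckForSignaturesBeforeRunningScan through the Set method of MSFT_MpPreference, then reads the value back and reports signature freshness so you can confirm the change took effect. It assumes an elevated PowerShell session on a machine where Microsoft Defender Antivirus is the active antivirus; the function name Get-PreScanUpdateState is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: enable the pre-scan update check via WMI and verify the result.

$ns = 'root/Microsoft/Windows/Defender'   # namespace of the Defender WMIv2 provider

function Get-PreScanUpdateState {
    # Hypothetical helper: read the effective preference and signature status locally.
    $pref   = Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        ComputerName                        = $env:COMPUTERNAME
        CheckForSignaturesBeforeRunningScan = [bool]$pref.CheckForSignaturesBeforeRunningScan
        SignatureVersion                    = $status.AntivirusSignatureVersion
        SignatureLastUpdated                = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays                    = $status.AntivirusSignatureAge
    }
}

$before = Get-PreScanUpdateState

if (-not $before.CheckForSignaturesBeforeRunningScan) {
    # Same effect as: Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
    Invoke-CimMethod -Namespace $ns -ClassName MSFT_MpPreference -MethodName Set `
        -Arguments @{ CheckForSignaturesBeforeRunningScan = $true } | Out-Null
}

$after = Get-PreScanUpdateState

if (-not $after.CheckForSignaturesBeforeRunningScan) {
    # A local change that does not persist can mean a Group Policy or
    # Configuration Manager policy is managing this setting instead.
    Write-Warning 'CheckForSignaturesBeforeRunningScan is still disabled; check for a managing policy.'
}

# Show the state after the change, including how old the current signatures are.
$after | Format-List
```

Running the function on its own, without the Set call, gives a read-only audit of the setting and the signature age.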

Check for protection updates on startup

You can use Group Policy to force Microsoft Defender Antivirus to check and download protection updates when the machine is started.

  1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. Using the Group Policy Management Editor, go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Microsoft Defender Antivirus > Security Intelligence Updates.

  5. Double-click Check for the latest virus and spyware definitions on startup and set the option to Enabled.

  6. Click OK.

You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it is not running.

Use Group Policy to download updates when Microsoft Defender Antivirus is not present

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. Using the Group Policy Management Editor, go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Microsoft Defender Antivirus > Security Intelligence Updates.

  5. Double-click Initiate security intelligence update on startup and set the option to Enabled.

  6. Click OK.

Use PowerShell cmdlets to download updates when Microsoft Defender Antivirus is not present

Use the following cmdlets:

Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine

For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to manage Microsoft Defender Antivirus and Defender cmdlets.

Use Windows Management Instrumentation (WMI) to download updates when Microsoft Defender Antivirus is not present

Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureDisableUpdateOnStartupWithoutEngine

For more information, see Windows Defender WMIv2 APIs.

Allow ad hoc changes to protection based on cloud-delivered protection

Microsoft Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.

If you have enabled cloud-delivered protection, Microsoft Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender AV to automatically receive that protection update. Other important protection updates can also be applied.

Use Group Policy to automatically download recent updates based on cloud-delivered protection

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. Using the Group Policy Management Editor, go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Microsoft Defender Antivirus > Security Intelligence Updates.

  5. Double-click Allow real-time security intelligence updates based on reports to Microsoft MAPS and set the option to Enabled. Then click OK.

  6. Double-click Allow notifications to disable definitions-based reports to Microsoft MAPS and set the option to Enabled. Then click OK.

Note

The Allow notifications to disable definitions-based reports setting enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
