Virus scanners protect effectively only if they always use the latest definitions. Therefore, Microsoft Defender is not limited to getting its signature updates from the standard source for OS updates. Rather, you may specify several sources at once.

Microsoft deems the frequent download of definition files for the virus scanner so important that it provides separate update settings for it. Even if you get the patches for Windows from a WSUS server, Defender still fetches its signatures from Microsoft Update by default.

Private users and smaller environments usually do well with this method. This is the fastest way to get new virus definitions, and the update intervals are shorter than with WSUS, where requiring manual approval may cause additional delays.

Changing update sources in complex environments

However, in organizations with large networks, multiple offices, or a mobile workforce, requirements may call for granular management of Defender updates.

For example, it may be desirable to obtain virus signatures from WSUS on the LAN. However, if employees are away for longer periods of time, then Defender should fetch the definitions from Microsoft Update.

There are also scenarios where computers have no access to the Internet and no WSUS server is available. In this case, it would be ideal if the updates could come from a network share.

Sources with different priorities

A configuration in which Defender contacts different sources if the preferred ones are not available can be implemented using the Signature Fallback Order.

It supports WSUS ("InternalDefinitionUpdateServer"), Microsoft Update ("MicrosoftUpdateServer"), network shares ("FileShares"), and security intelligence updates and platform updates for Microsoft Defender Antivirus ("MMPC") as sources. Their priority is determined by their order, which is set using the following syntax:

InternalDefinitionUpdateServer | MicrosoftUpdateServer | FileShares | MMPC

In this example, WSUS would come first, then Microsoft Update, network shares, and finally, MMPC.

Configuration using PowerShell

In the first step, you can use PowerShell to display the current configuration for signature updates:

Get-MpPreference | select SignatureFallbackOrder

By default, you will get

MicrosoftUpdateServer | MMPC

as a result.

To change this setting, proceed according to this pattern:

Set-MpPreference -SignatureFallbackOrder "InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC"
Specify the order of the update sources for the virus definitions via PowerShell


Define fallback order via Group Policy

The setting for this purpose can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates and is called Define the order of sources for downloading security intelligence updates.

If you enable it, you can add the sources to the input field.

Controlling the order of update sources for Microsoft Defender via Group Policy


The group policies have an additional setting that allows Microsoft Update to be used as a source for mobile devices if an internal update server is not available. It is called Allow security intelligence updates from Microsoft Update.

Microsoft Update opt in setting


However, it is unclear whether you have to allow Microsoft Update explicitly. The documentation states that this is necessary "if you have set WSUS to override Microsoft Update."

Set path to download directory

If computers are to obtain their definition updates from a network share, it must be configured separately. It is possible to specify the UNC paths for multiple directories using the syntax described above:

\\server1\fileshare | \\server2\fileshare

With PowerShell, you can easily query the current status here, as well:

Get-MpPreference | select -Property SignatureDefinitionUpdateFileSharesSources

By default, no directories are defined. To do so, issue a command following this pattern:

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources "\\server1\fileshare | \\server2\fileshare"

If you want to reverse this setting, execute this command:

Remove-MpPreference -SignatureDefinitionUpdateFileSharesSources
Define shared directories for downloading virus signatures with PowerShell


If you prefer to use Group Policy for this task, the appropriate setting can also be found in the Security Intelligence Updates folder and is called Define file shares for downloading security intelligence updates.

There, you can also enter multiple paths separated by '|'.

Defining file shares for downloading virus signatures


Updating via mobile networks

To ensure that devices receive up-to-date signatures, even if they are connected to the Internet via mobile networks for a long time, you can allow downloading via metered connections.

In PowerShell, use the following command to do this:

Set-MpPreference -MeteredConnectionUpdates $true
Allow download of definition updates via metered connections


The equivalent in Group Policy is Allows Microsoft Defender Antivirus to update and communicate over a metered connection.
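
The three settings above depend on each other, so it is worth checking them together. The following audit function is an added example, not part of the original article; the name Test-DefenderUpdateSources and the sample values are assumptions made for illustration. It validates the source names in the fallback order, checks that file shares and the FileShares entry match, and flags paths that are not UNC paths.

```powershell
# Added example. Test-DefenderUpdateSources is a hypothetical helper, not a built-in cmdlet.
function Test-DefenderUpdateSources {
    param([string]$FallbackOrder, [string]$FileShares, [bool]$MeteredUpdates)

    $known    = 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'FileShares', 'MMPC'
    $findings = [System.Collections.Generic.List[string]]::new()

    # Both settings are '|'-separated lists; tolerate spaces around the separator.
    $split  = { param($v) "$v" -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
    $order  = @(& $split $FallbackOrder)
    $shares = @(& $split $FileShares)

    if ($order.Count -eq 0) { $findings.Add('No fallback order is configured.') }
    foreach ($src in $order) {
        if ($src -notin $known) { $findings.Add("Unknown source name '$src'.") }
    }
    $order | Group-Object | Where-Object Count -gt 1 |
        ForEach-Object { $findings.Add("Source '$($_.Name)' is listed more than once.") }

    # The share list and the FileShares entry are configured separately; compare them.
    if ($order -contains 'FileShares' -and $shares.Count -eq 0) {
        $findings.Add('FileShares is in the order, but no share path is defined.')
    }
    if ($shares.Count -gt 0 -and $order -notcontains 'FileShares') {
        $findings.Add('Share paths are defined, but FileShares is not in the order.')
    }
    foreach ($s in $shares) {
        if ($s -notmatch '^\\\\[^\\]+\\[^\\]+') { $findings.Add("'$s' is not a UNC path.") }
    }
    # Devices that leave the LAN need a Microsoft-hosted source to fall back to.
    if (-not ($order | Where-Object { $_ -in 'MicrosoftUpdateServer', 'MMPC' })) {
        $findings.Add('No Microsoft-hosted source in the order (expected only for offline networks).')
    }
    [pscustomobject]@{
        Order = $order; Shares = $shares; MeteredUpdates = $MeteredUpdates; Findings = $findings
    }
}

# Constructed sample values: FileShares is listed, but the second path is a local path.
$result = Test-DefenderUpdateSources -FallbackOrder 'InternalDefinitionUpdateServer | FileShares | MMPC' `
    -FileShares '\\server1\fileshare | D:\defs' -MeteredUpdates $false
$result.Findings

# On a live system, pass the real settings instead:
#   $p = Get-MpPreference
#   Test-DefenderUpdateSources $p.SignatureFallbackOrder $p.SignatureDefinitionUpdateFileSharesSources $p.MeteredConnectionUpdates
```

To confirm that signatures are actually arriving from the configured sources, compare the result with the AntivirusSignatureAge and AntivirusSignatureLastUpdated properties of Get-MpComputerStatus.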


Although Microsoft Defender is an integrated component of Windows, it follows its own logic when updating virus signatures. By default, the definitions come from Microsoft Update, even if the PC is configured as a client for WSUS.


However, it is possible to specify multiple sources in order of priority. If one is not accessible, Defender turns to the next one in the pipeline. For systems without access to the Internet, signatures can be stored on file shares and entered as the source via PowerShell or GPO.



© 4sysops 2006 - 2023

