Microsoft deems the frequent download of definition files for the virus scanner so important that it provides separate update settings for it. Even if you get the patches for Windows from a WSUS server, Defender still fetches its signatures from Microsoft Update by default.
Private users and smaller environments usually do well with this method. This is the fastest way to get new virus definitions, and the update intervals are shorter than with WSUS, where requiring manual approval may cause additional delays.
Changing update sources in complex environments
However, in organizations with large networks, multiple offices, or a mobile workforce, requirements may call for granular management of Defender updates.
For example, it may be desirable to obtain virus signatures from WSUS on the LAN. However, if employees are away for longer periods of time, then Defender should fetch the definitions from Microsoft Update.
There are also situations in which computers have no Internet access and no WSUS server is available. In this case, it would be ideal if the updates could come from a network share.
Sources with different priorities
A configuration in which Defender contacts different sources if the preferred ones are not available can be implemented using the Signature Fallback Order.
It supports WSUS ("InternalDefinitionUpdateServer"), Microsoft Update ("MicrosoftUpdateServer"), network shares ("FileShares"), and security intelligence updates and platform updates for Microsoft Defender Antivirus ("MMPC") as sources. Their priority is determined by their order, which is set using the following syntax:
InternalDefinitionUpdateServer | MicrosoftUpdateServer | FileShares | MMPC
In this example, WSUS would come first, then Microsoft Update, then network shares, and finally MMPC.
Configuration using PowerShell
In the first step, you can use PowerShell to display the current configuration for signature updates:
Get-MpPreference | select SignatureFallbackOrder
By default, you will get
MicrosoftUpdateServer | MMPC
as a result.
To change this setting, proceed according to this pattern:
Set-MpPreference -SignatureFallbackOrder "InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC"
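As an added example that is not part of the original article, the following PowerShell function wraps the Get-MpPreference/Set-MpPreference calls shown above so that a typo in a source name or a duplicate entry is caught before the live setting is touched, and the value is read back afterwards to confirm the change was accepted. The function name and the list of accepted source names are this example's own; the source names themselves are the four listed in the text.

```powershell
# Added example, not from the article: validate and apply a SignatureFallbackOrder.
# Must run in an elevated PowerShell session; Set-MpPreference writes Defender policy.

# The four sources the Signature Fallback Order accepts (from the article).
$script:AllowedSources = 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'FileShares', 'MMPC'

function Set-DefenderFallbackOrder {
    param(
        # Sources in priority order, e.g. 'InternalDefinitionUpdateServer','MicrosoftUpdateServer','MMPC'
        [Parameter(Mandatory)]
        [string[]]$Order
    )

    # Reject unknown names and duplicates before changing anything.
    $unknown = $Order | Where-Object { $_ -notin $script:AllowedSources }
    if ($unknown) { throw "Unknown source(s): $($unknown -join ', ')" }
    if (($Order | Select-Object -Unique).Count -ne $Order.Count) { throw 'Duplicate source in order' }

    # Compare as token lists so whitespace differences in the stored string do not matter.
    $current = (Get-MpPreference).SignatureFallbackOrder
    $currentTokens = @($current -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if (($currentTokens -join ',') -eq ($Order -join ',')) {
        Write-Host "Fallback order already '$current'; nothing to do."
        return
    }

    $desired = $Order -join ' | '
    Write-Host "Changing fallback order from '$current' to '$desired'"
    Set-MpPreference -SignatureFallbackOrder $desired

    # Read back and verify; a silent failure here means clients keep the old order.
    $after = (Get-MpPreference).SignatureFallbackOrder
    $afterTokens = @($after -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if (($afterTokens -join ',') -ne ($Order -join ',')) {
        throw "Verification failed: setting now reads '$after'"
    }
    Write-Host 'Fallback order applied and verified.'
}

# WSUS on the LAN first, Microsoft Update for roaming clients, MMPC as last resort.
Set-DefenderFallbackOrder -Order 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC'
```

If the setting is also delivered by Group Policy, the GPO value wins and the local change will be overwritten at the next policy refresh; the read-back check in the function is what makes that visible.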
Define fallback order via Group Policy
The setting for this purpose can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates and is called Define the order of sources for downloading security intelligence updates.
If you enable it, you can add the sources to the input field.
The group policies have an additional setting that allows Microsoft Update to be used as a source for mobile devices if an internal update server is not available. It is called Allow security intelligence updates from Microsoft Update.
However, it is unclear whether you have to allow Microsoft Update explicitly. The documentation states that this is necessary "if you have set WSUS to override Microsoft Update."
Set path to download directory
If computers are to obtain their definition updates from a network share, the share must be configured separately. You can specify the UNC paths of multiple directories using the syntax described above:
\\server1\fileshare | \\server2\fileshare
With PowerShell, you can easily query the current status here, as well:
Get-MpPreference | select -Property SignatureDefinitionUpdateFileSharesSources
By default, no directories are defined. To do so, issue a command following this pattern:
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources "\\server1\fileshare | \\server2\fileshare"
If you want to reverse this setting, execute this command:
If you prefer to use Group Policy for this task, the appropriate setting can also be found in the Security Intelligence Updates folder and is called Define file shares for downloading security intelligence updates.
There, you can also enter multiple paths separated by '|'.
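The following PowerShell is an added example, not code from the article, that configures the file share sources described in this section. It checks that each value is a UNC path and whether it is reachable from the local host before calling Set-MpPreference, and it warns if "FileShares" is missing from the fallback order, since the article lists that token as the source that makes Defender consult these paths. The server names are the article's placeholders; the function name is this example's own. Clearing the setting with Remove-MpPreference is shown at the end as the reverse of the Set command.

```powershell
# Added example, not from the article: define and verify Defender file share sources.
# Requires an elevated session.

function Set-DefenderFileShareSources {
    param(
        # UNC paths that hold the definition update files, in priority order.
        [Parameter(Mandatory)]
        [string[]]$Paths
    )

    foreach ($p in $Paths) {
        # Must look like \\server\share (optionally with subfolders).
        if ($p -notmatch '^\\\\[^\\]+\\[^\\]+') { throw "Not a UNC path: $p" }
        # Reachability from the admin host is only a hint; clients may see a different network.
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Share not reachable from this host right now: $p"
        }
    }

    $value = $Paths -join ' | '
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $value

    $after = (Get-MpPreference).SignatureDefinitionUpdateFileSharesSources
    Write-Host "File share sources now: '$after'"

    # The paths are only used if FileShares is part of the fallback order.
    $order = (Get-MpPreference).SignatureFallbackOrder
    if ($order -notmatch 'FileShares') {
        Write-Warning "'FileShares' is not in SignatureFallbackOrder ('$order'); add it or these paths are never consulted."
    }
}

# Placeholder servers from the article; replace with real share paths.
Set-DefenderFileShareSources -Paths '\\server1\fileshare', '\\server2\fileshare'

# To reverse the setting, drop the file share sources again (leaves other preferences untouched).
# Remove-MpPreference -SignatureDefinitionUpdateFileSharesSources
```

Keep the share read-only for clients and restrict write access to the account that stages the update files; a writable definition share is a supply path into every endpoint that trusts it.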
Updating via mobile networks
To ensure that devices receive up-to-date signatures, even if they are connected to the Internet via mobile networks for a long time, you can allow downloading via metered connections.
In PowerShell, use the following command to do this:
Set-MpPreference -MeteredConnectionUpdates $true
The equivalent in Group Policy is Allows Microsoft Defender Antivirus to update and communicate over a metered connection.
Although Microsoft Defender is an integrated component of Windows, it follows its own logic when updating virus signatures. By default, the definitions come from Microsoft Update, even if the PC is configured as a client for WSUS.
However, it is possible to specify multiple sources in order of priority. If one is not accessible, Defender turns to the next one in the pipeline. For systems without access to the Internet, signatures can be stored on file shares and entered as the source via PowerShell or GPO.
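Whichever source order you configure, the useful check afterwards is whether signatures actually arrive and how old they are. The following function is an added example, not code from the article: it combines the three preferences discussed above with the signature status that Get-MpComputerStatus reports, and flags a host whose signatures are older than a threshold you pick. The function name and the 3-day default are this example's own choices.

```powershell
# Added example, not from the article: report Defender update configuration and signature age.

function Get-DefenderUpdateReport {
    param(
        # Signatures older than this many days are flagged as stale (assumed threshold).
        [int]$MaxAgeDays = 3
    )

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        FallbackOrder        = $pref.SignatureFallbackOrder
        FileShareSources     = $pref.SignatureDefinitionUpdateFileSharesSources
        MeteredUpdates       = $pref.MeteredConnectionUpdates
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        Stale                = [bool]($status.AntivirusSignatureAge -gt $MaxAgeDays)
    }
}

# Local host:
Get-DefenderUpdateReport | Format-List

# Across several machines (WinRM must be enabled); hostnames are placeholders.
# Invoke-Command -ComputerName 'client01', 'client02' -ScriptBlock ${function:Get-DefenderUpdateReport} |
#     Where-Object Stale | Format-Table ComputerName, SignatureAgeDays, FallbackOrder
```

A host that reports a sensible fallback order but a stale signature age is the case worth investigating: typically the preferred source is unreachable from that network segment and the fallback is not being reached either.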