Manage and report on Defender Antivirus Signature update versions through Microsoft Endpoint Manager
Microsoft Endpoint Manager provides a ton of functionality for managing Defender Antivirus. In a previous post we dived into configuring Defender Antivirus, so today we’ll be reviewing some of the specifics around Signature updates. Maybe your organization needs to quickly verify or update the signature version across all devices – if so, you’ve come to the right place!
Signature update configuration
As always, head over to the Microsoft Endpoint Manager admin center. If you’ve configured your devices to receive Defender Antivirus policy from MEM (as opposed to Group Policy or Configuration Manager), you can go to:
Endpoint security > Antivirus > select your antivirus policy
Once you’ve selected your policy, click Properties and under Configuration settings > Updates, you’ll see the Signature update settings you have in place:
If you need to update a setting, click Edit next to Configuration settings.
Quick note: notice the “Internal definition update server” option under “Define the order of sources for downloading definition updates.” Are you wondering how to set the internal definition update server location? As far as I can tell, you can’t set the internal definition update server via Microsoft Endpoint Manager. The internal definition update server option is referencing the group policy setting Specify Intranet Microsoft Update Service Location, which is set either via Group Policy for WSUS deployments or using the Configuration Manager agent. So this option would really only be used for hybrid Azure AD joined or co-managed devices using an on-premises update platform.
If you haven’t configured this policy before, check out our previous Defender Antivirus blog post! Head over to: Configure Microsoft Defender Antivirus with Intune – Device Advice
Signature update manual sync
If you want a device to check in sooner than its update interval, you can manually push a signature update check via the Microsoft Endpoint Manager admin center. Go to:
Devices > All devices > select the device you’d like to update
Then in the overview pane, click the overflow … icon and select Update Windows Defender security intelligence:
And click Yes to confirm:
In a few seconds, you’ll see it checking for updates on the client itself:
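To confirm the result from the client side, the following is an added example (not part of the original post) that reads the signature version, its age, and the update settings the device actually has in effect, using the built-in Defender cmdlets. The function name and the `MaxAgeDays` threshold are hypothetical; run it in an elevated PowerShell session on the device.

```powershell
# Added example: client-side check of Defender signature state and update settings.
function Get-DefenderSignatureSummary {
    param(
        # Hypothetical threshold: flag signatures older than this many days.
        [int]$MaxAgeDays = 2
    )

    $status = Get-MpComputerStatus   # current engine and signature state
    $pref   = Get-MpPreference       # effective settings, including those delivered by policy

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        EngineVersion        = $status.AMEngineVersion
        # Settings from the policy's Updates section, as the client sees them
        UpdateIntervalHours  = $pref.SignatureUpdateInterval
        SourceFallbackOrder  = $pref.SignatureFallbackOrder
        FileShareSources     = $pref.SignatureDefinitionUpdateFileSharesSources
        Stale                = ($status.AntivirusSignatureAge -gt $MaxAgeDays)
    }
}

$summary = Get-DefenderSignatureSummary
$summary | Format-List

# If the signatures are stale, request an update locally using the configured source order,
# then show the state again so the version change is visible.
if ($summary.Stale) {
    Update-MpSignature
    Get-DefenderSignatureSummary | Format-List
}
```

If `SourceFallbackOrder` or `UpdateIntervalHours` does not match what the policy shows under Configuration settings > Updates, the device has not yet applied the policy or another management source is overriding it.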
Signature update reporting
Need to create a report of all the Signature versions within the organization? No problem! In the Microsoft Endpoint Manager admin center, go to:
Reports > Microsoft Defender Antivirus (Preview) > Antivirus agent status:
Even if you’ve never run this report, click Generate again:
And that’s it! Even if you have thousands of devices, the report should only take minutes. It can report on the Defender signature version even if the AV policy isn’t managed by Microsoft Endpoint Manager.
Happy reporting! 🎰
nice write-up.