If you have a look at Microsoft Cybersecurity Reference Architecture (MCRA) and Microsoft Zero Trust implementation guidance, you will come across the immutable laws of security: The immutable laws of security | Microsoft Learn
This is a set of 10 commandments or statements meant to bust prevalent security myths.
The 8th law, stating that an out-of-date antimalware scanner is only marginally better than no scanner at all, inspired this blog.
Despite being, in my opinion, an amazing product, Defender for Endpoint can be complex because of its multiple components, and its updates, especially across Windows operating systems, require a good understanding of the product.
In this blog, we will focus on the antivirus/antimalware (AV) and endpoint detection and response (EDR) components, and dive into configuring and monitoring Defender for Endpoint update status in your environment.
What are the different types of updates in MDE?
A - On Windows
The AV engine and platform updates are part of the platform update package included in KB4052623.
This package is installed under c:\programdata\Microsoft\Windows Defender\Platform\<version>
The application mpcmdeng.exe runs as a service named windefend with Windows Defender as its display name.
The EDR sensor agent updates are part of the Sense package included in KB5005292.
This package is installed under c:\programdata\Microsoft\Windows Defender Advanced Threat Protection\Platform\<version>
The application sense.exe runs as a service named sense with Windows Defender Advanced Threat Protection as its display name.
The signature definition (security intelligence) updates are included in KB2267602.
They can be found under c:\programdata\Microsoft\Windows Defender\Definition Updates\<guid>
B - On Linux
The agent update packages are available from https://packages.microsoft.com/<os>/<version>/<channel>/<year>/Packages/m
Where:
<os>: your distribution, such as ubuntu or amazonlinux
<version>: the distribution version, such as 16.04 for ubuntu
<channel>: insiders-fast, insiders-slow or prod
<year>: the release year, such as 2023
You can also retrieve previous versions from this location.
When using your favourite package manager, such as apt-get or yum, you need to configure the repo using https://packages.microsoft.com/config/<os>/<version>/<channel>.<extension>
For example:
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/prod.repo
C - On MacOS
Updates are managed using Microsoft Auto Update (MAU) and msupdate
How often are updates released?
AV and EDR prod agents are released monthly, with hotfixes released when necessary.
It is highly recommended to run the latest versions to benefit from the latest features and fixes.
Signature definitions are released approximately every 4 hours.
You should make sure to retrieve the latest package and check every 1-2 hours for new releases.
You can subscribe to the RSS feed to be alerted when those web pages are updated, i.e. when new versions are released: https://learn.microsoft.com/api/search/rss?search=%22Microsoft+Defender+Antivirus+security+intelligence+and+product+updates%22&locale=en-us
You can also integrate that feed with Microsoft Teams or Exchange Online using Power Automate. Nikkie Chapple has already demonstrated this on her blog; please have a look at Nikkie's work:
How can I manually retrieve updates?
A - On Windows
You can configure where agent updates and signatures are retrieved from: directly from Microsoft, from your update orchestrator such as WSUS or Configuration Manager (SCCM), or from a central file share.
To initiate a manual update of the signature definitions, you can use PowerShell:
Update-MpSignature
Or command prompt:
c:\programdata\Microsoft\Windows Defender Advanced Threat Protection\Platform\<version>\MpCmdRun.exe -SignatureUpdate
To update the agents manually, go to the Microsoft Update Catalog, then search for and install KB4052623 (AV) or KB5005292 (EDR).
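As an added example (not code from the original post), the script below reads the local component versions and signature age with the built-in Defender module, and runs the manual Update-MpSignature step above only when the signatures are older than a threshold. The 8-hour threshold is an assumed value, and the script assumes an elevated session.

```powershell
# Check the local Defender update state and refresh signatures only when stale.
param([timespan]$MaxSignatureAge = (New-TimeSpan -Hours 8))   # assumed threshold

function Get-DefenderUpdateState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        PlatformVersion  = $s.AMProductVersion            # platform package (KB4052623)
        EngineVersion    = $s.AMEngineVersion             # AV engine
        SignatureVersion = $s.AntivirusSignatureVersion   # security intelligence (KB2267602)
        LastUpdated      = $s.AntivirusSignatureLastUpdated
        AvServiceRunning = $s.AMServiceEnabled            # windefend
        # EDR sensor ("sense" service); $null on devices that are not onboarded
        SenseService     = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status
    }
}

function Invoke-SignatureRefreshIfStale {
    param([timespan]$MaxAge)
    $before = Get-DefenderUpdateState
    $age    = (Get-Date) - $before.LastUpdated
    if ($age -le $MaxAge) {
        Write-Output ("Signatures {0} are {1:N1}h old, within the {2}h threshold." -f
            $before.SignatureVersion, $age.TotalHours, $MaxAge.TotalHours)
        return $before
    }
    Write-Warning ("Signatures {0} are {1:N1}h old; forcing an update." -f
        $before.SignatureVersion, $age.TotalHours)
    Update-MpSignature -ErrorAction Stop
    $after = Get-DefenderUpdateState
    if ($after.SignatureVersion -eq $before.SignatureVersion) {
        # Still the same version: the configured update sources are the first thing to check
        $order = (Get-MpPreference).SignatureFallbackOrder
        Write-Warning "Version unchanged after update; check the sources in order: $order"
    }
    return $after
}

Invoke-SignatureRefreshIfStale -MaxAge $MaxSignatureAge | Format-List
```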
B- On Linux
Signature updates are retrieved from Microsoft, and agent updates depend on your package config file. You can edit it to point to a local satellite or retrieve them directly from Microsoft.
To update the signature definitions, run:
mdatp definitions update
To update your agent, update the mdatp package using your package manager, for example:
yum update mdatp -y
C - On MacOs
Updates are retrieved directly from Microsoft.
To update the signature definitions, run:
mdatp definitions update
To update the agent manually, open Microsoft Auto Update (MAU) and click Check for Updates.
How do I configure automatic updates?
A - On Windows
KB4052623 and KB5005292, the AV and EDR agent updates, are categorised under the Microsoft Defender for Endpoint product in the Microsoft Update Catalog, so ensure this product category is enabled in your standalone WSUS server or in your Configuration Manager environment.
Signature definition updates are configured using Group Policy, Configuration Manager, Intune, PowerShell or WMI with the settings below:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSource
SignatureScheduleDay
SignatureScheduleTime
SignatureUpdateInterval
Reference:
Manage how and where Microsoft Defender Antivirus receives updates | Microsoft Learn
Schedule Microsoft Defender Antivirus protection updates | Microsoft Learn
Endpoint Protection antimalware policies - Configuration Manager | Microsoft Learn
Windows Antivirus policy settings for Microsoft Defender Antivirus for Intune | Microsoft Learn
SignatureFallbackOrder
This setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. The possible values are:
InternalDefinitionUpdateServer: Configuration Manager or WSUS
MicrosoftUpdateServer: Windows Update (recommended)
MMPC: Microsoft Malware Protection Center
FileShares: the file shares configured in SignatureDefinitionUpdateFileSharesSource
The setting will be displayed differently depending on the deployment method:
Group Policy: Location: Computer Settings > Administrative templates > Windows components > Windows Defender > Signature updates Display name: Define the order of sources for downloading security intelligence updates
Configuration Manager: Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Set sources and order for Endpoint Protection client updates
Intune: Location: Endpoint security > Antivirus Display name: Define the order of sources for downloading definition updates
SignatureDefinitionUpdateFileSharesSource
This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }".
The setting will show as:
Group Policy: Location: Computer Settings > Administrative templates > Windows components > Windows Defender > Signature updates Display name: Define file shares for downloading security intelligence updates
Configuration Manager: Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Configure Definition Update Sources and select Updates from UNC file shares.
Intune: Location: Endpoint security > Antivirus Display name: Define file shares for downloading definition updates
SignatureScheduleDay
This policy setting allows you to specify the day of the week to check for security intelligence updates.
The setting will show as:
Group Policy: Location: Computer Settings > Administrative templates > Windows components > Microsoft Defender Antivirus > Security Intelligence Updates Display name: Specify the day of the week to check for security intelligence updates
Configuration Manager: N/A
Intune: N/A
SignatureScheduleTime
This policy setting allows you to specify the time of day to check for security intelligence updates.
The setting will show as:
Group Policy: Location: Computer Settings > Administrative templates > Windows components > Microsoft Defender Antivirus > Security Intelligence Updates Display name: Specify the time to check for security intelligence updates
Configuration Manager: Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Check for Endpoint Protection security intelligence daily at.
Intune: N/A
SignatureUpdateInterval
This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).
The setting will show as:
Group Policy: Location: Computer Settings > Administrative templates > Windows components > Microsoft Defender Antivirus > Security Intelligence Updates Display name: Specify the interval to check for security intelligence updates
Configuration Manager: Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Check for Endpoint Protection security intelligence at a specific interval (hours).
Intune: Location: Endpoint security > Antivirus Display name: Enter how often (0-24 hours) to check for security intelligence updates
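As an added example (not from the original post), the script below applies the five settings above locally with Set-MpPreference and reads them back to show the effective values. The update order, UNC share paths, schedule and 4-hour interval are assumed placeholders; note that the cmdlet spells the share parameter SignatureDefinitionUpdateFileSharesSources (plural), and that a Group Policy or MDM value for the same setting takes precedence over a local preference.

```powershell
# Desired signature update policy (placeholder values for this example)
$desired = @{
    # Contact Windows Update first, then WSUS/ConfigMgr, then MMPC, then the shares
    SignatureFallbackOrder                     = 'MicrosoftUpdateServer|InternalDefinitionUpdateServer|MMPC|FileShares'
    SignatureDefinitionUpdateFileSharesSources = '\\fileserver01\DefenderUpdates|\\fileserver02\DefenderUpdates'
    SignatureScheduleDay                       = 'Everyday'
    SignatureScheduleTime                      = '02:00'
    SignatureUpdateInterval                    = 4      # hours; valid range is 1-24
}

function Set-DefenderSignatureUpdatePolicy {
    param([hashtable]$Settings)
    if ($Settings.SignatureUpdateInterval -notin 1..24) {
        throw "SignatureUpdateInterval must be between 1 and 24 hours"
    }
    Set-MpPreference @Settings -ErrorAction Stop

    # Read back; an effective value that differs from the request usually means a
    # Group Policy / MDM setting is overriding the local preference
    $p = Get-MpPreference
    foreach ($name in 'SignatureFallbackOrder',
                      'SignatureDefinitionUpdateFileSharesSources',
                      'SignatureUpdateInterval') {
        [pscustomobject]@{
            Setting   = $name
            Requested = $Settings[$name]
            Effective = $p.$name
            Match     = ("$($p.$name)" -eq "$($Settings[$name])")
        }
    }
    # Day and time are returned as a day index and a TimeSpan, so just display them
    $p | Select-Object SignatureScheduleDay, SignatureScheduleTime
}

Set-DefenderSignatureUpdatePolicy -Settings $desired | Format-Table -AutoSize
```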
B- On Linux
You can configure your signature update settings using the CLI, the configuration file, or Intune/Defender XDR using Security Settings Management. Signatures can only be retrieved directly from Microsoft.
There is only a single setting available:
CLI: mdatp config automatic_definition_update_enabled --value true/false
Configuration file:
{
    ...
    "cloudService": {
        "enabled": true,
        "diagnosticLevel": "optional",
        "automaticSampleSubmissionConsent": "safe",
        "automaticDefinitionUpdateEnabled": true,
        "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"
    }
}
Intune:
Reference
C -On MacOS
You can configure your signature update settings using the CLI, Microsoft Auto Update, Intune and Defender XDR security settings, or JAMF using Security Settings Management. Signatures can only be retrieved directly from Microsoft.
There is only a single setting available:
CLI: mdatp config automatic_definition_update_enabled --value true/false
MAU:
Intune:
Reference
How do I monitor my update status?
Microsoft Defender XDR is where all the magic happens 🤩.
You will find built-in reports there, and you can get creative with KQL and advanced hunting.
1- Microsoft Antivirus health
You'll find an aggregated and interactive report under Defender XDR > Reports > Device health > Microsoft Antivirus health.
You can customize this view with a rich set of filters.
You can also export this report as CSV and find the current AV engine version and signature update version for each device.
2- Vulnerability management
You can find out-of-date devices in the MDVM recommendations (Defender XDR > Vulnerability management > Recommendations) by looking for:
Update Microsoft Defender for Endpoint core components
Update Microsoft Defender Antivirus definitions
The exposed devices tab will display those out-of-date devices and allow you to export the list.
3- KQL
I'll share a few queries to retrieve the versions of each component, looking more particularly at the DeviceTvmSecureConfigurationAssessment table.
This table contains all the secure configuration assessments from Defender Vulnerability Management (MDVM) detected in your environment. Each item is referenced by a ConfigurationId. To retrieve the details of every item, join it with DeviceTvmSecureConfigurationAssessmentKB as shown below. We will filter that list for update-related items only.
DeviceTvmSecureConfigurationAssessment
| join kind=leftouter (DeviceTvmSecureConfigurationAssessmentKB) on ConfigurationId
| distinct ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact
| sort by ConfigurationId asc
| where ConfigurationName contains "Update"
We will focus on:
- scid-2011: Signature definition updates for Windows OS (we will retrieve all component versions from this item)
- scid-2030: EDR agent update for Windows OS
- scid-5095: Signature definition updates for macOS
- scid-6095: Signature definition updates for Linux
From there we can retrieve all out-of-date devices as follows:
let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsCompliant == 0
//| where OSPlatform contains "WindowsServer"
| join (
DeviceInfo
| summarize by DeviceId,SensorHealthState,RegistryDeviceTag
)
on DeviceId
| where SensorHealthState == "Active"
//| where RegistryDeviceTag startswith "MyTag"
I commented out 2 filters so you can customize the query as required: OS platform and tags (the tags are what the portal refers to as GROUP).
You can also render the non-compliance results as a pie chart, for example:
let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsCompliant == 0
| join (
DeviceInfo
| summarize by DeviceId,SensorHealthState,RegistryDeviceTag
)
on DeviceId
| where SensorHealthState == "Active"
//| summarize by DeviceName,IsCompliant,OSPlatform,ConfigurationSubcategory,sigversion,engversion,platformversion,lastupdatetime
| summarize count() by OSPlatform
|render piechart
To retrieve the component details of your Windows devices, use:
let updateSCID = dynamic (["scid-2011"]);
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID)
//| where OSPlatform contains "WindowsServer2012R2"
| join (
DeviceInfo
| summarize by DeviceId,SensorHealthState,RegistryDeviceTag
)
on DeviceId
| where SensorHealthState == "Active"
| extend avdata=parsejson(Context)
| extend sigversion = tostring(avdata[0][0])
| extend engversion = tostring(avdata[0][1])
| extend platformversion = tostring(avdata[0][3])
| extend lastupdatetime = todatetime(avdata[0][2])
This configuration item carries 4 additional pieces of information in its Context field:
- Signature definition version
- AV engine version
- EDR agent version
- And the last time an update occurred
To retrieve the versions for all platforms:
let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsApplicable
// Context must be parsed before the version columns can be extracted from it
| extend avdata=parsejson(Context)
| extend sigversion = tostring(avdata[0][0])
| extend engversion = tostring(avdata[0][1])
| extend platformversion = tostring(avdata[0][3])
| extend lastupdatetime = todatetime(avdata[0][2])
Regarding the IsCompliant field used in the first 2 queries, Microsoft considers an AV out of date if it hasn't updated for 5 or 7 days (not entirely sure which). We can apply our own threshold using the query below to monitor the signature definition update frequency.
let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
let OutOfDateThreshold = 3d;
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsApplicable
| join (
DeviceInfo
| summarize by DeviceId,SensorHealthState,RegistryDeviceTag
)
on DeviceId
| where SensorHealthState == "Active"
| extend avdata=parsejson(Context)
| extend sigversion = tostring(avdata[0][0])
| extend engversion = tostring(avdata[0][1])
| extend platformversion = tostring(avdata[0][3])
| extend lastupdatetime = todatetime(avdata[0][2])
| where lastupdatetime < ago(OutOfDateThreshold)
| summarize by DeviceId,DeviceName,OSPlatform,sigversion,engversion,platformversion,lastupdatetime
How to automate the monitoring notifications?
Overview
There is no built-in way to schedule and automate the report generation.
Your MDVM logs aren't yet available in Sentinel via the Microsoft Defender XDR connector; however, this is marked as coming soon.
As an alternative, we can use the Graph API and automate the query from an Azure Automation account:
An Azure Automation account connects to the Graph API using a system-assigned managed identity
The Graph advanced hunting API is used to retrieve the out-of-date devices
The Automation account generates a CSV report
The CSV report is stored in blob storage
An email including the CSV report is sent to a shared mailbox / distribution list
Azure Automation account configuration
1- Create an Azure Automation account
2- Enable the system-assigned managed identity
3- Assign the managed identity Graph and Exchange Online permissions using the script provided in my repo:
Required permissions:
ThreatHunting.Read.All
Mail.Send
Exchange.ManagedAsApp
4- Although creating custom Azure roles is not recommended, I wanted to ensure least privilege is respected for any write operation, so I created the following roles by cloning existing roles and removing the unnecessary permissions:
Assigned Role              | Cloned Role                               | Removed Permissions                | Scope
Reader                     | (built-in, not cloned)                    | -                                  | Storage Account
Storage Account Key Reader | Storage Account Key Operator Service Role | Regenerate Storage Account Keys    | Storage Account
Storage Blob Data Appender | Storage Blob Data Contributor             | Delete blob container, Delete blob | Container
Azure Automation Runbook
The runbook is a PowerShell 5.1 script performing the following high-level steps:
Retrieve variables
Query advanced hunting
Export report to storage account
Send email notifications
This script is available in my repo: Monitor-MDEOutOfDateDevice.ps1
You can use Azure Automation variables to store the script variables.
These are the variables:
OutOfDateThreshold: the threshold after which a device is considered out of date. It is used in the KQL query and is in timespan format, such as 1d or 8h
StorageAccountRg: the storage account resource group
StorageAccountName: the storage account name
StorageAccountContainerName: the blob container name
NotificationSenderEmail: the notification sender email, can be a shared mailbox
NotificationRecipientsTo: the list of recipient email addresses separated by ; to be added to the To field
NotificationRecipientsCc: the list of recipient email addresses separated by ; to be added to the Cc field
Based on your schedule, you will receive an email
And find the report in your storage account
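As an added example (not the author's Monitor-MDEOutOfDateDevice.ps1), here is a minimal PowerShell 5.1 runbook that follows the four steps above using the variables just described. It assumes the Az.Accounts, Az.Storage and Microsoft.Graph.Authentication modules are imported into the Automation account, that the managed identity holds the permissions and roles listed earlier, and it sends the mail through the Graph sendMail endpoint (Mail.Send) rather than Exchange Online.

```powershell
# Added example runbook: out-of-date MDE devices -> CSV in blob storage -> email
$threshold = Get-AutomationVariable -Name 'OutOfDateThreshold'          # e.g. '3d'
$rg        = Get-AutomationVariable -Name 'StorageAccountRg'
$saName    = Get-AutomationVariable -Name 'StorageAccountName'
$container = Get-AutomationVariable -Name 'StorageAccountContainerName'
$sender    = Get-AutomationVariable -Name 'NotificationSenderEmail'
$to        = Get-AutomationVariable -Name 'NotificationRecipientsTo'
$cc        = Get-AutomationVariable -Name 'NotificationRecipientsCc'
# The threshold is spliced into KQL, so only accept a plain timespan literal
if ($threshold -notmatch '^\d+[dhm]$') { throw "OutOfDateThreshold '$threshold' is not a KQL timespan" }

# 1. Authenticate Az and Graph with the system-assigned managed identity
Connect-AzAccount -Identity | Out-Null
Connect-MgGraph -Identity -NoWelcome

# 2. Advanced hunting via Graph (ThreatHunting.Read.All), same query as above
$query = @"
let updateSCID = dynamic(["scid-2011","scid-2030","scid-5095","scid-6095"]);
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsApplicable
| join (DeviceInfo | summarize by DeviceId, SensorHealthState) on DeviceId
| where SensorHealthState == "Active"
| extend avdata = parsejson(Context)
| extend sigversion = tostring(avdata[0][0]), engversion = tostring(avdata[0][1]),
         platformversion = tostring(avdata[0][3]), lastupdatetime = todatetime(avdata[0][2])
| where lastupdatetime < ago($threshold)
| summarize by DeviceId, DeviceName, OSPlatform, sigversion, engversion, platformversion, lastupdatetime
"@
$resp = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' -Body @{ Query = $query }
$rows = @($resp.results | ForEach-Object { [pscustomobject]$_ })

# 3. Export the report and append it to the container (no delete permission needed)
$file = Join-Path $env:TEMP ('MDE-OutOfDate-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
$rows | Export-Csv -Path $file -NoTypeInformation
$key  = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $saName)[0].Value   # Key Reader role
$ctx  = New-AzStorageContext -StorageAccountName $saName -StorageAccountKey $key
Set-AzStorageBlobContent -File $file -Container $container -Blob (Split-Path $file -Leaf) -Context $ctx | Out-Null

# 4. Email the CSV to the To/Cc lists (Mail.Send)
$toList = @($to -split ';' | Where-Object { $_ } | ForEach-Object { @{ emailAddress = @{ address = $_.Trim() } } })
$ccList = @($cc -split ';' | Where-Object { $_ } | ForEach-Object { @{ emailAddress = @{ address = $_.Trim() } } })
$mail = @{
    message = @{
        subject      = "MDE out-of-date devices: $($rows.Count) (threshold $threshold)"
        body         = @{ contentType = 'Text'; content = 'See the attached report.' }
        toRecipients = $toList
        ccRecipients = $ccList
        attachments  = @(@{ '@odata.type' = '#microsoft.graph.fileAttachment'; name = (Split-Path $file -Leaf)
                            contentBytes = [Convert]::ToBase64String([IO.File]::ReadAllBytes($file)) })
    }
    saveToSentItems = $false
}
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$sender/sendMail" -Body $mail
```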
Conclusion
I hope this blog helps clarify the MDE update mechanism and gives you food for thought on monitoring and keeping your environment healthy. I used Azure Automation to save the report and send notification emails, but it could also be adapted to create a Teams notification, generate an ITSM ticket or trigger an Azure Logic App. A key strength of MDE is its visibility; combined with the Microsoft ecosystem and a bit of imagination, you can achieve a great deal at a reasonable price.
Thanks for reading!
About William Francillette:
I am a Microsoft Solutions Architect for Threatscape, specialized in Microsoft 365 security and Azure, and passionate about the cloud. I am a big fan of automation, DevOps and PowerShell.
I own a 'few' MS certifications and have worked in IT across multiple and diverse industries for over 15 years now.