By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scan. Scheduling the check for Security Intelligence updates disables this behavior.
Checking for Security Intelligence updates can be scheduled using Configuration Manager, GPO, PowerShell and even WMI. Here is the screenshot from Configuration Manager where "Check for Endpoint Protection security intelligence updates at a specific interval" is set to 0 and "Check for Endpoint Protection security intelligence updates daily at" is set to 2:00 A.M. This means that every day at 2 A.M., security intelligence updates will be checked for and downloaded from one of the configured sources (see the next topic).
Also notice the next setting, "If Configuration Manager is used as a source for security intelligence updates, clients will only update from alternative sources if security intelligence is older than (hours)," which is quite self-explanatory. As mentioned earlier, GPO settings can also be used to define the order of sources for downloading definition updates.
Cloud-delivered protection, or MAPS, can be enabled or disabled using Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app (the Windows Security app is the new GUI for Windows Defender). It is a collection of multiple protection engines that provide near-instant, automated protection against new and emerging threats, and it uses machine learning to deliver that protection to the endpoints. Read more about it right here. Cloud-delivered protection is always on and requires an active connection to the Internet to function. To ensure proper network connectivity is in place, visit configure and validate network connections. There are a number of URLs that need to be allowed through the firewall towards the Internet. The screenshot below is from the same Antimalware policy in Configuration Manager where the settings related to Security Intelligence updates are configured.
As mentioned earlier, GPO can also be used to enable Cloud-delivered protection: Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Defender Antivirus/MAPS
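The PowerShell route to the same settings (daily 2 A.M. check with the interval set to 0, source order, cloud-delivered protection), plus a drift check against the live preferences and Microsoft's own MAPS connectivity test. This is an added example, not code from the original post; the UNC path is a placeholder, and it assumes the built-in Defender module on Windows 10 / Server 2016 or later, run elevated.

```powershell
# Added example (not from the original post). Requires the Defender module; run elevated.
# Enum values are stored numerically so they compare cleanly with Get-MpPreference output.
$Desired = @{
    SignatureScheduleDay    = 0              # 0 = Everyday
    SignatureScheduleTime   = '02:00:00'     # 2:00 A.M. (compared as a string below)
    SignatureUpdateInterval = 0              # 0 = no interval-based checks, schedule only
    # Cmdlet tokens: InternalDefinitionUpdateServer = WSUS, MMPC = Microsoft Malware
    # Protection Center. Configuration Manager as a source is set in the antimalware
    # policy, not through this cmdlet, so it is absent from this order.
    SignatureFallbackOrder  = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares'
    SignatureDefinitionUpdateFileSharesSources = '\\fileserver\DefenderUpdates'   # placeholder UNC
    MAPSReporting           = 2              # 2 = Advanced (cloud-delivered protection on)
    SubmitSamplesConsent    = 1              # 1 = SendSafeSamples
}

function Set-DefenderUpdatePolicy {
    # Apply the desired state in one call.
    Set-MpPreference -SignatureScheduleDay $Desired.SignatureScheduleDay `
        -SignatureScheduleTime $Desired.SignatureScheduleTime `
        -SignatureUpdateInterval $Desired.SignatureUpdateInterval `
        -SignatureFallbackOrder $Desired.SignatureFallbackOrder `
        -SignatureDefinitionUpdateFileSharesSources $Desired.SignatureDefinitionUpdateFileSharesSources `
        -MAPSReporting $Desired.MAPSReporting `
        -SubmitSamplesConsent $Desired.SubmitSamplesConsent
}

function Test-DefenderUpdatePolicy {
    # Emit one object per setting whose live value differs from $Desired (empty = compliant).
    # Useful after a GPO or Configuration Manager policy change to see what actually won.
    $live = Get-MpPreference
    foreach ($name in $Desired.Keys) {
        $expected = [string]$Desired[$name]
        $actual   = [string]$live.$name
        if ($actual -ne $expected) {
            [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual }
        }
    }
}

function Test-MapsConnection {
    # Microsoft's built-in check that the cloud service URLs are reachable through the firewall.
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mpcmd -ValidateMapsConnection | Out-Null
    return ($LASTEXITCODE -eq 0)
}

Set-DefenderUpdatePolicy
Test-DefenderUpdatePolicy
"MAPS reachable: $(Test-MapsConnection)"
```

Run the drift check on a handful of endpoints before assuming a new policy has applied; a mismatch usually means a higher-priority policy source (GPO over local preference, for example) still holds the old value.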
Suppose the sources for Security Intelligence updates (heading no. 2), regardless of where they are configured (GPO, Configuration Manager, PowerShell or WMI), are defined in the following order:
Quite obviously, there is no compulsion to use all five. I have mentioned all of them just for the sake of completeness. The next step is to create a deployment method for the delivery of security intelligence and engine updates to the endpoints. Since Endpoint Configuration Manager is at the top, it will be contacted first. If it fails, the next source in order, which is WSUS, will be contacted, then Microsoft Update, MMPC and finally File Shares.
Configuration Manager Software Updates can be used to automatically deliver security intelligence updates to endpoints. At a high level, this involves creating a Deployment package and an ADR (Automatic Deployment Rule). A Deployment package is like a container that is used to download updates to a file share folder. The source files of the updates are then copied over to the content library on site servers and on distribution points. The images below represent a Deployment package that we will use in the ADR.
As the name suggests, an ADR, or Automatic Deployment Rule, is used for automatic deployment of software and definition updates to a target Collection (a group of devices). The screenshots below represent an ADR that uses the Deployment package from the screenshots above.
Similarly, other sources should be configured.
In the second screenshot at the beginning of this article and the first screenshot under the Cloud-delivered Protection heading, you can see that settings related to Security Intelligence updates and Cloud Protection services were configured. There are many other settings, along with Security Intelligence and Cloud Protection, which make up an Antimalware Policy, such as Scheduled scan, Scan, Exclusions and Threat overrides. The screenshots below represent those settings.
Since Microsoft Defender Antivirus is installed as a core component of Windows 10, Windows Server 2016 and Windows Server 2019, traditional deployment of the Defender Antivirus client is not required. All you have to do is manage Microsoft Defender Antivirus on the endpoints.
With that said, Endpoint Configuration Manager allows you to deploy the Endpoint Protection client to manage Microsoft Defender. This is useful for Windows 8.1 and earlier computers. Windows 10, Windows Server 2016 and Windows Server 2019 do not require any additional client. For these operating systems, a management client for Windows Defender is installed when the Configuration Manager client is installed.
The screenshot below represents the default client setting for Endpoint Protection. You can choose to create custom client settings instead.
Everything we have seen so far is sufficient to protect manually provisioned servers and persistent desktops. PVS (Citrix Provisioning) and MCS provisioned non-persistent machines present a new set of challenges, as the base disk is read-only and the traditional monthly patching of the base disk is not enough to ensure protection against emerging threats.
Defender definition updates are released at least once, and often more than once, per day. Letting updates occur (into the write-cache or differential disk) every time a non-persistent VM is rebooted has an adverse effect on performance, as unpacking the downloaded security intelligence updates consumes CPU and memory on each individual machine. Although security intelligence updates are incremental and small in size due to the frequency of release, they still have an impact on network usage, because the delta (the difference between the latest update and the update installed on the base image) may be large. In short, the older the updates on an endpoint, the larger the download will be. It is also important to understand that the reboot process of a non-persistent VM is a window of opportunity for malware to infect the machine, because the VM is only protected against the malware known to the security intelligence updates that are installed on the base disk.
The best way to contend with all of these obstacles pertaining to non-persistent VMs is to have a VM, a host machine, which downloads and unpacks security intelligence updates at a regular interval onto a file share to be consumed by the non-persistent VMs. This is called the Shared security intelligence update feature. This way, non-persistent VMs do not have to download and unpack security intelligence updates every time they are rebooted, because this CPU/memory/disk/bandwidth intensive process of downloading and unpacking has been offloaded to the host machine. You can enable the Shared security intelligence update feature by enabling the "Define security intelligence location for VDI clients" GPO and then defining the path to the file share.
The last hurdle is to minimize the window of opportunity. This can be dealt with very well using the "Initiate Security Intelligence on startup" and "Check for the latest virus and spyware security intelligence on startup" GPOs. These GPO settings tell VMs to update security intelligence on startup when there is no antimalware engine present, and to check for the latest AV and spyware updates at startup, respectively.
The final and most important step is to configure the startup, shared security intelligence, source order and other optimization GPOs like "Disable scans after an update," "Enable headless UI mode," etc. on the master vDisk or golden image.
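The shared security intelligence and startup settings above, expressed with Set-MpPreference for the golden image, together with two checks a practitioner wants before sealing it: that the share actually carries unpacked signature payload, and what signature version and age the image is about to freeze. This is an added example, not code from the original post or from the referenced article; the share path is a placeholder, the host machine is assumed to already publish updates there, and the *.vdm layout check is an assumption about what the host's unpack step leaves on the share.

```powershell
# Added example (not from the original post). Run elevated on the master vDisk / golden image.
$SharedSignaturePath = '\\fileserver\wdav-update'   # placeholder UNC; maintained by the host machine

function Set-DefenderVdiProfile {
    # "Define security intelligence location for VDI clients": load updates from the share
    # instead of downloading and unpacking them on every rebooted VM.
    Set-MpPreference -SharedSignaturesPath $SharedSignaturePath
    # "Initiate security intelligence update on startup": the parameter is a disable switch,
    # so $false keeps the startup update enabled.
    Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false
    # Catch-up scans make no sense on a machine that is rebuilt at every boot.
    Set-MpPreference -DisableCatchupFullScan $true -DisableCatchupQuickScan $true
    # "Enable headless UI mode": hide the Windows Security UI from VDI users.
    Set-MpPreference -UILockdown $true
    # "Check for the latest ... on startup" and "Disable scans after an update" have no
    # Set-MpPreference switch I know of; keep those in the GPO as the article describes.
}

function Test-SharedSignatureSource {
    # $true when the share is reachable and contains at least one signature file (*.vdm).
    # Assumption: that is what the host's unpack step publishes under the share.
    if (-not (Test-Path -LiteralPath $SharedSignaturePath)) { return $false }
    $vdm = Get-ChildItem -LiteralPath $SharedSignaturePath -Recurse -Filter '*.vdm' `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    return [bool]$vdm
}

function Get-SignatureFreshness {
    # The delta a rebooted VM would otherwise download grows with signature age, so
    # report what the image carries right now, alongside the share check.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        SignatureVersion = $s.AntivirusSignatureVersion
        LastUpdated      = $s.AntivirusSignatureLastUpdated
        AgeDays          = $s.AntivirusSignatureAge
        EngineVersion    = $s.AMEngineVersion
        SharedPathOk     = Test-SharedSignatureSource
    }
}

Set-DefenderVdiProfile
Get-SignatureFreshness
```

Seal the image only when SharedPathOk is true and AgeDays is small; an old signature set baked into the base disk is exactly the reboot window of opportunity described above.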
The procedure to implement Microsoft Windows Defender for Citrix Virtual Apps and Desktops non-persistent VMs is already available in this tech community article by Jesse Esquivel, so I have decided not to re-write or re-phrase the instructions here. In addition, I don't think I can build a better mousetrap, because when I first deployed this solution, I followed the same article.
Please feel free to post your queries in the comment section or reach out to me directly.