Microsoft Defender Delayed Updates
During the massive CrowdStrike outage, CISOs and many security managers asked me about delaying updates in Microsoft Defender. This article discusses the available options. Still, you should decide what is best for your organization and technological environment.
One update to rule them all! Who will guard the guards?
The recent CrowdStrike event, perhaps the most extensive IT failure in history, reopened the discussion about dependence on security providers, risk management, effects, and consequences.
Undoubtedly, the update that was released and then crashed hundreds of thousands of organizations worldwide, small and large, whether the impact was minimal or critical, led many CISOs, security managers, and others to raise the conversation again.
The conversation raised many essential topics and issues. Here are several of the many:
– Risk management with security providers.
– Rejecting immediate updates.
– Pausing updates for a certain period or using ring models.
– Updates in a testing environment.
– Possibility of disaster recovery in extreme situations (after a failed update).
The glitch that happened to CrowdStrike can happen to any vendor. Moreover, it has already happened to some security vendors, including BSOD situations, although not to such an extent. Most organizations do not know what is included in an update or how much impact it can have on a server or workstation. They move on because there are more important things. Is that really the case?
Delaying updates in SaaS platforms is interesting because this is not possible with most security providers. Perhaps this will change following the demand of security managers and organizations.
Risk is here and not from a security perspective
One of the topics that came up was risk management, not security aspects. As we know, risk management involves detecting risks, measuring them, deciding on the type of response to be given to them, and paying attention to and constantly monitoring them. As such, it must be maintained continuously to reduce the impact of risks on achieving the company’s goals.
Risk management in the organization will improve internal controls and streamline work processes, reduce operational risks and risks of embezzlement and fraud, allow greater transparency of information and knowledge, and allow a high degree of supervision and control over the activities of the organization’s employees.
Now, let’s consider risk management from a different angle. We do not have complete control over what is happening as an organization. How do we manage such a risk? Can we communicate what is being done?
Postponing updates for Microsoft Defender XDR (Extended Detection and Response) can pose several risks and issues, significantly impacting an organization’s security posture and operational effectiveness. Key risks and issues to consider include vulnerability exposure, reduced threat detection and response capabilities, compliance and regulatory issues, and an increased attack surface. Delays can also cause operational disruptions, resource drains, and so on.
What should be the balance between security, operation, and impacts? Microsoft Defender XDR delivers some of its tools as agents; others are API-based. What can we do with the existing Defender XDR? Which platform could be delayed? What control do we have? How can we ensure security while lowering the risk of operational issues?
Microsoft Defender Postpone Update
Some Microsoft Defender components, mainly Microsoft Defender for Identity (MDI) and Microsoft Defender Antivirus (MDAV), allow updates to be postponed. Below are tips and actions on how to delay them.
Defender for Identity Sensors
Microsoft Defender for Identity works with a local sensor required on each domain controller. The strong recommendation is full coverage of all DCs in the Active Directory environment, nothing less. That means we can have many MDI sensors.
Defender for Identity sensor update types
Microsoft Defender for Identity sensors support two kinds of updates:
- Minor version updates:
  - Frequent
  - Require no MSI install and no registry changes
  - Restarted: Defender for Identity sensor services
- Major version updates:
  - Rare
  - Contain significant changes
  - Restarted: Defender for Identity sensor services
Given the rapid speed of ongoing Defender for Identity development and release updates, you may define a subset of your sensors as a delayed update ring, allowing for a gradual sensor update process. Defender for Identity lets you choose how your sensors are updated and set each sensor as a Delayed update candidate.
Sensors not selected for the delayed update are updated automatically each time the Defender for Identity service is updated. Sensors set to Delayed update are updated 72 hours after the official release of each service update.
The delayed update option enables you to select specific sensors as an automatic update ring, on which all updates are rolled out automatically. You can then set the rest of your sensors to update on delay, giving you time to confirm that the automatically updated sensors were successful.
Note: MDI sensors selected for delayed updates start their update process 72 hours after updating the Defender for Identity cloud service. These sensors will then use the same update process as automatically updated sensors.
Delayed Updates Settings
The delayed updates of the MDI sensors are a quick action on the Microsoft Defender XDR portal. The sync might take a few minutes once the setting is moved to the delayed update option.

Note: There is no impact on Domain Controllers after this change. Still, check it in a controlled manner.

More information about Microsoft Defender for Identity sensors and delayed updates.
MDI Sensor Update Experience
Go to the ‘C:\Program Files\Azure Advanced Threat Protection Sensor’ folder to check the MDI update.
Then, go to the Log folder in the specific version and check the log ‘Microsoft.Tri.Sensor.Updater.log’.

The Microsoft.Tri.Sensor.Updater.log is written by the sensor updater process, which automatically updates the Defender for Identity sensor if configured.
The configuration changes will also appear in the primary log, ‘Microsoft.Tri.Sensor.log’.
Microsoft Defender Antivirus (MDAV)
The updates for Microsoft Defender Antivirus are divided into three different update types, each with a different update cadence. The table below provides an overview of those update types. The updates come out in release cycles: monthly engine/platform updates and daily security intelligence updates.
| Update type | Cadence | Description |
|---|---|---|
| Engine updates | Monthly | This update type contains new engine updates provided with the security intelligence updates. |
| Platform updates | Monthly | This update type contains new platform updates. |
| Security intelligence updates | Daily (multiple) | This update type contains new security intelligence updates (definitions). |
Monthly Update Channels
You can assign a machine to an update channel to define the cadence in which a machine receives monthly engine and platform updates.

To get that under more control, you can manage the update channel for your environment. The table below provides the values of the update channels and the relation between the channels and the different update types. You configure the required value in Microsoft Intune, Group Policy, SCCM, or any other device management platform.
| Updates channel | Value | Update type |
|---|---|---|
| Not configured (Default) | 0 | Engine updates, platform updates, security intelligence updates |
| Beta Channel – Prerelease | 2 | Engine updates, platform updates |
| Current Channel (Preview) | 3 | Engine updates, platform updates |
| Current Channel (Staged) | 4 | Engine updates, platform updates, security intelligence updates |
| Current Channel (Broad) | 5 | Engine updates, platform updates, security intelligence updates |
| Critical – Time delay | 6 | Engine updates, platform updates |
The two options suitable for delaying updates are:
- Current Channel (Broad): Get updates at the end of the gradual release. Devices are offered updates only after the gradual release cycle is complete. This can be applied to a broad set of devices in your production population.
- Critical (Time Delay): Devices are offered updates with a 48-hour delay. This option is best for devices with limited updates and critical environments only.
Security Intelligence Update Channels
You can also assign a machine to a channel to define the cadence in which it receives signature, definition, or daily updates. Unlike the monthly process, there’s no Beta channel, and this gradual release cycle occurs multiple times daily.

Microsoft recommendations: In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This option provides the best balance between protection and possible impact associated with the changes they can introduce.
Gradual Rollout
When planning for gradual release, please always have a selection of devices subscribed to the preview and staged channels. This will allow your organization and Microsoft to prevent or find and fix issues specific to your environment.
- Multiple update channels are available to gradually roll out the different update types.
- The number of available update channels is related to the update cadence.
- The monthly updates provide many channels to gradually roll out those updates throughout the environment.
- The daily updates provide fewer available update channels simply because of the importance of those updates and the quick turnaround time.
Create a custom gradual rollout process for Microsoft Defender updates.
Configuring Defender Antivirus Updates Channels
The Microsoft Defender Antivirus updates channels’ configuration starts with the Antivirus policies. Those policies now also include the Defender Update controls profile, which can be used to easily configure the channels. The settings within that profile rely on the Defender CSP and are now available via the Settings Catalog. The following eight steps walk through the configuration using the new Defender Update controls profile.
- Engine Updates Channel: Select the channel for the engine updates needed for the assigned devices by choosing from the available channels as described in the table above.
- Platform Updates Channel: Select the channel for the platform updates needed for the assigned devices by choosing from the available channels as described in the table above.
- Security Intelligence Updates Channel: As described in the table above, select the channel for the security intelligence updates needed for the assigned devices.
In Microsoft Intune, the channel can be set to “Critical: Time Delay” for Windows 10 and later.


You should complete the policy and apply it to the required devices.
Note: The channel depends on your systems and can be changed in each environment. This means it can be configured as Current Channel (Broad) or another channel.
Windows Client Experience
Once the Windows Update or the MDAV update occurs, you can check which Windows client received the update, the policy version, etc.
From PowerShell, you can check this with the Get-MpPreference cmdlet and its channel-related settings.

The image above shows the default setting. Changes should be made using the Intune policy or an equivalent management platform.
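As an added example (not from the original article), the PowerShell audit below reads the three channel settings with Get-MpPreference, maps their numeric values to the channel names from the table above, and reports the installed platform, engine and signature versions from Get-MpComputerStatus. The function names are my own; it only reports and changes nothing.

```powershell
# Added example (not from the original article): audit the MDAV update-channel
# assignment and current versions on the local device.
# Channel values and names follow the table in the article.
$ChannelNames = @{
    0 = 'Not configured (Default)'
    2 = 'Beta Channel - Prerelease'
    3 = 'Current Channel (Preview)'
    4 = 'Current Channel (Staged)'
    5 = 'Current Channel (Broad)'
    6 = 'Critical - Time delay'
}

function Resolve-ChannelName {
    param($Value)
    # Get-MpPreference normally reports the numeric value; accept a name as well.
    if ($Value -is [string] -and $Value -notmatch '^\d+$') { return $Value }
    $n = [int]$Value
    if ($ChannelNames.ContainsKey($n)) { return $ChannelNames[$n] }
    return "Unknown ($n)"
}

function Get-MdavUpdateChannelReport {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $engine   = Resolve-ChannelName $pref.EngineUpdatesChannel
    $platform = Resolve-ChannelName $pref.PlatformUpdatesChannel
    $sigs     = Resolve-ChannelName $pref.SecurityIntelligenceUpdatesChannel
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineChannel    = $engine
        PlatformChannel  = $platform
        SecIntelChannel  = $sigs
        # Broad or Critical - Time delay means the device is on a delayed ring
        EngineDelayed    = ($engine   -match 'Broad|Time delay')
        PlatformDelayed  = ($platform -match 'Broad|Time delay')
        PlatformVersion  = $status.AMProductVersion
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
    }
}

Get-MdavUpdateChannelReport | Format-List
```

Running it on a device that still shows "Not configured (Default)" for all three channels tells you the Intune or Group Policy setting has not yet applied.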
Compare the version between the Cloud and the Client
Devices can be on different versions. If you want to see the latest version, you can do so through the REST API with the command:

What if you want to compare the device and cloud versions? You can run the following script.

MDAV local and Cloud version comparison PowerShell script
```powershell
# Step 1: Retrieve the list of versions from the provided URI
$uri = "https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info"
$response = Invoke-RestMethod -Uri $uri
$versions = $response | Select-Object -ExpandProperty versions

# Step 2: Get the current Windows AV version installed on your system
$currentAVVersion = (Get-MpComputerStatus).AMProductVersion

# Step 3: Compare the current AV version with the retrieved versions
$matchFound = $false
foreach ($version in $versions) {
    if ($currentAVVersion -eq $version) {
        Write-Output "Match found: Current AV version ($currentAVVersion) matches version from server ($version)"
        $matchFound = $true
    }
}
if (-not $matchFound) {
    Write-Output "No match found: Current AV version ($currentAVVersion) does not match any version from server."
}
```
Endpoint AV version report with KQL
The query from the Microsoft-365-Defender-Hunting-Queries provides an MDAV report. With a few changes, it can be refined to produce more accurate results.

MDAV Update Folder
The updates will be in the following folder: C:\ProgramData\Microsoft\Windows Defender\Platform.

Updates Highlights
- Platform updates can be temporarily postponed if other protection features, such as Endpoint DLP or Device Control, are actively monitoring running processes. They are retried after a reboot or when all monitored services are stopped.
- Monthly updates are released in phases, resulting in multiple packages visible in your Update Services.
- Inside the Updates: The update may contain Performance improvements, Serviceability improvements, and Integration improvements (Cloud, Microsoft Defender XDR).
- Security and Critical Updates servicing phase – When running the latest platform and engine version, you can receive Security and Critical updates to the anti-malware platform.
How to roll back an update
If you encounter issues after a platform update, you can roll back to the Microsoft Defender platform’s previous or inbox version.
- To roll back to the previous version, run the following command: "%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -RevertPlatform
- To roll back this update to the version shipped with the operating system: "%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -ResetPlatform
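An added example, not from the original article: a PowerShell helper that lists the version folders under the Platform directory named above, marks the active one by matching AMProductVersion, and wraps the two MpCmdRun.exe rollback switches behind -WhatIf/-Confirm so the command is reviewed before it runs. The function names are my own, and it assumes each folder name starts with the platform version (a suffix such as -0 is tolerated); run it elevated.

```powershell
# Added example (not from the original article): inventory MDAV platform
# folders and run the rollback described in the article in a controlled way.
$PlatformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

function Get-MdavPlatformVersions {
    # AMProductVersion is the platform version currently loaded by the service
    $active = (Get-MpComputerStatus).AMProductVersion
    Get-ChildItem -Path $PlatformRoot -Directory | ForEach-Object {
        [pscustomobject]@{
            Version   = $_.Name
            Active    = ($_.Name -like "$active*")   # assumption: folder starts with version
            Installed = $_.CreationTime
            HasMpCmd  = Test-Path (Join-Path $_.FullName 'MpCmdRun.exe')
        }
    } | Sort-Object { [version]($_.Version -replace '-.*$') } -Descending
}

function Invoke-MdavPlatformRollback {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # -ToInbox uses -ResetPlatform (OS-shipped version) instead of -RevertPlatform
        [switch]$ToInbox
    )
    $current = Get-MdavPlatformVersions | Where-Object Active | Select-Object -First 1
    if (-not $current) { throw 'Could not identify the active platform folder.' }
    $exe = Join-Path (Join-Path $PlatformRoot $current.Version) 'MpCmdRun.exe'
    $arg = if ($ToInbox) { '-ResetPlatform' } else { '-RevertPlatform' }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "$exe $arg")) {
        & $exe $arg
        # Re-read the platform version so the rollback can be verified immediately
        (Get-MpComputerStatus).AMProductVersion
    }
}

Get-MdavPlatformVersions | Format-Table -AutoSize
Invoke-MdavPlatformRollback -WhatIf    # preview only; drop -WhatIf to roll back
```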