• Automatic virus definition updates for Defender


    #2348456

    In #2348367, @Bob99 wrote:

    You can use GP to edit the behavior of Windows Defender in terms of automatically updating itself, so that it automatically updates itself after each time the computer starts and the Windows Defender service starts.

    However, I haven’t seen an entry that would dictate that Windows Defender should check for updates, say, every 2 or 4 hours. If that type of setting exists, I’d be very interested in seeing it and just maybe tweaking it a bit.

    If you’re confident in looking into the group policy editor, I can tell you just where the entry lies that will allow your copy of Windows Defender to automatically update itself every time the computer and its service restart.

    @Bob99 – I have no problem in using the group policy editor, so I would appreciate knowing where to find the setting that directs Defender to update its virus definitions automatically every time the computer starts.

    However, if Defender already receives virus definition updates automatically and regularly even when GP=2 (Configure Automatic Updates in the group policy editor set to “Enabled” with a value of “2” (Notify)), what is the point of this additional setting?

    • #2348477

      However, if Defender already receives virus definition updates automatically and regularly even when GP=2 (Configure Automatic Updates in the group policy editor set to “Enabled” with a value of “2” (Notify)), what is the point of this additional setting?

      The Group Policy setting to notify download/install (“2”) controls the action of Windows Update where it pertains to Cumulative Updates, Servicing Stacks, .Net Cumulative Updates (not necessarily Previews), updates for other MS products, etc. It prevents the automatic download of the updates from the Windows Update queue until the “Download” button (NOT “check for updates”) is clicked. The updates remain in the queue, giving the user control over updating that the on-off function of “Pause” does not give.
      If you use this function, you should NOT also use Pause. If you use Pause in addition to “2,” when you “Resume updates,” it will ignore the “2” (notify) and immediately begin the download/install of updates. This is explained in AKB2000016.

      In my experience, the Defender updates will go ahead and install regardless of the “2” setting.

    • #2348490

      I wasn’t planning to use Pause anyway, and I have read AKB2000016 a number of times.

      However, the information in your last sentence was good to read. Thank you.

    • #2348521

      Hi @TonyC !

      You’re going to want to go to the following location to enable Windows Defender to automatically check for updates every time the computer starts and the Windows Defender service starts:

      Local Computer Policy>Administrative Templates>Windows Components>Microsoft Defender Antivirus>Security Intelligence Updates

      All of those are folder names within Group Policy. Once you’re in the Security Intelligence Updates folder, you’ll see a list of policies/preferences. Go down the list to the very last one. It should be labeled “Check for the latest virus and spyware security intelligence on startup”. This is the only one you need to change. Double click on that policy name to bring up its properties box, and click the “Enabled” setting and then click “OK”. Then close the policy editor.

      A word of caution, though. There is a similarly-named setting a ways above the one I just mentioned, and it’s called “Initiate security intelligence update on startup”. This one should be left set to “Not configured”, as that will make things work just fine. Per the explanation that accompanies it, “If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present.”

      R/

      Bob99

      • #2348750

        @Bob99

        Thank you. When I connect to the Internet for the first time, I’m just going to have to wait and see what happens. But, before I connect for the first time, I will ensure Defender’s virus definitions are up to date by running the latest mpam-fe.exe file. Then, every time I log on subsequently, I will check to see whether Defender’s virus definitions are being updated automatically.

        If it transpires that they are not being updated automatically, I will try your suggestion. If that doesn’t work, then I will have to revert to my original plan of writing a batch script to do the job and scheduling it to run on a regular basis.

        I have also glanced at the “Initiate security intelligence update on startup” setting in gpedit, but I don’t really understand its description.

        • This reply was modified 4 years, 2 months ago by TonyC.
    • #2348585

      Personally I would just use the PowerShell Update-MpSignature cmdlet. That’s what it’s there for.

      Hope this helps…

      • #2348658

        I was originally under the impression that, if GP=2 (Configure Automatic Updates in the group policy editor set to “Enabled” with the value “2” (Notify)), Defender would not receive virus definition updates automatically. I was therefore preparing to configure a scheduled task to run a batch script containing the sequence of commands documented in https://www.microsoft.com/en-us/wdsi/defenderupdates. This sequence uses the MpCmdRun.exe command, not the PowerShell cmdlet that you mentioned.

        Two queries:

        • If, as others have indicated, Defender still receives virus definition updates automatically despite the setting GP=2, what is the point of doing anything else?
        • I’m not familiar with PowerShell cmdlets. Does the use of the cmdlet that you mentioned have any distinct advantage over the MpCmdRun.exe command?
        • #2348724

          I’m not familiar with PowerShell cmdlets. Does the use of the cmdlet that you mentioned have any distinct advantage over the MpCmdRun.exe command?

          No advantage at all. Just different methods of calling the exact same functionality. If you’re more comfortable with MpCmdRun.exe and a batch script then IMO they are easier to schedule than PowerShell cmdlets.

          • #2348731

            Thank you for your contribution. Yes, I guess it is a matter of what you are comfortable with. I’ve written many batch scripts in my time.
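
As an added example that is not from this thread, here is the PowerShell form of the scheduled-update plan discussed in the last two posts: refresh the signatures with Update-MpSignature (the same engine path as MpCmdRun.exe -SignatureUpdate), confirm the signature version and age from Get-MpComputerStatus, and register a recurring task. The 4-hour interval and the task name are choices made for this example, and it assumes the built-in Defender and ScheduledTasks modules on Windows 10, run from an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread. Run elevated on Windows 10.
# Assumes the Defender module (Update-MpSignature, Get-MpComputerStatus,
# Set-MpPreference) and the ScheduledTasks module are present.

function Update-DefenderSignatures {
    # Snapshot the signature version before and after so the result is verifiable,
    # rather than trusting that the update "ran".
    $before = Get-MpComputerStatus
    try {
        # Equivalent to: "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
        Update-MpSignature -ErrorAction Stop
    } catch {
        Write-Warning "Signature update failed: $($_.Exception.Message)"
        return $null
    }
    $after = Get-MpComputerStatus
    [pscustomobject]@{
        VersionBefore = $before.AntivirusSignatureVersion
        VersionAfter  = $after.AntivirusSignatureVersion
        LastUpdated   = $after.AntivirusSignatureLastUpdated
        AgeHours      = [math]::Round(((Get-Date) - $after.AntivirusSignatureLastUpdated).TotalHours, 1)
    }
}

# Defender's own periodic check, in hours (1..24). This is the same knob as the
# "Specify the interval to check for security intelligence updates" policy in the
# Security Intelligence Updates folder; the value 4 is this example's choice.
Set-MpPreference -SignatureUpdateInterval 4

# Belt-and-braces: a scheduled task that repeats every 4 hours, the PowerShell
# counterpart of scheduling a batch file that calls MpCmdRun.exe.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -Command "Update-MpSignature"'
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
    -RepetitionInterval (New-TimeSpan -Hours 4) -RepetitionDuration ([TimeSpan]::MaxValue)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Defender signature refresh (example)' `
    -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# Run once now and show what changed; an AgeHours value that keeps growing across
# logons is the sign that automatic updates are not happening.
Update-DefenderSignatures | Format-List
```

Checking Get-MpComputerStatus after a few logons, as TonyC planned, tells you whether the built-in updater is working without any task at all; the task is only a fallback if it is not.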
