'3 – Auto download and notify for install' + 'Allow Automatic Updates immediate installation'

  • Question

  • We have configured a group policy for WSUS.
    'Configure Automatic Updates' is enabled with option '3 – Auto download and notify for install' and 'Allow Automatic Updates immediate installation' is also enabled.
    In WSUS we auto approve all definition updates.

    We would have thought that with these settings Windows Defender definition updates would auto-install on our workstations, but this is not the case.
    These Windows Defender definition updates act the same way as all other updates: Auto download and notify for install.

    What are we doing wrong?
    What do we have to do to have Windows Defender definition updates auto download and auto install?

    Tuesday, March 13, 2018 11:40 AM

All replies

  • In order to automatically download and install updates, you don’t need to do anything about the GPO 'Configure Automatic Updates'; just set it to Not Configured.

    Enable 'Allow Automatic Updates immediate installation' and updates should install immediately (including Defender definition updates).

    >>Windows Defender definition updates act the same way as all other updates.

    Yes, your thought is right.

    For WSUS environment, try this method:

    How to use Windows Server Update Services (WSUS) to deploy definition updates to computers that are running Windows Defender

    https://support.microsoft.com/en-sg/help/919772/how-to-use-windows-server-update-services-wsus-to-deploy-definition-up

    Regards


    Wednesday, March 14, 2018 1:40 AM
    Moderator
  • We have configured WSUS as described in your link.
    What we would like to achieve is that our users can install the (monthly) security updates when it suits them; only the definition updates should install automatically without user interaction.

    We thought that this was possible with the Configure Automatic Updates policy enabled with option '3 – Auto download and notify for install' and the Allow Automatic Updates immediate installation policy enabled.
    But this does not seem to work: the users get a notification that they have to install the definition updates, the same as with other updates.

    Wednesday, March 14, 2018 3:23 PM
  • I'm having issues with GPO as well, but not exactly the same as you. In my instance I have notify for download and notify for install, which doesn't always work.

    My thread

    But in my thread I added my observation about virus definition updates.

    What I noticed is that virus definitions do auto update, even though Windows is set to notify for updates. But virus definitions will only auto update until other Windows updates become available, then it stops. So, as soon as other updates are discovered, it stops auto updating the virus definitions.

    The behavior seems to be very inconsistent when using a GPO to control the updates.

    Wednesday, March 14, 2018 4:05 PM
  • We have just begun adding Windows 10 PCs to our local network and are seeing the same behavior you described. The odd thing is that on our Windows 7 PCs, these same GPO settings allow the Defender updates to automatically install.

    Monday, March 26, 2018 8:31 PM
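
To confirm which of the two policies discussed in this thread actually reached a workstation, and how stale its Defender definitions are, a read-only check like the following can be run on the client. It is an added example, not part of any post above; the registry value names (`AUOptions`, `AutoInstallMinorUpdates`, `WUServer`) are the standard Windows Update policy values and are not taken from the thread.

```powershell
# Added diagnostic example: reads policy state only, changes nothing.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Meaning of the 'Configure Automatic Updates' option stored in AUOptions.
$auOptionText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$auOptions = Get-PolicyValue $auKey 'AUOptions'
$immediate = Get-PolicyValue $auKey 'AutoInstallMinorUpdates'
$wsus      = Get-PolicyValue $wuKey 'WUServer'

$configureAu = if ($null -eq $auOptions) { 'Not Configured' }
               elseif ($auOptionText.ContainsKey([int]$auOptions)) { $auOptionText[[int]$auOptions] }
               else { "Unknown value $auOptions" }

$immediateInstall = if ($null -eq $immediate) { 'Not Configured' }
                    elseif ($immediate -eq 1) { 'Enabled' }
                    else { 'Disabled' }

# Defender definition freshness; the cmdlet is missing if Defender is not installed.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigVersion = $mp.AntivirusSignatureVersion
    $sigUpdated = $mp.AntivirusSignatureLastUpdated
    $sigAgeDays = $mp.AntivirusSignatureAge
} catch {
    $sigVersion = $sigUpdated = $sigAgeDays = 'Defender status unavailable'
}

[pscustomobject]@{
    ConfigureAutomaticUpdates = $configureAu
    ImmediateInstallation     = $immediateInstall
    WsusServer                = if ($wsus) { $wsus } else { 'Not Configured' }
    DefenderSignatureVersion  = $sigVersion
    DefenderSignatureUpdated  = $sigUpdated
    DefenderSignatureAgeDays  = $sigAgeDays
} | Format-List
```

Running it on a Windows 7 and a Windows 10 client that receive the same GPO shows whether the policy values match while the signature age differs, which is the situation the last reply describes.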