Definition Update for Windows Defender

  • Question

  • Hi.

    I’m running a bunch of Windows Server 2016 machines. They all use WSUS to report their Windows Update level, but sadly for me they never report 100% patched in WSUS, because there is always a new “Definition Update for Windows Defender” pending install. Has anyone found any way to have those install automatically? The only idea I have right now is to run the “Update-MpSignature” PowerShell command via a scheduled task multiple times a day.

    Does anyone have any suggestions on this? (P.S. I don’t have SCCM.)

    Thank you.

    Thursday, December 14, 2017 5:09 PM

All replies

  • Using GPO, enable the 'Allow Automatic Update Immediate Installation' and those definition updates should install immediately.

    Change the frequency of detection to an appropriate time depending on how you have your WSUS Sync Setup. (once a day or multiple times a day)


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Friday, December 15, 2017 1:37 AM
  • Hi.

    I can’t use this option because all the other updates must be installed manually.

    Thank you.

    Friday, December 15, 2017 2:49 AM
    >>Hi.
    >>I can’t use this option because all the other updates must be installed manually.
    >>Thank you.

    Why do they have to be installed manually?

    Change how you think; change your life!

    Set updates to install daily at a time where people ARE using their computer (like 3pm or 4pm). Set the allow automatic immediate installation. Set for the systems to reboot outside of active hours.

    DO NOT auto approve updates to WSUS (except for your definition files)

    Manually approve your updates to your test group(s) (assuming you have them). Wait for the systems to check in, download and install the updates, and reboot outside of active hours. While the testing is going on, all definition updates are being approved and distributed to clients. Once testing is done, approve the updates to your production group and let the systems update and reboot outside of active hours.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Friday, December 15, 2017 2:59 AM
  • This way is efficient (I take less than 15 min a month approving updates).

    As for the WSUS maintenance that one should be performing regularly, which would normally take up more time: have a peek at my Adamj Clean-WSUS script. It is the last WSUS script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only, if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Friday, December 15, 2017 3:01 AM
    >>Hi.
    >>I can’t use this option because all the other updates must be installed manually.
    >>Thank you.

    Hi,

    >>The only idea I have right now is to run the “Update-MpSignature” PowerShell command via a scheduled task multiple times a day.

    If you cannot enable that GPO, I'm afraid using a scheduled task might be the only option to cover your needs, as you mentioned.

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 15, 2017 5:27 AM
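    As an added example (not code from the thread or from either poster), one way to implement the scheduled-task approach the OP describes and Elton endorses, in PowerShell. The task name, the 4-hour interval, the update source and the freshness threshold are assumptions; it assumes Windows Server 2016 with the built-in Defender and ScheduledTasks modules.

```powershell
# Added example, not code from the thread: register a SYSTEM scheduled task
# that refreshes Defender definitions every 4 hours, plus a freshness check.
# Assumes Windows Server 2016 with the Defender and ScheduledTasks modules.
# Task name, interval, update source and threshold are assumptions.

$TaskName = 'Defender-Definition-Refresh'   # assumed task name

# InternalDefinitionUpdateServer pulls definitions from WSUS (they must be
# approved there); MicrosoftUpdateServer fetches definitions directly from
# Microsoft Update while every other update stays on manual approval.
$UpdateCommand = 'Update-MpSignature -UpdateSource MicrosoftUpdateServer'

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -Command `"$UpdateCommand`""

# Start at the top of the next hour and repeat every 4 hours indefinitely
# ([TimeSpan]::MaxValue is the "indefinite" duration on Server 2016 / PS 5.1).
$Start   = (Get-Date).Date.AddHours((Get-Date).Hour + 1)
$Trigger = New-ScheduledTaskTrigger -Once -At $Start `
    -RepetitionInterval (New-TimeSpan -Hours 4) `
    -RepetitionDuration ([TimeSpan]::MaxValue)

# Run as SYSTEM: no stored credentials, and enough rights to update signatures.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Catch up a missed run, never overlap runs, and cap the runtime.
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Verification helper: reports signature age so stale servers stand out,
# e.g. when run via Invoke-Command against the whole server list.
function Test-DefenderSignatureFresh {
    param([int]$MaxAgeDays = 1)   # assumed freshness threshold (days)
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LastUpdated  = $status.AntivirusSignatureLastUpdated
        AgeDays      = $status.AntivirusSignatureAge
        Fresh        = ($status.AntivirusSignatureAge -le $MaxAgeDays)
    }
}

Test-DefenderSignatureFresh
```

    Align the repetition interval with the WSUS detection frequency so the next client scan reports the definitions as current.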
  • Adam, your answers are not useful at all. I must install the updates manually for business reasons. At least Elton answered correctly.

    Does anyone else have any ideas?

    Friday, December 15, 2017 12:53 PM
    >>Adam, your answers are not useful at all. I must install the updates manually for business reasons. At least Elton answered correctly.
    >>Does anyone else have any ideas?

    I will stop posting in this thread, but before I do, I'd like to make an analogy. Take DHCP reservations: why use DHCP reservations when you could use static IPs instead? They accomplish the same goal, the same IP all the time for the client. They do it differently, but accomplish the same goal. The difference is when you need to change something, like DNS or maybe even the IP scope. The manual way requires a manual change on EVERY statically assigned system. The one through DHCP reservations requires a change on the scope, and nothing else other than time (or a reboot), making the reservations MUCH easier to manage when needed. My thought process is 'outside' the box, we'll say, but it accomplishes the same goals.

    I hope you find the answer you're looking for.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Friday, December 15, 2017 1:21 PM