Last week I shared in a blog post how we can easily create ring deployment groups in Entra ID. Today’s blog post describes how we can create different update policies to deploy updates for Microsoft Defender in a managed way.
Keeping Microsoft Defender up to date is critical to keep our devices secure, but as with all updates we want to control the roll-out of these updates in a managed way, so not all our devices receive the update on the same time. This to avoid an outage of all our devices when a faulty update is deployed.
Different Microsoft Defender updates
Microsoft Defender consists of multiple parts that need to be updated frequently. We have options to control the update channels for Defender platform and engines updates, which receive updates once per month.
Besides that we have the security intelligence updates, which are updated multiple times a day.
The platform updates are update to the overall Defender infrastructure, including new feature, OS level integration, bug fixes and improvements. These updates are provided in KB4052623.
The engine updates, are updates to the core scanning engine that detects and removes malware.
The security intelligence updates are the frequent updates that provide the latest threat definitions and detection logic. Therefor these updates are provided multiples times a day via KB2267602.
Defender update channels
We have different update channels available for the platform, engine and security intelligence updates.
The platform and security intelligence updates come once a month and for these we have 5 difference channels available (besides the default unconfigured option).
For the daily security intelligence we have two update channels available.
The platform and engine update channels:
| Channel | Description | Recommended use | Rollout timing |
| Beta Channel | Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. | Manual test environments, few devices of IT employees | Day 0 |
| Current Channel (Preview) | Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. | Pilot devices | Shortly after Beta |
| Current Channel (Staged) | Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population. | ~10% of production devices | After Preview |
| Current Channel (Broad) | Final stage. Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population | ~10–100% of production devices | After Staged completes |
| Critical – Time Delay | Receives updates 48 hours later than Broad. Used for critical systems. | Critical or sensitive environments | 48 hours post-rollout |
| Default (Unconfigured) | The device will stay up to date automatically during the gradual release cycle. | Most general-purpose devices | Auto-managed |
In the blog post I shared about creating ring deployment groups, we have 5 ring groups. These consist of 1 test, 1 pilot and 3 production groups. We also have 5 different update channels for the platform and engine updates, but I don’t consider the Critical – Time delay channel as suitable for these 5 groups as that channel is only meant for very critical sensitive devices. In case we need to use this channel, we would create an additional group to make sure we can exclude the device from the other deployments.
The security intelligence update channels:
| Channel | Description | Recommended Use | Rollout timing |
| Current Channel (Staged) | Midway through rollout. Used for a small portion of production devices. | ~10% of production devices | Receives updates first, shortly after internal validation |
| Current Channel (Broad) | Final stage. Used for most production devices. | ~10–100% of production devices | Receives updates after staged rollout (and shows no critical issues) |
| Default (Unconfigured) | Devices follow the standard gradual rollout automatically. | Most general-purpose devices | Auto-managed |
As you can see we don’t have much options to create different update rings for security intelligence updates, as we only have Current channel staged and broad. This is not very surprising since these updates should be rolled out as soon as possible.
But still in a managed environment we want to manage the update channel for our devices, even if you want to add all your devices in one channels as there is not that much of a difference in roll-out. This is because Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle when the update channel is unconfigured. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment. This means that critical devices can receive security intelligence updates in a very early stage, which might be unwanted.
Defender update ring policies
I choose to create 4 different Defender update policies, as we have 4 different monthly update channels. As we have only 2 different update channels for the daily updates, we need to make a decisions how to implement these channels. And we need to make a decision in how to use our production groups. I choose to assign production groups 4 and 5 to the Defender ring 4 policy, as Microsoft describes to assign the Current channel staged to ~10% of the devices, which is about the number of devices in the ring 3 group.
| Policy name | Platform updates channel | Engine updates channel | Security intelligence channel | Included groups | Excluded groups |
| PRD WIN Defender Updates Ring 1 Test | Beta Channel | Beta Channel | Current Channel (Staged) | GRP WIN Ring 1 Test | |
| PRD WIN Defender Updates Ring 2 Pilot | Current Channel (Preview) | Current Channel (Preview) | Current Channel (Staged) | GRP WIN Ring 2 Pilot | |
| PRD WIN Defender Updates Ring 3 Production | Current Channel (Staged) | Current Channel (Staged) | Current Channel (Staged) | GRP WIN Ring 3 Production | GRP WIN Ring 1 Test/ GRP WIN Ring 2 Pilot |
| PRD WIN Defender Updates Ring 4 Production | Current Channel (Broad) | Current Channel (Broad) | Current Channel (Broad) | GRP WIN Ring 4 Production/ GRP WIN Ring 5 Production | GRP WIN Ring 1 Test/ GRP WIN Ring 2 Pilot |
You can see that on ring 3 and 4 the test and pilot group are excluded. This is because all devices are member of one of the three production groups, thus we need to exclude the assigned device groups from the policies to which the three dynamic production groups are assigned.
We could also create a fifth update ring policy, but that would most likely contain the exact same update channels as ring 4.
Configure the update ring policies in Microsoft Intune
We have different policy types available in Microsoft Intune to create our Defender update ring policies.
In the Microsoft Intune admin center under Endpoint Security, on the Antivirus tab we have the option to create a Defender Update controls policy.
But if you prefer to use a Settings Catalog policy, we also have that option available under Devices, Configuration.
Check the end-Result
On the Windows client we can check to which updates channels the machine is configured by running the below PowerShell command;
Get-MpPreference | Select *channel*
This is a device in ring 1:
This is a device in ring 4:
These values match the values described in the docs for EngineUpdatesChannel, PlatformUpdatesChannel and SecurityIntelligenceUpdatesChannel.
I hope this blog post helps you on your way in setting up your own Defender update policies.
Thanks for reading!
Ps; If you’re interested in updating Microsoft Defender during Autopilot enrollments, also read this post.
