Defender for Servers - Staging your updates (be careful!)

James Agombar
Jul 22, 2024
4 min read

Updated: May 7

So you're considering deploying Microsoft Defender to your server estate, but you're concerned about controlling how often they update, Microsoft has you covered.

But there are caveats at the end!

This example will guide you through the updating features of Defender for Servers on Windows, empowering you with the necessary knowledge to mitigate potential risks according to your security risk tolerance.

Our policy tool of choice for this will be the Defender XDR portal (did you know you can now manage your policies there instead of Intune?).

Open the Defender XDR Portal (security.microsoft.com), and go to Endpoints > Configuration Management > Endpoint Security Policies. Select Windows Policies > click "Create new Policy" Select the platform from the drop down "Windows 10, Windows 11, and Windows Server" Select the template "Defender Update controls" Click Create

2. Give the new policy a name e.g. Defender for Servers - Update Policy and click Next. I highly recommend a consistent approach to your policy naming convention, so things look tidy when everything is done.

3. Now this is where you can tailor your update channels to be really specific for your Engine, Platform and Security Intelligence updates.

I can't tell you what settings you should use, as this where risk management comes in to action. Instead I'll show you what settings are available and examples provided by Microsoft for guidance.

Engine Updates Channel

Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.

Policy	Example
Not configured (Default). The device will stay up to date automatically during the gradual release cycle.	Suitable for most devices
Beta Channel: Devices set to this channel will be the first to receive new updates.	Select Beta channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle.	Suggested for pre-production/validation environments
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle.	Suggested to apply to a small, representative part of your production population (~10%)
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes.	Suggested to apply to a broad set of devices in your production population (~10% - 100%)
Critical - Time delay. Devices will be offered updates with a 48-hour delay.	Suggested for critical environments only

Platform Updates Channel

Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout

Policy	Example
Not configured (Default). The device will stay up to date automatically during the gradual release cycle.	Suitable for most devices
Beta Channel: Devices set to this channel will be the first to receive new updates.	Select Beta channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle.	Suggested for pre-production/validation environments
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle.	Suggested to apply to a small, representative part of your production population (~10%)
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes.	Suggested to apply to a broad set of devices in your production population (~10% - 100%)
Critical - Time delay. Devices will be offered updates with a 48-hour delay. Suggested for critical environments only	Suggested for critical environments only

Security Intelligence Updates Channel

Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.

Policy	Example
Not configured (Default). The device will stay up to date automatically during the gradual release cycle.	Suitable for most devices
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle.	Suggested to apply to a small, representative part of your production population (~10%)
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes.	Suggested to apply to a broad set of devices in your production population (~10% - 100%)

Applying Policies (be careful here)

Here's the gotcha, and it relies on you having a good grasp of identifying your managed assets within Azure.

Microsoft provide several ways to assign policies to assets;

Security Group (includes Dynamic)
Scope Tags (only available in the Intune Portal)
Assignment Filters (only available in the Intune Portal)

When managing a large network of servers the initial step is to compile a comprehensive list of all assets and categorise them according to their specific purpose and level of criticality. Following this segregation process, you can proceed to assign the appropriate update policies to each server accordingly.

Need some help?

With extensive experience in managing multiple vendor enterprise-level Antivirus platforms, Security Ninja can assist you in identifying potential pitfalls and levels of intricacy that you may not have previously considered.

Get in touch now for a free 30 minute conversation