Updates from: 08/03/2023 03:13:29
Category Microsoft Docs article Related commit history on GitHub Change details
admin Services In China https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/services-in-china.md
If you would like to learn how to get started with general Office 365 services,
|Function|Availability| |||
-|Sharing a document, library, or site by email with someone outside of your organization|This feature is available, but off by default as using it could make files shared accessible outside of your country. Administrators do have the ability to turn it on, but will get a warning message indicating that it could make files shared accessible outside of your country. Users who attempt to share with someone outside of the organization will also receive a warning. For more information, see [Share SharePoint files or folders in Office 365](https://support.microsoft.com/office/1fe37332-0f9a-4719-970e-d2578da4941c).|
+|Sharing a document, library, or site by email with someone outside of your organization|This feature is available, but off by default as using it could make files shared accessible outside of your country/region. Administrators do have the ability to turn it on, but will get a warning message indicating that it could make files shared accessible outside of your country/region. Users who attempt to share with someone outside of the organization will also receive a warning. For more information, see [Share SharePoint files or folders in Office 365](https://support.microsoft.com/office/1fe37332-0f9a-4719-970e-d2578da4941c).|
|Access Services|Access 2013 is supported, but adding new Access apps may not be available as this feature will be retired from Office 365 and SharePoint Online. Creation of new Access-based web apps and Access web databases in Office 365 and SharePoint Online will stop starting in June 2017 and any remaining web apps and web databases by April 2018. Additionally, Access 2010 functionality is not supported, and attempting to use an Access 2010 database will result in errors and possible data loss.| |Microsoft Power Apps|Microsoft Power Apps and Microsoft Power Automate are now available to customers in regulated industries and commercial organizations that do business with tables in China and require local data residency.| |Information Rights Management (IRM)|The ability to set IRM capabilities to SharePoint for your organization is coming soon.|
-|Ability to translate text or pages|Available, but off by default. Tenant admins can turn this ability on, but the translation cloud service may be located outside your country. If you do not want users to send content to a translation cloud service, you may keep these features disabled.|
+|Ability to translate text or pages|Available, but off by default. Tenant admins can turn this ability on, but the translation cloud service may be located outside your country/region. If you do not want users to send content to a translation cloud service, you may keep these features disabled.|
|Public website ICP registration|China Internet compliance policy requires that you get an Internet Content Provider (ICP) number for your public website.|
-|Public website features|Public websites are available only if you purchased Office 365 before March 9, 2015. However, Bing maps, external sharing, and comments are not available in a public web site as these features may send data outside of your country.|
+|Public website features|Public websites are available only if you purchased Office 365 before March 9, 2015. However, Bing maps, external sharing, and comments are not available in a public web site as these features may send data outside of your country/region.|
|Newsfeed and Viva Engage (enterprise social networks)|Newsfeed (the social hub where you'll see updates from the people, documents, sites, and tags you're following) is available. Viva Engage is unavailable.| |Autohosted apps|You can deploy a provider-hosted app that uses SharePoint and SQL Azure. For more information, see [Create a basic provider hosted app for SharePoint](/sharepoint/dev/sp-add-ins/get-started-creating-provider-hosted-sharepoint-add-ins). Coming soon is the ability for developers to deploy an app that uses an autohosted web site.| |InfoPath|Not available.|
-|SharePoint Store|The Office and SharePoint App Stores are optional services operated by Microsoft Corporation or its affiliate from any of Microsoft's worldwide facilities. The apps available in the Store are provided by various app publishers, and are subject to the app publisher's terms and conditions and privacy statement. Your use of any of these apps may result in your data being transferred to, stored, or processed in any country where the app publisher, its affiliates or service providers maintain facilities. Please carefully review the app publisher's terms and conditions and privacy statements before downloading and using such apps.|
+|SharePoint Store|The Office and SharePoint App Stores are optional services operated by Microsoft Corporation or its affiliate from any of Microsoft's worldwide facilities. The apps available in the Store are provided by various app publishers, and are subject to the app publisher's terms and conditions and privacy statement. Your use of any of these apps may result in your data being transferred to, stored, or processed in any country/region where the app publisher, its affiliates or service providers maintain facilities. Please carefully review the app publisher's terms and conditions and privacy statements before downloading and using such apps.|
|Office 365 Developer Site: Publish to SharePoint Store using the Seller Dashboard\*|Learn about the [requirements for submitting apps for SharePoint](/office/dev/store/submit-sharepoint-add-ins-for-office-365-operated-by-21vianet-in-china) for distribution to users of Office 365 operated by 21Vianet.| \*Optional services provided directly by Microsoft, and subject to Microsoft's Terms of Service and privacy statements.
If you would like to learn how to get started with general Office 365 services,
|Sharing contacts|Coming soon.| |Message tracking|Coming soon.| |Apps|Coming soon.|
-|Places feature|This feature shows maps of addresses in email; because it may allow data outside of your country, it is not available.|
+|Places feature|This feature shows maps of addresses in email; because it may allow data outside of your country/region, it is not available.|
|Connected Accounts|Connecting to other accounts such as Hotmail (Outlook.com) is coming soon.| ## Exchange
Sharing Exchange contact data on Apple mobile devices to the Apple iCloud.|This
|Function|Availability| ||| |Open an Office application from the **File** \> **Open in**... button|Available. The ability to do so while roaming is coming soon.|
-|Save to OneDrive for Business while signed in with a Microsoft account|To keep your data within your country, you cannot save a document to your organization site (OneDrive for Business) when you are signed in to Office with a Microsoft account.|
-|Ability to translate text or pages|This feature is available, but off by default. Administrators do have the ability to turn it on, but will get a warning message indicating that it could make data accessible outside of your country.|
+|Save to OneDrive for Business while signed in with a Microsoft account|To keep your data within your country/region, you cannot save a document to your organization site (OneDrive for Business) when you are signed in to Office with a Microsoft account.|
+|Ability to translate text or pages|This feature is available, but off by default. Administrators do have the ability to turn it on, but will get a warning message indicating that it could make data accessible outside of your country/region.|
## Office client
commerce Manage Payment Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-payment-methods.md
When you replace an existing payment method, you can add a new payment method, o
> [!IMPORTANT] >
-> Replacing a payment method doesn't delete the existing payment method. It's still available for you to select and use for other subscriptions and billing profiles. Learn how to delete a payment method .
+> Replacing a payment method doesn't delete the existing payment method. It's still available for you to select and use for other subscriptions and billing profiles. Learn how to delete a payment method.
### Replace the payment method for a billing profile
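Review bot: In the `[!IMPORTANT]` note, the changed line still ends with the plain sentence "Learn how to delete a payment method." with no link target, so removing the stray space leaves a pointer that leads nowhere. The troubleshooting table further down this file links the same procedure as `[Delete a payment method](#delete-a-payment-method)`; consider using that anchor here as well.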
If a payment method is attached to any subscriptions or billing profiles, first
|**I only have one credit or debit card on my account and I want to remove it.** |If you only have one payment method, follow the steps in [Delete a payment method](#delete-a-payment-method). | |**I can't add my credit or debit card.** |You must use a payment method issued from the same country/region as your tenant. If you have trouble entering your credit or debit card information, you can [contact support](../../admin/get-help-support.md). | + ## Related content [Pay for your business subscription](pay-for-your-subscription.md) (article) \
commerce Understand Your Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice.md
The **Billing Summary** shows the summary of charges since the previous billing
| Credits |Credits you received from returns | | Azure credits applied |Your Azure credits that are automatically applied to Azure charges each billing period. If you don't have any Azure credits, this field is hidden. For more information about Azure credits, see [Track Microsoft Customer Agreement Azure credit balance](/azure/billing/billing-mca-check-azure-credits-balance). | | Subtotal |The pre-tax amount due |
-| Tax |The type and amount of tax that you pay, depending on the country of your billing profile. If you don't have to pay tax, no tax is shown on your invoice. |
+| Tax |The type and amount of tax that you pay, depending on the country/region of your billing profile. If you don't have to pay tax, no tax is shown on your invoice. |
### Understand your charges
The charges pages show the cost broken down by product. For Azure customers, the
| Qty | Quantity purchased or consumed during the billing period | | Charges/Credits | Net amount of charges after credits/refunds are applied | | Azure Credit | The amount of Azure credits applied to the Charges/Credits |
-| Tax rate | Tax rate, depending on the country |
+| Tax rate | Tax rate, depending on the country/region |
| Tax amount | Amount of tax applied to the purchase based on tax rate | | Total | The total amount due for the purchase |
commerce Product Key Errors And Solutions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/product-key-errors-and-solutions.md
If there's an error message when you try to redeem a product key for **Microsoft
| "The product key you entered has expired. Enter a different key." | You must use a new and unused product key to renew a current subscription or activate a new subscription.<br/><br/>Need to buy a new key? Visit the [Microsoft Store](https://go.microsoft.com/fwlink/p/?LinkId=529160) or a third-party reseller, orΓÇöif you're working with a partnerΓÇöcontact your partner. | | "This product key has already been used. Please enter a different product key." | Verify that the key hasn't already been used by you or a member of your organization. If the key hasn't already been used, please contact your partner or the reseller where you bought the product key. | | "Sorry, we can't process your request right now. Please wait a few minutes and try again." | If subsequent attempts result in the same error message for more than 15 minutes, please [contact support](../admin/get-help-support.md). |
-| "The requested subscription is not available. One of the following reasons could have caused this: The offer is not available - The service is not available in your country - It is impossible to use/select the same trial twice. If the issue persists, contact Microsoft support." | Please [contact support](../admin/get-help-support.md)[contact support](../admin/get-help-support.md). If you're working with a partner, contact your partner for support. |
+| "The requested subscription is not available. One of the following reasons could have caused this: The offer is not available - The service is not available in your country/region - It is impossible to use/select the same trial twice. If the issue persists, contact Microsoft support." | Please [contact support](../admin/get-help-support.md)[contact support](../admin/get-help-support.md). If you're working with a partner, contact your partner for support. |
| "You've added more user licenses than this offer allows. The maximum is \<x\> user licenses. Remove this product key and enter one that adds fewer user licenses." | Please contact your reseller or partner. You have purchased more licenses than can be used with this Microsoft 365 subscription. | | "You must be a global or billing admin to redeem a product key." | Be sure your permissions are set as either billing or global admin. To verify this, [Sign in to Microsoft 365](https://support.microsoft.com/office/e9eb7d51-5430-4929-91ab-6157c5a050b4) with your work or school account and go to the admin center. <br/><br/>In the admin center, select **Users** \> **Active users**. In **Filters**, choose **Global admins** or **Billing admins**. <br/><br/>Ensure that you are listed in the results. |
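Review bot: The updated "The requested subscription is not available" row still carries the support link twice in its resolution cell, `[contact support](../admin/get-help-support.md)[contact support](../admin/get-help-support.md)`, which renders as two adjacent identical links. Since this row is being edited anyway, drop the duplicate so it matches the single link used in the "Sorry, we can't process your request right now" row.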
enterprise Advanced Data Residency https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/advanced-data-residency.md
## Overview of Advanced Data Residency
-The Microsoft 365 Advanced Data Residency add-on ("ADR") provides eligible customers with expanded coverage of Microsoft 365 workloads and Customer Data, committed data residency for local country datacenter regions, and prioritized tenant migration services. With Advanced Data Residency, enterprise customers can best address their data residency compliance and tenant location requirements.
+The Microsoft 365 Advanced Data Residency add-on ("ADR") provides eligible customers with expanded coverage of Microsoft 365 workloads and Customer Data, committed data residency for local country/region datacenter regions, and prioritized tenant migration services. With Advanced Data Residency, enterprise customers can best address their data residency compliance and tenant location requirements.
The following workloads are included in ADR. For more information, see:
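Review bot: In the overview sentence, the search-and-replace produces "committed data residency for local country/region datacenter regions", which uses "region" in two different senses inside one noun phrase. This sentence states the residency commitment itself, so it should be reworded by hand rather than substituted. Something like "for the local datacenter regions of your country/region" would work, if that is the intended meaning.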
enterprise Exchange 2007 End Of Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/exchange-2007-end-of-support.md
If full hybrid migration sounds right for you, see the following resources to he
### Migrate to a newer version of Exchange Server
-We strongly believe that you can achieve the best value and user experience by migrating to Microsoft 365. But we also understand that some organizations need to keep their email on-premises. This could be because of regulatory requirements, to guarantee data isn't stored in a datacenter located in another country, or similar. If you choose to keep your email on-premises, you can migrate your Exchange 2007 environment to Exchange 2010, Exchange 2013, or Exchange 2016.
+We strongly believe that you can achieve the best value and user experience by migrating to Microsoft 365. But we also understand that some organizations need to keep their email on-premises. This could be because of regulatory requirements, to guarantee data isn't stored in a datacenter located in another country/region, or similar. If you choose to keep your email on-premises, you can migrate your Exchange 2007 environment to Exchange 2010, Exchange 2013, or Exchange 2016.
If you can't migrate to Microsoft 365, we recommend that you migrate to Exchange 2016. Exchange 2016 includes all the features of previous releases of Exchange. It also most closely matches the experience available with Microsoft 365, although some features are available only in Microsoft 365. Check out just a few of the things you've been missing:
enterprise Office 365 Network Mac Perf Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-insights.md
This insight displays if your organization has users in China connecting to your
If your organization has private WAN connectivity, we recommend configuring a network WAN circuit from your office locations in China that have network egress to the Internet in any of the following locations: -- Hong Kong
+- Hong Kong Special Administrative Region
- Japan - Taiwan - South Korea
security Microsoft Defender Antivirus Pilot Ring Deployment Group Policy Wsus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus.md
+
+ Title: Pilot ring deployment using Group Policy and Windows Server Update Services
+description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus pilot clients using Group Policy and Windows Server Update Services (WSUS).
+keywords: Deploy Microsoft Defender Antivirus updates, pilot ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Group Policy, Microsoft Defender Antivirus Windows Server Update Services (WSUS), Microsoft Defender Antivirus Group Policy Windows Server Update Services (WSUS), threat intelligence, cybersecurity, cloud security,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: high
+
+audience: ITPro
+
+- m365-security
+- tier1
+++
+search.appverid: met150
Last updated : 07/21/2023++
+# Microsoft Defender Antivirus pilot ring deployment using Group Policy and Windows Server Update Services
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- Microsoft Defender Antivirus
+
+**Platforms**
+
+- Windows
+- Windows Server
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+
+> [!TIP]
+> Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
+>
+> For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see [Compare Microsoft Defender for Endpoint plans](defender-endpoint-plan-1-2.md).
+
+### Resources
+
+The following resources provide information for using and managing Windows Server Update Services (WSUS).
+- [Deploy Windows Defender definition updates using WSUS - Configuration Manager](/troubleshoot/mem/configmgr/update-management/deploy-definition-updates-using-wsus)
+- [Windows Server Update Services Help](/previous-versions/orphan-topics/ws.11/dn343567(v=ws.11)?redirectedfrom=MSDN)
+
+## Setting up the pilot environment
+
+This section provides information about setting up the pilot (UAT/Test/QA) environment using Group Policy and Windows Server Update Services (WSUS).
++
+> [!NOTE]
+> Security intelligence update (SIU) is equivelant to signature updates, which is the same as definition updates.
+
+On about 10-500* Windows and/or Windows Server systems, depending on how many total systems that you all have.
+
+> [!NOTE]
+> If you have a Citrix enviroment, include at least one Citrix VM (non-persistent) and/or (persistent)
+
+1. Launch the **Windows Server Update Services Configuration Wizard**.
+
+1. On the **Before You Begin** page, review the preliminary information and attend to any configuration or credential matters, and then select **Next**.
+
+1. On the **Microsoft Update Improvement Program** page, if you would like to participate in the program, select **Yes, I would like to join the Microsoft Update Improvement Program**. Select **Next**.
+
+1. On the **Choose Upstream Server** page, select **Synchronize from Microsoft Update** and then select **Next**.
+
+1. On the **Specify Proxy Server** page, select **Next**.
+
+1. On the **Choose Languages** page, select **Download updates only in these languages**. Select the update languages that you want to download, and then select **Next**
+
+1. On the **Choose Products** page, scroll down to **Forefront**, select **Forefront Client Security** and **System Center Endpoint Protection** This is shown in the following figure.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-choose-products-av.png" alt-text="Screenshot that shows a screen capture of the WSUS configuration wizard Choose Products page." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-choose-products-av.png":::
+
+ While still on the **Choose Products** page, scroll down to **Windows** and select **Microsoft Defender Antivirus**.
+
+1. Select **Next**. On the **Choose Classification** page, select: **critical Updates**, **Definition Updates**, and **Security Updates**, and then select **Next**.
+
+1. On the **Configure Sync Schedule** page, do the following:
+
+ | In: | Change: |
+ |:|:|
+ | **Synchronize automatically** | select (enable) |
+ | **First synchronization** | Set time to _5:00:00 AM_ |
+ | **Synchronizations per day** | Set to _1_ |
+
+1. Select **Next**. On the **Finished** page, select **Next**.
+
+1. On the **What's next** page, select **Finish**.
+
+The Windows Server Update Services Configuration Wizard is complete.
+
+1. Open the **Update Services** snap-in console, and navigate to **YR2K19**. The console is shown in the following figure.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-update-service-synch.png" alt-text="Screenshot that shows a screen capture of the Update Services snap-in console with YR2K19 shown." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-update-service-synch.png":::
+
+1. When synchronization is complete, you can see how many products and classifications have been added in the last 30 days. Check to ensure the status for **Last synchronization result** indicates _Succeeded_. You may see a warning indicating **"Your WSUS server currently shows that no computers are registered to receive updates"**. This warning is normal at this point of the deployment configuration process.
+
+#### View update details
+
+1. In the **Update Services** console, in the navigation tree, go to > **Update Services** > **YR2K19** > **Updates** > **All Updates**.
+1. In the **Actions** column, select **Search**. **Search** opens. In **Text**, type _defender_, and press _ENTER_. The results field under **Update Title** lists updates that include the word **Defender** in the title. For example _Windows Defender_ and _Microsoft Defender Antivirus_ updates for _Platform_, _Engine_, and _Intelligence_. Example results are shown in the next image.
+
+ See [ Viewing and Managing Updates](/windows-server/administration/windows-server-update-services/manage/viewing-and-managing-updates).
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-update-service-search-defender.png" alt-text="Screenshot that shows a screen capture of the Update Services for Microsoft Defender Antivirus." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-update-service-search-defender.png":::
+
+1. In the **Search** dialog, under **Update Title**, double-click one of the listed KB items. One of two things happens:
+
+ - If you don't have **Microsoft Report Viewer 2012 Redistributable** installed, the following error message appears:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-report-viewer-error.png" alt-text="Screenshot that shows a screen capture of an error message indicating the Microsoft Report Viewer 2012 Redistributable isn't installed." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-report-viewer-error.png":::
+
+ Follow the link in the error message to install the Microsoft Report Viewer 2012 Redistributable before proceeding to the next numbered step of this procedure.
+
+ - If **Microsoft Report Viewer 2012 Redistributable** installed, **Update Report for YR2k19** opens, presenting a report with information related to the KB you previously selected. An example report is shown in the following image.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-report-viewer-kb-update-info.png" alt-text="Screenshot that shows a screen capture with details about a KB update reported in **Update Report for Yr2k19**." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-report-viewer-kb-update-info.png":::
+
+ To learn more about the different Microsoft Defender Antivirus Update channels, see [Manage the gradual rollout process for Microsoft Defender updates](/manage-gradual-rollout)
+
+#### To find out which Platform Update version is the Current Channel (Broad)
+
+1. Go to the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623). (_This link automatically loads a search filtered to KB4052623_)
+1. Search for a KB by name. For example, In the search box, type _KB4052623_, and then select **Search**.
+
+ For example, on April 11, 2023, the latest production version is **4.18.2302.7**, where **23** == _2023_, **02** == _February_, and **.7** is the _minor revision_.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-report-viewer-kb-search.png" alt-text="Screenshot that shows a screen capture of the results from a Microsoft Update Catalog search for KB4052623." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-report-viewer-kb-search.png":::
+
+#### To determine if updates are synchronized
+
+1. In the **Update Services** console, go > **Update Services** > **YR2K19** > **Updates** > **All Updates**.
+1. In **Approval**, select **Any Except Declined**, and the select **Refresh**.
+
+ The **All Updates** view lists ΓÇ£Platform UpdatesΓÇ¥ and ΓÇ£Security Intelligence UpdatesΓÇ¥ (also known as signatures/definitions). For example, KB4052623 platform updates. KB4052623 platform update is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-report-view-signature-platform-updates.png" alt-text="Screenshot that shows a screen capture of the results from a Microsoft Update Catalog search for KB4052623 platform updates." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-report-view-signature-platform-updates.png":::
+
+1. Select **KB4052623** version **4.18.2302.7** to see the synchronization status.
+
+ > [!NOTE]
+ > For the ΓÇ£Security Intelligence UpdatesΓÇ¥, please see [Appendix A](microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices.md).
+ > For the ΓÇ£Engine UpdatesΓÇ¥, please see [Appendix B](microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices.md).
+ > For the ΓÇ£Platform UpdatesΓÇ¥, please see [Appendix C](microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices.md).
+
+#### Approve and deploy updates in WSUS
+
+1. In the **Update Services** console, go > **Update Services** > **YR2K19** > **Computers** > **Options**. The **Options** window opens
+1. Select **Automatic Approvals** to launch the **Automatic Approvals** configuration wizard.
+1. In **Automatic Approvals** page, on the **Update Rules** tab, select **OK**.
+1. On the **Add Rule** page, is **Step 1**, select **When an update is in a specific classification** and **When an update is in a specific product**.
+1. In **Choose Products**, scroll to **Forefront**, and then select **Forefront Client Security**. Scroll to **Windows**, and then select **Microsoft Defender Antivirus**, and then select **OK**. The workflow returns you to the **Add Rule** page.
+1. On the **Add Rule** page, in **Step 1: Select Properties**, ensure the following are selected:
+ - **When an update is in a specific classification**
+ - **When an updates is in a specific product**
+ - **Set a deadline for the approval**
+
+ In **Step 2: Edit the properties**:
+ - In **When an update is in**, ensure **Forefront Client Security, System Center Endpoint Protection, Microsoft Defender Antivirus** are listed.
+ - In **Set a deadline for**, select **The same day as the approval at 5:00 AM**.
+
+ In **Step 3: Specify a name**, type a name for your rule. For example, type _Microsoft Defender Antivirus updates_. These settings are shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-updates-add-rule.png" alt-text="Screenshot that shows a screen capture of the an example name for a rule." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-updates-add-rule.png":::
+
+1. Select **OK**. The work flow returns to the **Update Rules** page. Select your new rule, For example, select **Microsoft Defender Antivirus updates**.
+1. In **Rule Properties**, verify the information is correct, and then select **OK**.
+
+#### Define the order of sources for downloading security intelligence updates
+
+1. On your Group Policy management computer, open the **Group Policy Management Console**, right-click the _Group Policy Object_ you want to configure and select **Edit**.
+
+1. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies**, then select **Administrative templates**.
+
+1. Expand the tree to **Windows components** > **Windows Defender** > **Signature updates**.
+
+ - Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
+
+ - In **Options**, type _InternalDefinitionUpdateServer_, and then select **OK**. The configured **Define the order of sources for downloading security intelligence updates** page is shown in the following figure.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-download-order.png" alt-text="Screenshot that shows a screen capture of how to define the order of sources for downloading security intelligence updates." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-download-order.png":::
+
+For more information, see [Manage how and where Microsoft Defender Antivirus receives updates](manage-protection-updates-microsoft-defender-antivirus.md).
+
+## See also
+
+[Microsoft Defender Antivirus ring deployment](microsoft-defender-antivirus-ring-deployment.md)
+
+[Microsoft Defender Antivirus production ring deployment using Group Policy and Windows Server Update Services](microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus.md)
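Review bot: The "Approve and deploy updates in WSUS" procedure in this new file does not agree with itself, so a reader following it literally will not end up with the rule that step 6 asks them to verify.

- Step 3 says to select **OK** on the **Update Rules** tab, yet step 4 is already "On the **Add Rule** page". The action that opens **Add Rule** is missing.
- Step 4 selects two properties, but step 6 expects three, including **Set a deadline for the approval**.
- Step 5 selects only **Forefront Client Security** and **Microsoft Defender Antivirus**, while step 6 expects "Forefront Client Security, System Center Endpoint Protection, Microsoft Defender Antivirus" to be listed. The earlier **Choose Products** wizard step also selects **System Center Endpoint Protection**.

Please align the steps so the product and property selections match what the verification step lists.

Smaller points in the same file:

- Spelling and grammar: "equivelant", "enviroment", "When an updates is", "and the select **Refresh**", "**critical Updates**".
- The line "On about 10-500* Windows and/or Windows Server systems, depending on how many total systems that you all have." is a sentence fragment, and its asterisk has no footnote.
- The link `(/manage-gradual-rollout)` is root-relative, unlike the sibling `.md` links elsewhere in the article. Confirm that it resolves.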
security Microsoft Defender Antivirus Production Ring Deployment Group Policy Wsus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus.md
+
+ Title: Production ring deployment using Group Policy and Windows Server Update Services
+description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus production clients using Group Policy and Windows Server Update Services (WSUS).
+keywords: Deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Group Policy, Microsoft Defender Antivirus Windows Server Update Services (WSUS), Microsoft Defender Antivirus Group Policy Windows Server Update Services (WSUS), threat intelligence, cybersecurity, cloud security,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: high
+
+audience: ITPro
+
+- m365-security
+- tier1
+++
+search.appverid: met150
Last updated : 07/21/2023++
+# Microsoft Defender Antivirus production ring deployment using Group Policy and Windows Server Update Services
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- Microsoft Defender Antivirus
+
+**Platforms**
+
+- Windows
+- Windows Server
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+
+> [!TIP]
+> Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
+>
+> For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see [Compare Microsoft Defender for Endpoint plans](defender-endpoint-plan-1-2.md).
+
+## Before you begin
+
+This article assumes that you have experience with Windows Server Update Services (WSUS) and/or already have WSUS installed. If you aren't already familiar with WSUS, see the following articles for important configuration details:
+
+- [Configure WSUS](/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus) - Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012)
+- [Configure Windows Server Update Services (WSUS) in Analytics Platform System][/sql/analytics-platform-system/configure-windows-server-update-services-wsus.md] - Analytics Platform System
+
+## Setting up the production environment
+
+This section provides information about setting up the production environment using Group Policy and Windows Server Update Services (WSUS).
++
+> [!NOTE]
+> Security intelligence update (SIU) is equivelant to signature updates, which is the same as definition updates.
+
+1. On the left pane of **Server Manager**, select **Dashboard** > **Tools** > **Windows Server Update Services**.
+
+ > [!NOTE]
+ > If the **Complete WSUS Installation** dialog box appears, select **Run**. In the **Complete WSUS Installation** dialog box, select **Close when the installation successfully finishes**.
+
+1. The **WSUS Configuration Wizard** opens. On the **Before you Begin** page, review the information, and then select **Next**.
+
+1. Read the instructions on the **Join the Microsoft Update Improvement Program** page. Keep the default selection if you want to participate in the program, or clear the checkbox if you don't. Then select **Next**.
+
+1. On the **Choose Upstream Server** page, select **Synchronize from another Windows Server Update Services server**.
+
+ - In **Server name**, enter the server name. For example, type _YR2K19_.
+ - In **Port number** enter the port on which this server communicates with the upstream server. For example, type _8530_.
+
+ This is shown in the following figure.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-production-update-service-upstream.png" alt-text="Screenshot that shows a screen capture of the Update Services snap-in console, Choose Upstream Server page." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-production-update-service-upstream.png":::
+
+1. Select **Next**.
+
+ An autonomous downstream server, like a replica server, also uses another WSUS server as its master repository, but allows for individual approvals for updates different from approvals of the master. The autonomous server:
+
+ - Allows flexibility in creating computer groups
+ - Doesn't have to be in the same Active Directory forest as the master
+
+1. (Optional, depending on configuration) On the **Specify Proxy Server** page, select the **Use a proxy server when synchronizing** checkbox. Then enter the proxy server name and port number (port 80 by default) in the corresponding boxes.
+
+ > [!IMPORTANT]
+ > You must complete this step if you identified that WSUS needs a proxy server to have internet access.
+
+ - If you want to connect to the proxy server by using specific user credentials, select the **Use user credentials to connect to the proxy server** checkbox. Then enter the user name, domain, and password of the user in the corresponding boxes.
+ - If you want to enable basic authentication for the user who is connecting to the proxy server, select the **Allow basic authentication (password is sent in cleartext)** checkbox.
+
+ Select **Next**.
+
+1. On the **Connect to Upstream Server** page, select **start Connecting**. When WSUS connects to the server, select **Next**.
+
+1. On the **Choose Languages** page, you can select the languages from which WSUS receives updates: **all languages** or a **subset of languages**. Selecting a subset of languages saves disk space, but it's important to choose all the languages that all the clients need on this WSUS server.
+
+ If you choose to get updates only for specific languages, select **Download updates only in these languages**, and then select the languages for which you want updates. Otherwise, leave the default selection.
+
+ > [!WARNING]
+ > If you select the option **Download updates only in these languages**, and the server has a downstream WSUS server connected to it, selecting this option will force the downstream server to also use only the selected languages.
+
+ After you select the language options for your deployment, select **Next**.
+
+1. The **Set Sync Schedule** page opens. (The **Choose Products** and **Choose Classifications** pages are grayed out and can't be configured).
+
+ - Select **Synchronize automatically**, the WSUS server synchronizes at set intervals.
+ - In **First synchronization** specify a time for the first synchronization. For example, select _5:00:00 PM._
+ - In **Synchronizations per day**, specify the number of times you want synchronizations to occur. For example, select _1_, and then select **Next**.
+
+1. On the **Finished** page, select **Next**.
+
+1. On the **What's next** page, select **Next** to finish.
+
+#### Define the order of sources for downloading security intelligence updates
+
+1. On your Group Policy management computer, open the **Group Policy Management Console**, right-click the _Group Policy Object_ you want to configure and select **Edit**.
+
+1. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies**, then select **Administrative templates**.
+
+1. Expand the tree to **Windows components** > **Windows Defender** > **Signature updates**.
+
+ - Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
+
+ - In **Options**, type _InternalDefinitionUpdateServer_, and then select **OK**. The configured **Define the order of sources for downloading security intelligence updates** page is shown in the following figure.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-download-order.png" alt-text="Screenshot that shows a screen capture of the results from a Microsoft Update Catalog search for KB4052623." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-download-order.png":::
+
+1. In **Define the order of sources for downloading security intelligence updates**, select **Enabled**. In **Options**, enter the order of sources for downloading security intelligence updates. For example, type _InternalDefinitionUpdateServer_.
+
+ ## If you encounter problems
+
+If you encounter problems with your deployment, create or append your Microsoft Defender Antivirus policy:
+
+1. In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy using the following setting:
+
+ Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > (administrator-defined) _PolicySettingName_. For example, _MDAV\_Settings\_Production_, right-click, and then select **Edit**. **Edit** for **MDAV\_Settings\_Production** is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png" alt-text="Screenshot that shows a screen capture of the administrator-defined Microsoft Defender Antivirus policy Edit option." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png":::
+
+1. Select **Define the order of sources for downloading security intelligence updates**.
+
+1. Select the radio button named **Enabled**.
+
+1. Under **Options**, change the entry to _FileShares_, select **Apply**, and then select **OK**. This change is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png":::
+
+1. Select **Define the order of sources for downloading security intelligence updates**.
+
+1. Select the radio button named **Disabled**, select **Apply**, and then select **OK**. The disabled option is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page with Security Intelligence updates disabled." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png":::
+
+1. The change is active when Group Policy updates. There are two methods to refresh Group Policy:
+
+ - From the command line, run the Group Policy update command. For example, run `gpupdate / force`. For more information, see [gpupdate](/windows-server/administration/windows-commands/gpupdate)
+ - Wait for Group Policy to automatically refresh. Group Policy refreshes every 90 minutes +/- 30 minutes.
+
+ If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy Update from the Group Policy Management Console.
+
+ - Right-click on an organizational unit (OU) that contains the machines (for example, Desktops), select **Group Policy Update**. This UI command is the equivalent of doing a gpupdate.exe /force on every machine in that OU. The feature to force Group Policy to refresh is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png" alt-text="Screenshot that shows a screen capture of the Group Policy Management console, initiating a forced update." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png":::
+
+1. After the issue is resolved, set the **Signature Update Fallback Order** back to the original setting. `InternalDefinitionUpdateServder|MicrosoftUpdateServer|MMPC|FileShare`.
+
+ See also:
+
+ - [Step 3: Configure WSUS | Microsoft Learn](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852346(v=ws.11)?redirectedfrom=MSDN#31-configure-network-connections)
+ - [Step 4: Approve and Deploy WSUS Updates | Microsoft Learn](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852348(v=ws.11)?redirectedfrom=MSDN)
+ - [Step 5: Configure Group Policy Settings for Automatic Updates | Microsoft Learn](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn595129(v=ws.11))
+ - [Microsoft Defender Antivirus pilot ring deployment using Group Policy and Windows Server Update Services](microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus.md)
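
Review bot: The restore value in the last step of "If you encounter problems" is misspelled: `InternalDefinitionUpdateServder|MicrosoftUpdateServer|MMPC|FileShare` should start with `InternalDefinitionUpdateServer`, and `FileShare` does not match the _FileShares_ entry used a few steps earlier, so an admin who pastes this string gets a source order with a misspelled first entry. The string is also not the "original setting" the step refers to, because the setup section enters only _InternalDefinitionUpdateServer_; decide which value production uses and give the same one in both places. In the same procedure, the steps set the policy to **Enabled** with _FileShares_ and then straight away to **Disabled** without saying whether these are alternatives or a sequence, and `gpupdate / force` has a stray space (the later bullet writes `gpupdate.exe /force`). Elsewhere in the file: the second link under "Before you begin" puts its target in square brackets instead of parentheses and will not render as a link, the first bullet there has an unmatched `)`, the final numbered step under "Define the order of sources for downloading security intelligence updates" repeats the two bullets above it, the alt text on the download-order image describes a Microsoft Update Catalog search for KB4052623, and "equivelant" should be "equivalent".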
security Microsoft Defender Antivirus Ring Deployment Group Policy Microsoft Update https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-microsoft-update.md
+
+ Title: Production ring deployment using Group Policy and Microsoft Update (MU)
+description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus clients using Group Policy and Microsoft Update (MU).
+keywords: Deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Group Policy, Microsoft Defender Antivirus Microsoft Update (MU), Microsoft Defender Antivirus Group Policy and Microsoft Update, threat intelligence, cybersecurity, cloud security,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: high
+
+audience: ITPro
+
+- m365-security
+- tier1
+++
+search.appverid: met150
Last updated : 07/21/2023++
+# Microsoft Defender Antivirus production ring deployment using Group Policy and Microsoft Updates
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- Microsoft Defender Antivirus
+
+**Platforms**
+
+- Windows
+- Windows Server
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+
+> [!TIP]
+> Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
+>
+> For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see [Compare Microsoft Defender for Endpoint plans](defender-endpoint-plan-1-2.md).
+
+## Prerequisites
+
+Review the _read me_ article at [Readme](https://github.com/microsoft/defender-updatecontrols/blob/main/README.md)
+https://github.com/microsoft/defender-updatecontrols/blob/main/README.md
+
+Download the latest Windows Defender .admx and .adml
+
+- [WindowsDefender.admx](https://github.com/microsoft/defender-updatecontrols/blob/main/WindowsDefender.admx)
+- [WindowsDefender.adml](https://github.com/microsoft/defender-updatecontrols/blob/main/WindowsDefender.adml)
+
+2) Copy the latest .admx and .adml to the Domain Controller [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store#the-central-store).
+
+## Setting up the Pilot (UAT/Test/QA) environment
+
+This section describes the process for setting up the pilot UAT / Test / QA environment.
++
+> [!NOTE]
+> Security intelligence update (SIU) is equivelant to signature updates, which is the same as definition updates.
+
+ On about 10-500 Windows and/or Windows Server systems, depending on how many total systems that you all have, perform the following tasks.
+
+ > [!NOTE]
+ > If you have a Citrix enviroment, include at least 1 Citrix VM (non-persistent) and/or (persistent)
+
+In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy.
+
+1. Edit your Microsoft Defender Antivirus policy. For example, edit _MDAV\_Settings\_Pilot_. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**. There are three related options:
+
+ | Feature | Recommendation for the pilot systems |
+ |:|:|
+ | Select the channel for Microsoft Defender daily **Security Intelligence updates** | Current Channel (Staged) |
+ | Select the channel for Microsoft Defender monthly **Engine updates** | Beta Channel |
+ | Select the channel for Microsoft Defender monthly **Platform updates** | Beta Channel |
+
+ The three options are shown in the following figure.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png" alt-text="Screenshot that shows a screen capture of the pilot Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png":::
+
+ For more information, see [Manage the gradual rollout process for Microsoft Defender updates](/manage-gradual-rollout)
+
+1. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+
+1. For _intelligence_ updates, double-click **Select the channel for Microsoft Defender monthly intelligence updates**.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channel-staged.png" alt-text="Screenshot that shows a screen capture of the Select the channel for Microsoft Defender monthly intelligence updates page with Enabled and Current Channel (Staged) selected." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channel-staged.png":::
+
+1. On the **Select the channel for Microsoft Defender monthly intelligence updates** page, select **Enabled**, and in **Options**, select **Current Channel (Staged)**.
+
+1. Select **Apply**, and then select **OK**.
+
+1. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+
+1. For _engine_ updates, double-click **Select the channel for Microsoft Defender monthly engine updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly Platform updates** page, select **Enabled**, and in **Options**, select **Beta Channel**.
+
+1. Select **Apply**, and then select **OK**.
+
+1. For _platform_ updates, double-click **Select the channel for Microsoft Defender monthly Platform updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly Platform updates** page, select **Enabled**, and in **Options**, select **Beta Channel**. These two settings are shown in the following figure:
+
+1. Select **Apply**, and then select **OK**.
+
+### Related articles
+
+- [Antivirus profiles - Devices managed by Microsoft Intune](/mem/intune/protect/endpoint-security-antivirus-policy#antivirus-profiles)
+- [Use Endpoint security Antivirus policy to manage Microsoft Defender update behavior (Preview)](/mem/intune/fundamentals/whats-new#use-endpoint-security-antivirus-policy-to-manage-microsoft-defender-update-behavior-preview)
+- [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md#manage-the-gradual-rollout-process-for-microsoft-defender-updates)
+
+## Setting up the production environment
+
+1. In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png" alt-text="Screenshot that shows a screen capture of the production Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png":::
+
+1. Set the three policies as follows:
+
+ | Feature | Recommendation for the production systems | Remarks |
+ |:|:|
+ | Select the channel for Microsoft Defender daily **Security Intelligence updates** | Current Channel (Broad) | This setting provides you with 3 hours of time to find an FP and prevent the production systems from getting an incompatible signature update. |
+ | Select the channel for Microsoft Defender monthly **Engine updates** | Critical ΓÇô Time delay | Updates are delayed by two days. |
+ | Select the channel for Microsoft Defender monthly **Platform updates** | Critical ΓÇô Time delay | Updates are delayed by two days. |
+
+1. For _intelligence_ updates, double-click **Select the channel for Microsoft Defender monthly intelligence updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly intelligence updates** page, select **Enabled**, and in **Options**, select **Current Channel (Broad)**.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channel-staged.png" alt-text="Screenshot that shows a screen capture of the Select the channel for Microsoft Defender monthly intelligence updates page with Enabled and Current Channel (Staged) selected." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channel-staged.png":::
+
+1. Select **Apply**, and then select **OK**.
+
+1. For _engine_ updates, double-click **Select the channel for Microsoft Defender monthly engine updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly Platform updates** page, select **Enabled**, and in **Options**, select **Critical ΓÇô Time delay**.
+
+1. Select **Apply**, and then select **OK**.
+
+1. For _platform_ updates, double-click **Select the channel for Microsoft Defender monthly Platform updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly Platform updates** page, select **Enabled**, and in **Options**, select **Critical ΓÇô Time delay**.
+
+1. Select **Apply**, and then select **OK**.
+
+## If you encounter problems
+
+If you encounter problems with your deployment, create or append your Microsoft Defender Antivirus policy:
+
+1. In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy using the following setting:
+
+ Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > (administrator-defined) _PolicySettingName_. For example, _MDAV\_Settings\_Production_, right-click, and then select **Edit**. **Edit** for **MDAV\_Settings\_Production** is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png" alt-text="Screenshot that shows a screen capture of the administrator-defined Microsoft Defender Antivirus policy Edit option." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png":::
+
+1. Select **Define the order of sources for downloading security intelligence updates**.
+
+1. Select the radio button named **Enabled**.
+
+1. Under **Options:**, change the entry to _FileShares_, select **Apply**, and then select **OK**. This change is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png":::
+
+1. Select **Define the order of sources for downloading security intelligence updates**.
+
+1. Select the radio button named **Disabled**, select **Apply**, and then select **OK**. The disabled option is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page with Security Intelligence updates disabled." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png":::
+
+1. The change is active when Group Policy updates. There are two methods to refresh Group Policy:
+
+ - From the command line, run the Group Policy update command. For example, run `gpupdate / force`. For more information, see [gpupdate](/windows-server/administration/windows-commands/gpupdate.md)
+ - Wait for Group Policy to automatically refresh. Group Policy refreshes every 90 minutes +/- 30 minutes.
+
+ If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy Update from the Group Policy Management Console.
+
+ - Right-click on an organizational unit (OU) that contains the machines (for example, Desktops), select **Group Policy Update**. This UI command is the equivalent of doing a gpupdate.exe /force on every machine in that OU. The feature to force Group Policy to refresh is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png" alt-text="Screenshot that shows a screen capture of the Group Policy Management console, initiating a forced update." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png":::
+
+1. After the issue is resolved, set the **Signature Update Fallback Order** back to the original setting. `InternalDefinitionUpdateServder|MicrosoftUpdateServer|MMPC|FileShare`.
++
+## See also
+
+- [Antivirus profiles - Devices managed by Microsoft Intune](/mem/intune/protect/endpoint-security-antivirus-policy#antivirus-profiles)
+- [Use Endpoint security Antivirus policy to manage Microsoft Defender update behavior (Preview)](/mem/intune/fundamentals/whats-new#use-endpoint-security-antivirus-policy-to-manage-microsoft-defender-update-behavior-preview)
+- [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md#manage-the-gradual-rollout-process-for-microsoft-defender-updates)
+- [Microsoft Defender Antivirus ring deployment overview](microsoft-defender-antivirus-ring-deployment.md#ring-deployment-overview)
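
Review bot: Both engine-update steps send the reader to the wrong policy page: in the pilot and the production procedures, the step after "For _engine_ updates, double-click **Select the channel for Microsoft Defender monthly engine updates**" continues with "On the **Select the channel for Microsoft Defender monthly Platform updates** page"; it should name the engine updates page, otherwise the engine channel is never set as the tables recommend. Related inconsistencies in the same procedures: the tables call the first setting "daily **Security Intelligence updates**" while the steps call it "monthly intelligence updates"; the production step that selects **Current Channel (Broad)** is illustrated with the channel-staged image, whose alt text says Current Channel (Staged); the pilot step ending "These two settings are shown in the following figure:" has no figure after it; and the production table has three header columns but a two-column separator row. The dash in the **Critical ... Time delay** option name is mis-encoded (it appears as `ΓÇô`) in the table and in two steps; save the file as UTF-8 or use a plain hyphen. In "Prerequisites", the README link is followed by the same URL as bare text, and the list starts unnumbered and continues with "2)". The "If you encounter problems" section repeats the `InternalDefinitionUpdateServder` and `gpupdate / force` typos, and "equivelant" and "enviroment" need correcting.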
security Microsoft Defender Antivirus Ring Deployment Group Policy Network Share https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share.md
+
+ Title: Production ring deployment using Group Policy and network share
+description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus clients using Group Policy over a network share.
+keywords: Deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Group Policy, Microsoft Defender Antivirus network share, Microsoft Defender Antivirus Group Policy network share, threat intelligence, cybersecurity, cloud security,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: high
+
+audience: ITPro
+
+- m365-security
+- tier1
+++
+search.appverid: met150
Last updated : 07/21/2023++
+# Microsoft Defender Antivirus production ring deployment using Group Policy and network share
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- Microsoft Defender Antivirus
+
+**Platforms**
+
+- Windows
+- Windows Server
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+
+> [!TIP]
+> Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
+>
+> For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see [Compare Microsoft Defender for Endpoint plans](defender-endpoint-plan-1-2.md).
++
+## Introduction
+
+This article describes how to deploy Microsoft Defender Antivirus in rings using Group Policy and Network share (also known as UNC path, SMB, CIFS).
+
+## Prerequisites
+
+Review the _read me_ article at [Readme](https://github.com/microsoft/defender-updatecontrols/blob/main/README.md)
+https://github.com/microsoft/defender-updatecontrols/blob/main/README.md
+
+1. Download the latest Windows Defender .admx and .adml
+
+ - [WindowsDefender.admx](https://github.com/microsoft/defender-updatecontrols/blob/main/WindowsDefender.admx)
+ - [WindowsDefender.adml](https://github.com/microsoft/defender-updatecontrols/blob/main/WindowsDefender.adml)
+
+1. Copy the latest .admx and .adml to the [Domain Controller Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store#the-central-store).
+
+1. [Create a UNC share for security intelligence and platform updates](manage-protection-updates-microsoft-defender-antivirus.md#create-a-unc-share-for-security-intelligence-and-platform-updates)
+
+## Setting up the pilot environment
+
+This section describes the process for setting up the pilot UAT / Test / QA environment. On about 10-500* Windows and/or Windows Server systems, depending on how many total systems that you all have.
++
+> [!NOTE]
+> Security intelligence update (SIU) is equivelant to signature updates, which is the same as definition updates.
+
+### Create a UNC share for security intelligence and platform updates
+
+Set up a network file share (UNC/mapped drive) to download security intelligence and platform updates from the MMPC site by using a scheduled task.
+
+1. On the system on which you want to provision the share and download the updates, create a folder to which you will save the script.
+
+ ```console
+ Start, CMD (Run as admin)
+ MD C:\Tool\PS-Scripts\
+ ```
+
+2. Create the folder to which you will save the signature updates.
+
+ ```console
+ MD C:\Temp\TempSigs\x64
+ MD C:\Temp\TempSigs\x86
+ ```
+
+3. Setup a PowerShell script, `CopySignatures.ps1`
+
+ Copy-Item -Path ΓÇ£\\SourceServer\SourcefolderΓÇ¥ -Destination ΓÇ£\\TargetServer\TargetfolderΓÇ¥
+
+4. Use the command line to set up the scheduled task.
+
+ > [!NOTE]
+ > There are two types of updates: full and delta.
+
+ - For x64 delta:
+
+ ```powershell
+ Powershell (Run as admin)
+
+ C:\Tool\PS-Scripts\
+
+ ".\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $true -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1"
+ ```
+
+ - For x64 full:
+
+ ```powershell
+ Powershell (Run as admin)
+
+ C:\Tool\PS-Scripts\
+
+ ".\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $false -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1"
+ ```
+
+ - For x86 delta:
+
+ ```powershell
+ Powershell (Run as admin)
+
+ C:\Tool\PS-Scripts\
+
+ ".\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $true -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1"
+ ```
+
+ - For x86 full:
+
+ ```powershell
+ Powershell (Run as admin)
+
+ C:\Tool\PS-Scripts\
+
+ ".\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $false -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1"
+ ```
+
+ > [!NOTE]
+ > When the scheduled tasks are created, you can find these in the Task Scheduler under `Microsoft\Windows\Windows Defender`.
+
+5. Run each task manually and verify that you have data (`mpam-d.exe`, `mpam-fe.exe`, and `nis_full.exe`) in the following folders (you might have chosen different locations):
+
+ - `C:\Temp\TempSigs\x86`
+ - `C:\Temp\TempSigs\x64`
+
+ If the scheduled task fails, run the following commands:
+
+ ```console
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64"
+
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $True -destDir C:\Temp\TempSigs\x64"
+
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $False -destDir C:\Temp\TempSigs\x86"
+
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $True -destDir C:\Temp\TempSigs\x86"
+ ```
+
+ > [!NOTE]
+ > Issues could also be due to execution policy.
+
+6. Create a share pointing to `C:\Temp\TempSigs` (e.g., `\\server\updates`).
+
+ > [!NOTE]
+ > At a minimum, authenticated users must have "Read" access. This requirement also applies to domain computers, the share, and NTFS (security).
+
+7. Set the share location in the policy to the share.
+
+ > [!NOTE]
+ > Do not add the x64 (or x86) folder in the path. The mpcmdrun.exe process adds it automatically.
++
+## Setting up the Pilot (UAT/Test/QA) environment
+
+This section describes the process for setting up the pilot UAT / Test / QA environment, on about 10-500 Windows and/or Windows Server systems, depending on how many total systems that you all have.
+
+> [!NOTE]
+> If you have a Citrix enviroment, include at least 1 Citrix VM (non-persistent) and/or (persistent)
+
+In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy.
+
+1. Edit your Microsoft Defender Antivirus policy. For example, edit _MDAV\_Settings\_Pilot_. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**. There are three related options:
+
+ | Feature | Recommendation for the pilot systems |
+ |:|:|
+ | Select the channel for Microsoft Defender daily **Security Intelligence updates** | Current Channel (Staged) |
+ | Select the channel for Microsoft Defender monthly **Engine updates** | Beta Channel |
+ | Select the channel for Microsoft Defender monthly **Platform updates** | Beta Channel |
+
+ The three options are shown in the following figure.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png" alt-text="Screenshot that shows a screen capture of the pilot Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png":::
+
+ For more information, see [Manage the gradual rollout process for Microsoft Defender updates](/manage-gradual-rollout)
+
+1. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+
+1. For _intelligence_ updates, double-click **Select the channel for Microsoft Defender monthly intelligence updates**.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channel-staged.png" alt-text="Screenshot that shows a screen capture of the Select the channel for Microsoft Defender monthly intelligence updates page with Enabled and Current Channel (Staged) selected." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channel-staged.png":::
+
+1. On the **Select the channel for Microsoft Defender monthly intelligence updates** page, select **Enabled**, and in **Options**, select **Current Channel (Staged)**.
+
+1. Select **Apply**, and then select **OK**.
+
+1. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+
+1. For _engine_ updates, double-click **Select the channel for Microsoft Defender monthly engine updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly Platform updates** page, select **Enabled**, and in **Options**, select **Beta Channel**.
+
+1. Select **Apply**, and then select **OK**.
+
+1. For _platform_ updates, double-click **Select the channel for Microsoft Defender monthly Platform updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly Platform updates** page, select **Enabled**, and in **Options**, select **Beta Channel**. These two settings are shown in the following figure:
+
+1. Select **Apply**, and then select **OK**.
+
+### Related articles
+
+- [Antivirus profiles - Devices managed by Microsoft Intune](/mem/intune/protect/endpoint-security-antivirus-policy#antivirus-profiles)
+- [Use Endpoint security Antivirus policy to manage Microsoft Defender update behavior (Preview)](/mem/intune/fundamentals/whats-new#use-endpoint-security-antivirus-policy-to-manage-microsoft-defender-update-behavior-preview)
+- [Manage the gradual rollout process for Microsoft Defender updates](/manage-gradual-rollout)
+
+## Setting up the production environment
+
+1. In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png" alt-text="Screenshot that shows a screen capture of the production Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png":::
+
+1. Set the three policies as follows:
+
+ | Feature | Recommendation for the production systems | Remarks |
+ |:|:|
+ | Select the channel for Microsoft Defender daily **Security Intelligence updates** | Current Channel (Broad) | This setting provides you with 3 hours of time to find an FP and prevent the production systems from getting an incompatible signature update. |
+ | Select the channel for Microsoft Defender monthly **Engine updates** | Critical ΓÇô Time delay | Updates are delayed by two days. |
+ | Select the channel for Microsoft Defender monthly **Platform updates** | Critical ΓÇô Time delay | Updates are delayed by two days. |
+
+1. For _intelligence_ updates, double-click **Select the channel for Microsoft Defender monthly intelligence updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly intelligence updates** page, select **Enabled**, and in **Options**, select **Current Channel (Broad)**.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channel-staged.png" alt-text="Screenshot that shows a screen capture of the Select the channel for Microsoft Defender monthly intelligence updates page with Enabled and Current Channel (Staged) selected." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channel-staged.png":::
+
+1. Select **Apply**, and then select **OK**.
+
+1. For _engine_ updates, double-click **Select the channel for Microsoft Defender monthly engine updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly Platform updates** page, select **Enabled**, and in **Options**, select **Critical ΓÇô Time delay**.
+
+1. Select **Apply**, and then select **OK**.
+
+1. For _platform_ updates, double-click **Select the channel for Microsoft Defender monthly Platform updates**.
+
+1. On the **Select the channel for Microsoft Defender monthly Platform updates** page, select **Enabled**, and in **Options**, select **Critical ΓÇô Time delay**.
+
+1. Select **Apply**, and then select **OK**.
++
+## If you encounter problems
+
+If you encounter problems with your deployment, create or append your Microsoft Defender Antivirus policy:
+
+1. In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy using the following setting:
+
+ Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > (administrator-defined) _PolicySettingName_. For example, _MDAV\_Settings\_Production_, right-click, and then select **Edit**. **Edit** for **MDAV\_Settings\_Production** is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png" alt-text="Screenshot that shows a screen capture of the administrator-defined Microsoft Defender Antivirus policy Edit option." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png":::
+
+1. Select **Define the order of sources for downloading security intelligence updates**.
+
+1. Select the radio button named **Enabled**.
+
+1. Under **Options:**, change the entry to _FileShares_, select **Apply**, and then select **OK**. This change is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png":::
+
+1. Select **Define the order of sources for downloading security intelligence updates**.
+
+1. Select the radio button named **Disabled**, select **Apply**, and then select **OK**. The disabled option is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page with Security Intelligence updates disabled." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png":::
+
+1. The change is active when Group Policy updates. There are two methods to refresh Group Policy:
+
+ - From the command line, run the Group Policy update command. For example, run `gpupdate / force`. For more information, see [gpupdate](/windows-server/administration/windows-commands/gpupdate)
+ - Wait for Group Policy to automatically refresh. Group Policy refreshes every 90 minutes +/- 30 minutes.
+
+ If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy Update from the Group Policy Management Console.
+
+ - Right-click on an organizational unit (OU) that contains the machines (for example, Desktops), select **Group Policy Update**. This UI command is the equivalent of doing a gpupdate.exe /force on every machine in that OU. The feature to force Group Policy to refresh is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png" alt-text="Screenshot that shows a screen capture of the Group Policy Management console, initiating a forced update." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png":::
+
+1. After the issue is resolved, set the **Signature Update Fallback Order** back to the original setting. `InternalDefinitionUpdateServder|MicrosoftUpdateServer|MMPC|FileShare`.
+
+## See also
+
+[Microsoft Defender Antivirus ring deployment overview](microsoft-defender-antivirus-ring-deployment.md)
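Review bot: In "Create a UNC share for security intelligence and platform updates", step 3 sets up `CopySignatures.ps1`, but steps 4 and 5 run `SignatureDownloadCustomTask.ps1`, and no step says where that script comes from or that it should be saved in `C:\Tool\PS-Scripts\`. Add a step that names its source. Because step 5 runs it with `-executionpolicy allsigned`, say that the script must carry a trusted signature; that is more useful than the current note, "Issues could also be due to execution policy". In step 4, each `powershell` block mixes an instruction ("Powershell (Run as admin)"), a bare path, and the command wrapped in double quotes, which PowerShell would print as a string instead of running. Move the instruction into the step text, use `cd C:\Tool\PS-Scripts\`, and drop the quotes. The step 3 `Copy-Item` line also needs a code fence and plain ASCII quotes. Further down, the engine steps in both the pilot and production sections open "monthly engine updates" and then refer to the "monthly Platform updates" page. "If you encounter problems" sets the source order to Enabled with _FileShares_ and then sets the same policy to Disabled, without saying which state the reader should end with. The restore value is spelled `InternalDefinitionUpdateServder` and ends in `FileShare` where step 4 uses _FileShares_, and `gpupdate / force` has a stray space.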
security Microsoft Defender Antivirus Ring Deployment Group Policy Wsus Appendices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices.md
+
+ Title: Appendices for ring deployment using Group Policy and Windows Server Update Services (WSUS)
+description: Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides supplemental information to the Microsoft Defender Antiviurs Gropu Policy WSUS ring deployment guide.
+keywords: deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Intune Microsoft Defender Antivirus Microsoft Update, Microsoft Defender Antivirus Intune MU, threat intelligence, cybersecurity, cloud security,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: high
+
+audience: ITPro
+
+- m365-security
+- tier1
+++
+search.appverid: met150
Last updated : 07/21/2023++
+# Appendices for Microsoft Defender Antivirus ring deployment using Group Policy and Windows Server Update Services (WSUS)
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- Microsoft Defender Antivirus
+
+**Platforms**
+
+- Windows
+- Windows Server
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+
+> [!TIP]
+> Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
+
+## Appendix A - Security Intelligence Updates
+
+Microsoft continually updates security intelligence in antimalware products to cover the latest threats and to constantly tweak detection logic. The updates enhance the ability of Microsoft Defender Antivirus and other Microsoft antimalware solutions to accurately identify threats. This security intelligence works directly with cloud-based protection to deliver fast and powerful AI-enhanced, next-generation protection.
+
+### References:
+
+- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates)
+
+- [Description of Forefront endpoint security definition updates](https://support.microsoft.com/topic/description-of-forefront-endpoint-security-definition-updates-b0833c24-fab3-390b-820b-3835beeb03b3)
+
+## Appendix B - Engine Updates
+
+Engine updates are the updates for the scan engine, which is used by the ΓÇ£Security Intelligence UpdatesΓÇ¥. First released on July 15, 2010.
+
+## Appendix C - Platform Updates
+
+Platform Updates, are the .exeΓÇÖs, dllΓÇÖs, and .sysΓÇÖs for the Microsoft Defender Antivirus service.
+
+| Channel: | Version: | Revision: | &nbsp; | Remarks |
+|:|:|:|:|:|
+| **Beta Channel - Prerelease** | 4.18.2304.4 | ΓÇÿ23 April, minor rev 4 | n/a | This channel is the one you want to test for app compatibility, reability and performance. |
+| **Current Channel (Preview)** | 4.18.2303.8 | ΓÇÿ23 Mar, minor rev 8 | n/a | Same as for _Beta Channel - Prerelease_ |
+| **Current Channel (Staged)** | 4.18.2303.7 | ΓÇÿ23 Mar, minor rev 7 | n/a | Same as for _Beta Channel - Prerelease_ |
+| **Current Channel (Broad)** | 4.18.2302.7 <br> see note | ΓÇÿ23 Feb, minor rev 7 | ΓÇÖ23 Mar | This channel is the one you want to push out to 90%-100% of your production systems. |
+
+> [!NOTE]
+> Where **23** == _2023_, **02** == _February_, and **.7** is the _minor revision_.
+
+## See also
+
+[Microsoft Defender Antivirus pilot ring deployment using Group Policy and Windows Server Update Services](microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus.md)
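Review bot: The Appendix C table has a column headed only `&nbsp;` and a "see note" marker on the Current Channel (Broad) version, but the note under the table explains only how to read `4.18.2302.7`. The reader cannot tell what "'23 Mar" in the unnamed column means or why Broad sits at 2302. Name the column, point "see note" at text that covers it, and say as of what date these version numbers were current, since they will age. The "Revision:" column actually holds the release month plus the minor revision, so a header that says so would fit better. In Appendix B, "First released on July 15, 2010." has no subject, and the sentence before it says the engine "is used by" the Security Intelligence Updates, which should be reworded so it is clear which depends on which. Typos: "Antiviurs Gropu" in `description` and "reability" in the first table row. The curly quotes and apostrophes should be plain ASCII so they survive encoding.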
security Microsoft Defender Antivirus Ring Deployment Intune Microsoft Update https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-intune-microsoft-update.md
+
+ Title: Ring deployment using Intune and Microsoft Update (MU)
+description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus clients using Intune and Microsoft Update (MU).
+keywords: deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Intune Microsoft Defender Antivirus Microsoft Update, Microsoft Defender Antivirus Intune MU, threat intelligence, cybersecurity, cloud security,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: high
+
+audience: ITPro
+
+- m365-security
+- tier1
+++
+search.appverid: met150
Last updated : 07/21/2023++
+# Microsoft Defender Antivirus ring deployment using Intune and direct internet access for Microsoft Update
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- Microsoft Defender Antivirus
+
+**Platforms**
+
+- Windows
+- Windows Server
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+
+> [!TIP]
+> Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
+>
+> For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see [Compare Microsoft Defender for Endpoint plans](defender-endpoint-plan-1-2.md).
+
+## Setting up the pilot environment
+
+This section describes the process for setting up the pilot UAT / Test / QA environment.
++
+On about 10-500* Windows and/or Windows Server systems, depending on how many total systems that you all have:
+
+In the Intune portal [https://endpoint.microsoft.com](https://endpoint.microsoft.com), create or append to your Microsoft Defender Antivirus policy the following setting:
+For example, your pilot policy named _MDAV_Settings_Pilot_. If you have a Citrix environment, include at least one Citrix VM (non-persistent and/or persistent).
++
+> [!NOTE]
+> Security intelligence update (SIU) is equivelant to signature updates, which is the same as definition updates.
+
+Recommended settings are as follows:
+
+|Feature | Recommendation |
+|: |: |
+| Engine Updates Channel | Beta Channel |
+| Platform Updates Channel | Beta Channel |
+| Security Intelligence Updates Channel | Current Channel (Staged) |
+
+### References
+
+- [Antivirus profiles - Devices managed by Microsoft Intune](/mem/intune/protect/endpoint-security-antivirus-policy#antivirus-profiles)
+- [Use Endpoint security Antivirus policy to manage Microsoft Defender update behavior](/mem/intune/fundamentals/whats-new#use-endpoint-security-antivirus-policy-to-manage-microsoft-defender-update-behavior-preview)
++
+## Setting up the Production environment
+
+In the Intune portal [https://endpoint.microsoft.com](https://endpoint.microsoft.com), create or append to your Microsoft Defender Antivirus policy using the following setting:
+For example, your production policy named _MDAV_Settings_Production_.
++
+|Feature | Recommendation | Comments |
+|: |: |: |
+| Engine Updates Channel | Critical ΓÇô Time delay | It's delayed by two days.|
+| Platform Updates Channel | Critical ΓÇô Time delay | It's delayed by two days.|
+| Security Intelligence Updates Channel | Current Channel (Broad) | This configuration provides you with 3 hours of time to find an FP and prevent the production systems from getting an incompatible signature update. |
+
+### If you encounter problems
+
+If you encounter problems with your deployment, change the source of the Microsoft Defender Antivirus updates:
+
+1. In the Intune portal [https://endpoint.microsoft.com](https://endpoint.microsoft.com), go to **Endpoint Security**, select **Antivirus**, and then find your Intune production policy (for example, MDAV_Settings_Production), and then, in **Configuration settings**, select **Edit**.
+
+1. Change the entry to **FileShares**. This change is shown in the following figure.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-intune-microsoft-defender-antivirus-production-policy-fallback.png" alt-text="Shows Intune Microsoft Defender Antivirus production policy fallback setting." lightbox="images/microsoft-defender-antivirus-deploy-ring-intune-microsoft-defender-antivirus-production-policy-fallback.png":::
+
+#### What this change does
+
+It forces Microsoft Defender Antivirus to look for the **Security Intelligence Update**, **Engine Update** or **Platform Update** from a file share that doesnΓÇÖt exist.
+
+#### How long does it take for the Intune policy to refresh?
+
+If you update a policy, itΓÇÖs within a few minutes (3-5 minutes) via WNS, as long the WNS URLs' are open.
+
+Reference: [Intune actions that immediately send a notification to a device](/mem/intune/configuration/device-profile-troubleshoot#intune-actions-that-immediately-send-a-notification-to-a-device)
+
+After the issue is resolved, set the ΓÇ£Signature Update Fallback OrderΓÇ¥ back to the original setting"
+
+`InternalDefinitionUpdateServder|MicrosoftUpdateServer|MMPC|FileShare`
+
+## See also
+
+[Microsoft Defender Antivirus ring deployment](microsoft-defender-antivirus-ring-deployment.md)
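Review bot: Under "If you encounter problems", step 2 says "Change the entry to **FileShares**" without naming the setting, which is only identified later as "Signature Update Fallback Order". Name it in step 1 or 2. "What this change does" says the client is pointed at a file share that doesn't exist, so state plainly that devices get no security intelligence, engine or platform updates until the order is restored. Turn the restore sentence into a numbered step so it is not missed. The restore value is spelled `InternalDefinitionUpdateServder` and ends in `FileShare` while step 2 uses **FileShares**; make both match the values the setting accepts. Smaller items: "10-500*" has an asterisk with no footnote, "equivelant" in the note, "as long the WNS URLs' are open", and a stray closing quote after "original setting".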
security Microsoft Defender Antivirus Ring Deployment Sscm Wsus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-sscm-wsus.md
+
+ Title: Ring deployment using System Center Configuration Manager and Windows Server Update Services
+description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus clients using System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS).
+keywords: deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus SCCM, Microsoft Defender Antivirus WSUS, Microsoft Defender Antivirus SCCM and WSUS, threat intelligence, cybersecurity, cloud security,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: high
+
+audience: ITPro
+
+- m365-security
+- tier1
+++
+search.appverid: met150
Last updated : 07/21/2023++
+# Microsoft Defender Antivirus ring deployment using System Center Configuration Manager and Windows Server Update Services
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- Microsoft Defender Antivirus
+
+**Platforms**
+
+- Windows
+- Windows Server
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+
+> [!TIP]
+> Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
+>
+> For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see [Compare Microsoft Defender for Endpoint plans](defender-endpoint-plan-1-2.md).
+
+## Setting up the pilot environment
+
+This section describes the process for setting up the pilot UAT / Test / QA environment.
++
+> [!NOTE]
+> Security intelligence update (SIU) is equivelant to signature updates, which is the same as definition updates.
+
+On about 10-500 Windows and/or Windows Server systems, depending on how many total systems that you all have.
+
+> [!NOTE]
+> If you have a Citrix enviroment, include at least 1 Citrix VM (non-persistent) and/or (persistent)
+
+1. In **System Center Configuration Manager** > **Create Automatic Deployment Rule Wizard** > **General** page, in **Specify the setting for this automatic deployment rule**, make the following settings:
+
+ | In: | Change: |
+ |:|:|
+ | **Name** | Type a name for your deployment rule. For example, type _MDE-MDAV_Security_Intelligence_Update_Pilot_ |
+ | **Description** | Type a brief description for your pilot |
+ | **Template** | Select **SCEP and Windows Defender Antivirus Updates** |
+ | **Collection** | Type **Windows_Security_Intelligence_Pilot** |
+ | **Each time the rule runs and finds new updates**. | Select **Create a new Software Update Group** |
+ | **Each time the rule runs and finds new updates** | Select **Enable the deployment after this rule is run** |
+
+1. Select **Next**. On the **Deployment Settings** page, under **Specify the settings for this Automatic Deployment Rule**, then do the following:
+
+ | In: | Change: |
+ |:|:|
+ | **Type of deployment** | Select **Required** |
+ | **Detail level** | Select **Only error messages** |
+ | **Some software updates include a license agreement** | Select **Automatically deploy all software updates found by this rule, and approve any license agreements**. |
+
+1. Select **Next**. On the **Software Updates** page, under **Select the property filters and search criteria**, make the following settings:
+
+ | In: | Change: |
+ |:|:|
+ | **Property filters** | Select **Article ID** and **Date Released or Revised** |
+ | **Search Criteria** | Enter the following <br> **Article ID** = **2267602** <br> **Date Released or Revised** = **Last 1 month** <br> **Product** = **Windows Defender** <br> **Superseded** = **No** <br> **Update Classification** = **"Critical Updates" OR "Definition Updates"** |
+
+ These settings are shown in the following image:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-sccm-wizard-software-updates.png" alt-text="Shows recommended Intune Microsoft Defender Antivirus pilot policy settings for the Software Updates page." lightbox="images/microsoft-defender-antivirus-deploy-ring-sccm-wizard-software-updates.png":::
+
+ > [!TIP]
+ > Click **Preview** - to make sure ΓÇ£Security Intelligence Update for Windows Defender AntivirusΓÇ¥ is listed. You should see **KB2267602**.
+
+ > [!NOTE]
+ > **Date Released or Revised: Last 1 month** - If your WSUS/SUP have been healthy, you may want to set this to ΓÇ£Last 1 weekΓÇ¥.
+ >
+ > **Product: ΓÇ£Windows DefenderΓÇ¥** - We are removing ΓÇ£System Center Endpoint ProtectionΓÇ¥, because we want to target this to only the operating systems that have Microsoft Defender Antivirus.
+ >
+ > **Update Classification**: ΓÇ£Critical UpdatesΓÇ¥ and ΓÇ£Definition UpdatesΓÇ¥
+
+1. Select **Next**. On the **Evaluation Schedule** page, under **Specify the recurring schedule for this rule**, select **Run the rule on a schedule**, and then select **Customize**.
+
+1. On the **Deployment Schedule** page, under **Configure schedule details for this deployment**, do the following:
+
+ | In: | Change: |
+ |:|:|
+ | **Schedule evaluation** > **Time based on** | Select **UTC** |
+ | **Software available time** | Select **As soon as possible** |
+ | **Installation deadline** | Select **As soon as possible** |
+
+1. Select **Next**. On the **User Experience** page, under **Specify the user experience for this deployment**, ensure the following are selected:
+
+ | In: | Change: |
+ |:|:|
+ | **User visual experience** > **User notifications** | Select **Hide in Software center and all notifications** |
+ | **Deadline behavior** | Select **Software Update Installation** |
+ | **Device restart behavior** | Select **Servers** |
+ | **Write filter handling for Windows Embedded devices** | Select **Commit changes at deadline or during a maintenance windows (requires restarts)** |
+
+1. Select **Next**. On the **Alerts** page, under **Specify software update alert options for this deployment**, select **Generate an alert when this Rule fails**, and then select **Next**.
+
+1. On the top-level **Deployment Package** page, under **Select deployment package for this automatic deployment rule**, select **Create a new deployment package**, and then do the following:
+
+ | In: | Change: |
+ |:|:|
+ | **Name** | Type a name for your new deployment package. For example, type _MDE-MDAV Security Intelligence Update_. |
+ | **Description** | Type a brief description for your new deployment package |
+ | **Package Source (Example): \\_server_name_\_folder path_** | Type the path to your package source. For example, type _\\sccm\deployment\MDE-MDAV_Security_Intelligence_Updates_Pilot_ <br> or select **Browse** to navigate to - and select - your package source. |
+ | **Sending piroity:** | Select **High** and select **Enable binary differential replication** |
+
+1. Select **Next**. On the **Distribution point** page, under **Specify the distribution points or distribution point groups to host the content**, select **Add** and then specify your distribution point or distribution point groups.
+
+1. Select **Next**. On the **Distribution location** page, under **Specify download location for this Automatic Deployment Rule**, select **Download software updates from the Internet**, and then select **Next**.
+
+1. On the **Distribution location** page, under **Specify the update languages for product**, under **product**, select **Windows Update**.
+
+1. Select **Next**. On the **Download Settings** page, under **Specify the software updates download behavior for clients on slow site boundaries**, select the following:
+
+ | In: | Change: |
+ |:|:|
+ | **Name** | In **Deployment options** select **Download software updates from distribution point and install** |
+ | **Deployment options** | Select **Download and install software updates from the distribution points in site default boundary group** |
+ | **Deployment options** | Select **"Prefer cloud based sources over on-premises sources" is configures in the boundary group settings, Microsoft update will be the preferred source.** |
+
+1. Select **Next**. On the **Summary** page, under **Confirm the settings**, review the settings. Example settings are shown in the following figure.
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-sccm-wizard-confirm-settings.png" alt-text="Shows the configuration details for the newly configured Automatic Deployment Rule." lightbox="images/microsoft-defender-antivirus-deploy-ring-sccm-wizard-confirm-settings.png":::
+
+1. Select **Next**. Wait until the process completes and the **Completion** page opens. Select **Close** to finish the process. Automatic Deployment rules are saved, and can be managed from the location shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-sccm-manage-pilot-policys.png" alt-text="Shows the Configuration Manager Software library and configured Automatic Deployment Rules." lightbox="images/microsoft-defender-antivirus-deploy-ring-sccm-manage-pilot-policys.png":::
+
+## Setting up the production environment
+
+1. In the System Center Configuration Manager > **Create Automatic Deployment Rule Wizard** > **General** page, in **Specify the setting for this automatic deployment rule**, make the following settings:
+
+ | In: | Change: |
+ |:|:|
+ | **Name** | Type a name for your deployment rule. For example, type _MDE-MDAV_Security_Intelligence_Update_Production_ |
+ | **Description** | Type a brief description for your pilot |
+ | **Template** | Select **SCEP and Windows Defender Antivirus Updates** |
+ | **Collection** | Type **Windows_Security_Intelligence_Production** |
+ | **Each time the rule runs and finds new updates**. | Select **Add to an existing Software Update Group** |
+ | **Each time the rule runs and finds new updates** | Select **Enable the deployment after this rule is run** |
+
+1. Select **Next**. On the **Deployment Settings** page, under **Specify the settings for this Automatic Deployment Rule**, then do the following:
+
+ | In: | Change: |
+ |:|:|
+ | **Type of deployment** | Select **Required** |
+ | **Detail level** | Select **Only error messages** |
+ | **Some software updates include a license agreement** | Select **Automatically deploy all software updates found by this rule, and approve any license agreements**. |
+
+1. Select **Next**. On the **Software Updates** page, under **Select the property filters and search criteria**, enter the following:
+
+ | In: | Change: |
+ |:|:|
+ | **Property filters** | Select **Product** and **Update Classification** |
+ | **Search Criteria** | Enter the following product and update classifications: <br> **Article ID** = _2267602_ <br> **Date Released or Revised** = _Last 1 month_ <br> **Product** = _Windows Defender_ <br> **Superseded** = _No_ <br> **Update Classification** = _Critical Updates_ OR _Definition Updates_ |
+
+ > [!TIP]
+ > Click **Preview** - to make sure ΓÇ£Security Intelligence Update for Windows Defender AntivirusΓÇ¥ is listed. You should see **KB2267602**.
+
+ > [!NOTE]
+ > **Date Released or Revised: Last 1 month** - If your WSUS/SUP have been healthy, you may want to set this to **Last 1 week**.
+ >
+ > **Product: ΓÇ£Windows DefenderΓÇ¥** - We are removing ΓÇ£System Center Endpoint ProtectionΓÇ¥, because we want to target this to only the operating systems that have Microsoft Defender Antivirus.
+ >
+ > **Update Classification**: ΓÇ£Critical UpdatesΓÇ¥ and ΓÇ£Definition UpdatesΓÇ¥
+
+1. Select **Next**. On the **Evaluation Schedule** page, under **Specify the recurring schedule for this rule**, select **Run the rule on a schedule**, and then select **Customize**.
+
+1. On the **Deployment Schedule** page, under **Configure schedule details for this deployment, do the following:
+
+ | In: | Change: |
+ |:|:|
+ | **Schedule evaluation** > **Time based on** | Select **UTC** |
+ | **Software available time** | Select **As soon as possible** |
+ | **Installation deadline** | Select **As soon as possible** |
+
+1. Select **Next**. On the **User Experience** page, under **Specify the user experience for this deployment**, ensure the following are selected:
+
+ | In: | Change: |
+ |:|:|
+ | **User visual experience** > **User notifications** | Select **Hide in Software center and all notifications** |
+ | **Deadline behavior** | Select **Software Update Installation** |
+ | **Device restart behavior** | Select **Servers** |
+ | **Write filter handling for Windows Embedded devices** | Select **Commit changes at deadline or during a maintenance windows (requires restarts)** |
+
+1. Select **Next**. On the **Alerts** page, under **Specify software update alert options for this deployment**, select **Generate an alert when this Rule fails**, select **Browse**, navigate to, and select the deployment package and then select **Next**.
+
+1. On the top-level **Deployment Package** page, under **Select deployment package for this automatic deployment rule**, select **Select a deployment package**.
+
+1. On the **Download Location page**, under **Specify download location for this Automatic Deployment Rule**, select **Download software updates from the Internet**, and then select **Next**.
+
+1. On the **Language Selection** page, under **Specify the update languages for product**, under **Product**, specify the necessary Product and Update languages.
+
+1. Select **Next**. On the **Download Settings** page, under **Specify the software updates download behavior for clients on slow site boundaries**, select the following:
+
+ | In: | Change: |
+ |:|:|
+ | **Deployment options** | Select **Download and install software updates from the distribution points and install** |
+ | **Deployment options** | Select **Download and install software updates from the distribution points site default boundary group** |
+ | **Deployment options** | Select **"Prefer cloud based sources over on-premises sources" is configures in the boundary group settings, Microsoft update will be the preferred source.** |
+
+1. Select **Next**. On the **Summary** page, under **Confirm the settings**, review the settings. Example settings are shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-sccm-wizard-confirm-production-settings.png" alt-text="Shows as screen capture of the configuration details for the newly configured Automatic Deployment Rule for a production environment." lightbox="images/microsoft-defender-antivirus-deploy-ring-sccm-wizard-confirm-production-settings.png":::
+
+1. Select **Next**. Wait until the process completes and the **Completion** page opens. Select **Close** to finish the process.
+
+### If you encounter problems
+
+1. Navigate to **Software Library**
+1. Under **Software Updates**, select on **Automatic Deployment Rules**, right-click on **MDE-MDAV_Security_Intelligence_Update_Production**, and then select **Disable**. This setting is shown in the following figure:
+
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-sccm-disable-automatic-deployment-rules.png" alt-text="hows as screen capture of how to disable Automatic Deployment Rules if you encounter errors or problems." lightbox="images/microsoft-defender-antivirus-deploy-ring-sccm-disable-automatic-deployment-rules.png":::
+
+## See also
+
+[Microsoft Defender for Endpoint ring deployment](microsoft-defender-antivirus-ring-deployment.md)
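Review bot: In the production section, the **Alerts** step ("select **Generate an alert when this Rule fails**, select **Browse**, navigate to, and select the deployment package") folds the package selection into the wrong wizard page. Move the Browse instruction into the following **Deployment Package** step, which currently stops at **Select a deployment package** with no package named and no **Next**. The same section still says "Type a brief description for your pilot", and "**Configure schedule details for this deployment, do the following" is missing its closing `**`. In the pilot steps, two consecutive steps are both titled **Distribution location** where the production steps use **Download Location** and **Language Selection**, the **Download Settings** table has a **Name** row that describes a deployment option, and "Sending piroity", "is configures" and the alt text "hows as screen capture" need spelling fixes. "If you encounter problems" ends at disabling the production rule, which stops this rule delivering security intelligence updates to the production collection; add the step for re-enabling it once the problem is resolved.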
security Microsoft Defender Antivirus Ring Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment.md
+
+ Title: Microsoft Defender Antivirus ring deployment guide overview
+description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides an overview about how to use ring deployment methods to update your Microsoft Defender Antivirus clients.
+keywords: deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, threat intelligence, cybersecurity, cloud security,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: high
+
+audience: ITPro
+
+- m365-security
+- tier1
+++
+search.appverid: met150
Last updated : 07/21/2023++
+# Deploy Microsoft Defender Antivirus in rings
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- Microsoft Defender Antivirus
+
+**Platforms**
+
+- Windows
+- Windows Server
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+
+> [!TIP]
+> Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
+>
+> For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see [Compare Microsoft Defender for Endpoint plans](defender-endpoint-plan-1-2.md).
+
+Deploying Microsoft Defender for Endpoint can be done using a ring-based deployment approach and updating using the gradual rollout process.
+
+## Ring deployment overview
+
+It's important to ensure that client components are up-to-date to deliver critical protection capabilities and prevent attacks.
+Capabilities are provided through several components:
+
+- [Endpoint Detection & Response](overview-endpoint-detection-response.md)
+- [Next-generation protection](microsoft-defender-antivirus-windows.md) with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)
+- [Attack Surface Reduction](overview-attack-surface-reduction.md)
+
+Updates are released monthly using a gradual release process. This process helps to enable early failure detection to identify problematic results in your unique environment as it occurs and address it quickly before a larger rollout.
+
+> [!NOTE]
+> For more information on how to control daily security intelligence updates, see [Schedule Microsoft Defender Antivirus protection updates](manage-protection-update-schedule-microsoft-defender-antivirus.md). Updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint.
+
+This article provides overview information about deploying Microsoft Defender Antivirus in rings for a gradual rollout process.
+
+## Management tools
+
+To create your own custom gradual rollout process for daily and/or monthly updates, you can use the following methods that use the tools:
+
+- **Microsoft Intune and Microsoft Update** microsoft-intune-and-microsoft-update - Requires direct access to the internet. Microsoft Update (MU), formerly known as Windows Update (WU)
+- **System Center Configuration Manager and Windows Server Update Services** - System Center Configuration Manager (SCCM) Software Update Point (SUP) = SCCM + Windows Server Update Services (WSUS)
+- **Group Policy and Microsoft Update** - Requires direct access to the internet
+- **Group Policy and network share** - For example, UNC path, SMB, CIFS
+- **Group Policy and WSUS**
+
+For details on how to use these tools, see [Create a custom gradual rollout process for Microsoft Defender updates](configure-updates.md).
+
+Customers that prioritize availability over security, should take a crawl, walk, run approach.
+
+## Deployment scenarios
+
+- [Ring deployment using Intune and Microsoft Update](microsoft-defender-antivirus-ring-deployment-intune-microsoft-update.md)
+- [Ring deployment using System Center Configuration Manager and Windows Server Update Services (WSUS)](microsoft-defender-antivirus-ring-deployment-sscm-wsus.md)
+- [Ring deployment using Group Policy and Microsoft Update](microsoft-defender-antivirus-ring-deployment-group-policy-microsoft-update.md)
+- [Ring deployment using Group Policy and network share](microsoft-defender-antivirus-ring-deployment-group-policy-network-share.md)
+- Ring deployment using Group Policy and Windows Server Update Services
+ - [Pilot ring deployment using Group Policy and Windows Server Update Services](microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus.md)
+ - [Production ring deployment using Group Policy and Windows Server Update Services](microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus.md)
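Review bot: The first **Management tools** bullet carries a stray anchor slug ("**Microsoft Intune and Microsoft Update** microsoft-intune-and-microsoft-update - Requires direct access to the internet") that will render as body text; drop it or turn it into a link. "Customers that prioritize availability over security, should take a crawl, walk, run approach." sits alone after the link to configure-updates.md without saying what the stages are, so either tie it to the pilot and production rings or remove it. The intro also says "Deploying Microsoft Defender for Endpoint" while the title and the rest of the article are about Microsoft Defender Antivirus, and the "Ring deployment using Group Policy and Windows Server Update Services" item under **Deployment scenarios** is the only top-level entry without a link.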
security Advanced Hunting Identitydirectoryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | | `IPAddress` | `string` | IP address assigned to the device during communication | | `Port` | `string` | TCP port used during communication |
-| `Location` | `string` | City, country, or other geographic location associated with the event |
+| `Location` | `string` | City, country/region, or other geographic location associated with the event |
| `ISP` | `string` | Internet service provider associated with the IP address | | `ReportId` | `long` | Unique identifier for the event | | `AdditionalFields` | `string` | Additional information about the entity or event |
security Advanced Hunting Identitylogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `DestinationPort` | `string` | Destination port of related network communications | | `TargetDeviceName` | `string` | Fully qualified domain name (FQDN) of the device that the recorded action was applied to | | `TargetAccountDisplayName` | `string` | Display name of the account that the recorded action was applied to |
-| `Location` | `string` | City, country, or other geographic location associated with the event |
+| `Location` | `string` | City, country/region, or other geographic location associated with the event |
| `Isp` | `string` | Internet service provider (ISP) associated with the endpoint IP address | | `ReportId` | `long` | Unique identifier for the event | | `AdditionalFields` | `string` | Additional information about the entity or event |
security Alert Grading Playbook Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-email-forwarding.md
CloudAppEvents
| where ActionType in (action_types) ```
-Run this query to find out if there were any anomalous login events from this user. For example: unknown IPs, new applications, uncommon countries, multiple LogonFailed events.
+Run this query to find out if there were any anomalous login events from this user. For example: unknown IPs, new applications, uncommon countries/regions, multiple LogonFailed events.
```kusto let sender = "{SENDER}"; //Replace {SENDER} with email of the Forwarder
security Compare Rbac Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/compare-rbac-roles.md
Use the tables in the following sections to learn more about how your existing i
|Active remediation actions - Threat and vulnerability management - Application handling|Security posture \ Posture management \ Application handling (manage)| |Vulnerability management ΓÇô Manage security baselines assessment profiles|Security posture \ posture management \ Security baselines assessment (manage)| |Live response capabilities|Security operations \ Basic live response (manage)|
-|Live response capabilities - advanced|Security operations \ Advanced live response (manage)|
+|Live response capabilities - advanced|Security operations \ Advanced live response (manage) </br> Security operations \ Security data \ File collection (manage)|
|Manage security settings in the Security Center|Authorization and settings \ Security setting (All permissions)| |Manage portal system settings|Authorization and settings \ System setting (All permissions)| |Manage endpoint security settings in Microsoft Intune|Not supported - this permission is managed in the Microsoft Intune admin center|
Use this table to learn about the permissions assigned by default for each workl
|AAD role|Microsoft 365 Defender RBAC assigned permissions for all workloads|Microsoft 365 Defender RBAC assigned permissions ΓÇô workload specific| |||||
-|Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Authorization and settings \ Authorization \ (All permissions)</br>Authorization and settings \ Security settings \ (All permissions)</br>Authorization and settings \ System settings \ (All permissions)|_**Defender for Endpoint only permissions**_ </br>Security operations \ Basic live response (manage)</br>Security operations \ Advanced live response (manage)</br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br>Security posture \ Posture management \ Application handling (manage)</br>Security posture \ Posture management \ Security baseline assessment (manage)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Email quarantine (manage)</br>Security operations \ Security data \ Email advanced actions (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)|
+|Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Authorization and settings \ Authorization \ (All permissions)</br>Authorization and settings \ Security settings \ (All permissions)</br>Authorization and settings \ System settings \ (All permissions)|_**Defender for Endpoint only permissions**_ </br>Security operations \ Basic live response (manage)</br>Security operations \ Advanced live response (manage) </br> Security operations \ Security data \ File collection (manage) </br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br>Security posture \ Posture management \ Application handling (manage)</br>Security posture \ Posture management \ Security baseline assessment (manage)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Email quarantine (manage)</br>Security operations \ Security data \ Email advanced actions (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)|
|Security administrator|Same as Global administrator|Same as Global administrator| |Global reader|Security operations \ Security data \ Security data basics (read)|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ Authorization \ (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)| |Security reader|Security operations \ Security data \ Security data basics (read)|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)|
-|Security operator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Authorization and settings \ Security settings \ (All permissions)|_**Defender for Endpoint only permissions**_</br>Security operations \ Security data \ Basic live response (manage)</br>Security operations \ Security data \ Advanced live response (manage)</br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br></br>_**Defender for Office only permissions**_ </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ System settings \ (All permissions)</br></br>_**Defender for Identity only permissions**_ </br>Authorization and settings \ System settings \ (read)|
+|Security operator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Authorization and settings \ Security settings \ (All permissions)|_**Defender for Endpoint only permissions**_</br>Security operations \ Security data \ Basic live response (manage)</br>Security operations \ Security data \ Advanced live response (manage)</br> Security operations \ Security data \ File collection (manage) </br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br></br>_**Defender for Office only permissions**_ </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ System settings \ (All permissions)</br></br>_**Defender for Identity only permissions**_ </br>Authorization and settings \ System settings \ (read)|
|Compliance administrator|not applicable|_**Defender for Office only permissions**_ </br> Security operations \ Security data \ Security data basics (read)</br> Security operations \ Security data \ Alerts (manage)| |Compliance data administrator|not applicable|Same as Compliance administrator| |Billing admin|not applicable|not applicable|
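Review bot: The added "Security operations \ Security data \ File collection (manage)" entry does not match its neighbours in the Global administrator row, where live response is written as "Security operations \ Basic live response (manage)" without the "Security data" level, while the Security operator row does include that level for the same permissions. Confirm the path as it appears in the portal and make the live response and File collection entries consistent across both rows and the permission-mapping table earlier in the file. The spacing around the added `</br>` separators also differs from the rest of each cell.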
security Custom Permissions Details https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-permissions-details.md
Permissions for managing day-to-day operations and responding to incidents and a
|Response|Manage|Take response actions on a device, approve or dismiss pending remediation actions, and manage blocked and allowed lists for automation.| |Basic live response|Manage|Initiate a live response session, download files, and perform read-only actions on devices remotely.| |Advanced live response|Manage|Create live response sessions and perform advanced actions, including uploading files and running scripts on devices remotely.|
+|File collection|Manage|Collect or download relevant files for analysis, including executable files.|
|Email quarantine|Manage|View and release email from quarantine.| |Email advanced actions|Manage|Move or Delete email to the junk email folder, deleted items or inbox, including soft and hard delete of email.|
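Review bot: The new File collection row ("Collect or download relevant files for analysis, including executable files") overlaps with the Basic live response row directly above it, which already lists "download files". State whether downloading during a live response session now requires File collection in addition to the live response permission, so that admins building least-privilege custom roles know which permission gates the download. If the permission is still in preview, say so in the row.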
security Session Cookie Theft Alert https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/session-cookie-theft-alert.md
AADSignInEventsBeta
| where OtherTimestamp > Timestamp and OtherCountry != Country ```
-Use the below query for identifying uncommon countries:
+Use the below query for identifying uncommon countries/regions:
```kusto AADSignInEventsBeta
security Whats New In Microsoft Defender Urbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new-in-microsoft-defender-urbac.md
+
+ Title: What's new in Microsoft 365 Defender Unified role-based access control (RBAC)
+description: See what features are available in the latest release of Microsoft 365 Defender Unified role-based access control (RBAC)
+search.appverid: met150
++++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - tier2
+ Last updated : 8/01/2023++
+# What's new in Microsoft 365 Defender Unified role-based access control (RBAC)
+
+This article provides information about new features and important product updates for the latest release of Microsoft 365 Defender Unified role-based access control (RBAC).
+
+## August 2023
+
+**A new file collection permission in Microsoft 365 Defender Unified (RBAC) is now in Public Preview** </br>
+
+You can now assign a new granular permission in Microsoft 365 Defender Unified (RBAC) that allows users to collect or download files for analysis. This permission enables Microsoft Defender for Endpoint users download files directly from the file page and during a live response investigation in the live response console.
+
+You can add the new permission to a custom role by selecting it from the **Security operations** permissions group when creating the role. For more information, see [Create custom roles with Microsoft 365 Defender RBAC](./create-custom-rbac-roles.md).
+
+For more information on what's new with other Microsoft Defender security products, see:
+
+- [What's new in Microsoft Defender Vulnerability Management](../defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md)
+- [What's new in Microsoft Defender for Endpoint](../defender-endpoint/whats-new-in-microsoft-defender-endpoint.md)
+- [What's new in Microsoft 365 Defender](../defender/whats-new.md)
+- [What's new in Microsoft Defender for Office 365](../office-365-security/defender-for-office-365-whats-new.md)
+- [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new)
+- [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
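Review bot: The sentence "This permission enables Microsoft Defender for Endpoint users download files directly from the file page" is missing "to" before "download". The product name is written "Microsoft 365 Defender Unified (RBAC)" in the bold line and the first paragraph but "Microsoft 365 Defender Unified role-based access control (RBAC)" in the title; use one form throughout. The bold line ending in `</br>` is acting as a heading under "## August 2023" and would be better as a sub-heading or plain text. It would also help to say whether existing roles receive the permission automatically or must have it added to a custom role.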
security Attack Simulation Training Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulations.md
On the **Target users** page, select who receives the simulation. Use the follow
- Select existing City values. If the link is available, select **See all Cities** to see the complete list of available City values. - **Country**: Use the following options:
- - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Country**, you can type part of the Country value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Country**, you can type part of the Country/region value and then press Enter. You can select some or all of the results.
- Select **All Country**
- - Select existing City values. If the link is available, select **See all Countries** to see the complete list of available Country values.
+ - Select existing City values. If the link is available, select **See all Countries** to see the complete list of available Country/region values.
- **Department**: Use the following options: - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
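Review bot: The changed line under **Country** still begins "Select existing City values" and only its tail was updated to "Country/region values", so the copy-paste from the City bullet remains; it should read "Select existing Country/region values". The Search line now mixes "**Search by Country**" with "Country/region value", and "**All Country**" and "**See all Countries**" are unchanged. If those are the literal UI labels, keep them and leave the surrounding prose as the only place that says "Country/region"; otherwise align them.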
security Message Headers Eop Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-headers-eop-mdo.md
The individual fields and values are described in the following table.
|`ARC`|The `ARC` protocol has the following fields: <ul><li>`AAR`: Records the content of the **Authentication-results** header from DMARC.</li><li>`AMS`: Includes cryptographic signatures of the message.</li><li>`AS`: Includes cryptographic signatures of the message headers. This field contains a tag of a chain validation called `"cv="`, which includes the outcome of the chain validation as **none**, **pass**, or **fail**.</li></ul>| |`CAT:`|The category of protection policy, applied to the message: <ul><li>`BULK`: Bulk</li><li>`DIMP`: Domain Impersonation</li><li>`GIMP`: [Mailbox intelligence based impersonation](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`MALW`: Malware</li><li>`PHSH`: Phishing</li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User Impersonation</li><li>`AMP`: Anti-malware</li><li>`SAP`: Safe attachments</li><li>`FTBP`: Anti-malware filetype policy</li><li>`OSPM`: Outbound spam</li><li>`INTOS`: Intra-Org phish action</li></ul> <br/> An inbound message might be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).| |`CIP:[IP address]`|The connecting IP address. You can use this IP address in the IP Allow List or the IP Block List. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).|
-|`CTRY`|The source country as determined by the connecting IP address, which might not be the same as the originating sending IP address.|
+|`CTRY`|The source country/region as determined by the connecting IP address, which might not be the same as the originating sending IP address.|
|`H:[helostring]`|The HELO or EHLO string of the connecting email server.| |`IPV:CAL`|The message skipped spam filtering because the source IP address was in the IP Allow List. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).| |`IPV:NLI`|The IP address wasn't found on any IP reputation list.|
solutions Architecture Icons Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/architecture-icons-templates.md
Microsoft permits the use of these icons in architectural diagrams, training mat
> [!div class="button"] > [Download Visio templates and stencils](https://go.microsoft.com/fwlink/?linkid=2056186)
+### Use the Visio templates and stencils
+
+Download the template and stencils and save them to your computer in the **My Shapes** folder.
+
+When you do that, you can choose **File** > **New** in Visio and the templates will be on the **Templates** tab, available for use. The stencils should open with the template. If they do not open automatically, you can open the Shapes window and choose **More Shapes** > **My Shapes** > **Organize My Shapes** to open them.
+
+For more information, see [Import downloaded stencils](https://support.microsoft.com/office/import-downloaded-stencils-74bbdce1-4872-4d5b-af4c-e93fa23f7008).
++ ## Example architecture diagrams You can use these icons and templates to create diagrams like the following examples:
solutions Data Privacy Protection Protect Govern https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/data-privacy-protection-protect-govern.md
f1.keywords: - NOCSH Previously updated : 02/06/2023 Last updated : 08/01/2023 audience: ITPro
When you know what personal data you have, where it is, and your regulatory requ
|Govern your Microsoft 365 data for compliance or regulatory requirements| Information governance controls can be employed in your environment to help address data privacy compliance needs, including a number that are specific to General Data Protection Regulation (GDPR), HIPAA-HITECH (the United States health care privacy act), California Consumer Protection Act (CCPA), and the Brazil Data Protection Act (LGPD). Microsoft Purview Data Lifecycle Management and Microsoft Purview Records Management provide these controls in the form of retention policies, retention labels, and records management capabilities. | [Learn how to deploy a data governance solution with Microsoft Purview](../compliance/data-governance-solution.md)| |Set up secure storage of personal data in Microsoft Teams.| If you plan to store highly sensitive personal data in Teams, you can configure a private team and use a sensitivity label that's specifically configured to secure access to the team and files within it.| [Learn more about configuring a team with security isolation](secure-teams-security-isolation.md)| |Empower users to spot potential risks and fix issues.| Create data handling policies in Priva Privacy Risk Management so that your users can immediately identify risks in the data they create and manage.<p><p>Notification emails alert users when they transfer items with personal data within our outside of the organization, make content too broadly accessible, or hold onto personal data for too long. The notifications prompt users to take immediate remediation steps to secure personal data, and contain links to your organization's preferred privacy training.| [Learn more about Privacy Risk Management](/privacy/priva/risk-management)<br><br>[Create a policy to prevent data transfers, overexposure, or hoarding](/privacy/priva/risk-management-policies)<br><br>[Set up notifications for users to fix issues with content they handle](/privacy/priva/risk-management-notifications)|
-|Use records management for high-value items that must be managed for business, legal, or regulatory record-keeping requirements.| A records management system is a solution for organizations to manage regulatory, legal, and business-critical records.<p><p>Microsoft Purview Records Management helps an organization manage their legal obligations, provides the ability to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be retained, no longer of value, or no longer required for business purposes.| [Learn more about sensitivity labels](../compliance/sensitivity-labels.md)|
+|Use records management for high-value items that must be managed for business, legal, or regulatory record-keeping requirements.| A records management system is a solution for organizations to manage regulatory, legal, and business-critical records.<p><p>Microsoft Purview Records Management helps an organization manage their legal obligations, provides the ability to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be retained, no longer of value, or no longer required for business purposes.| [Learn more about records management](/purview/records-management)|
## Setting up your strategy for success
syntex Content Processing Content Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-processing-content-type.md
+
+ Title: Create a rule to set a content type when a file is added to a document library in Microsoft Syntex
++++ Last updated : 08/01/2023
+audience: admin
++
+search.appverid:
+
+ - enabler-strategic
+ - m365initiative-syntex
+ms.localizationpriority: medium
+
+description: Learn how to create a rule to set a content type when a file is added to a SharePoint document library in Microsoft Syntex.
++
+# Create a rule to set a content type when a file is added to a document library in Microsoft Syntex
+
+In Microsoft Syntex, you can create a rule to automatically set the content type for a file when it's added to a document library.
+
+## Set a content type
+
+To set a content type when a file is added to a document library, follow these steps.
+
+1. In the document library, select **Automate** > **Rules** > **Create a rule**.
+
+ ![Screenshot of the document library showing the Automate > Rules > Create a rule option.](../media/content-understanding/content-processing-create-rule.png)
+
+2. On the **Create a rule** page, select a condition that triggers the rule and the action that the rule will take. In this case, select **A new file is added**.
+
+ ![Screenshot of the Create a rule page showing the A new file is added option highlighted.](../media/content-understanding/content-processing-create-a-rule-page.png)
+
+ Your selection here creates a rule statement that you'll complete in the next step.
+
+3. To complete the rule statement, under **When a new file is added**:
+
+ 1. Select **Choose action**, and then select **set content type to**.
+
+ ![Screenshot of the rule statement page showing the choose action option highlighted.](../media/content-understanding/content-rule-set-content-site-to.png)
+
+ 2. Select **Choose a content type**, and then select the appropriate [content type](/sharepoint/governance/content-type-and-workflow-planning#content-type-overview) for the file. The content types shown in this list are the ones available in the library.
+
+ ![Screenshot of the rule statement page showing the statement options.](../media/content-understanding/content-rule-statement-options.png)
++
+ 3. Select **Choose file property**, and then select the appropriate property for the file.
+
+ 4. Select **Choose a condition**, and then select the appropriate condition.
+
+ 5. In the **Enter a value** field, enter the appropriate value. The value can be a specific keyword or text string you want to find in the file property.
+
+ ![Screenshot of the rule statement page showing the completed statement.](../media/content-understanding/content-rule-completed-statement.png)
+
+4. When your rule statement is complete, select **Create**. You can [see and manage the new rule](content-processing-overview.md#manage-a-rule) on the **Manage rules** page.
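Review bot: Sub-steps 3 to 5 of step 3 build a condition (file property, condition, value), but the article never says that the content type is set only when that condition matches, and "The value can be a specific keyword or text string" does not say whether the match is exact, a substring match, or case-sensitive. Add one sentence after sub-step 5 that states the resulting rule in words and how the value is compared. Also confirm the image name `content-rule-set-content-site-to.png` in sub-step 1 is intended, since the step is about "set content type to".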
syntex Content Processing Create Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-processing-create-rules.md
To move or copy a file from one document library to another, follow these steps.
When you select **Choose a library**, you can either select from the list of suggested libraries or enter the name of another library. > [!NOTE]
- > If you try to set up a rule to move or copy a file to a library that already has a move or copy rule applied, you'll receive a message saying that you need to disable all move or copy rules on the destination library. To disable a rule, see [Manage a rule](#manage-a-rule).<br>
+ > If you try to set up a rule to move or copy a file to a library that already has a move or copy rule applied, you'll receive a message saying that you need to disable all move or copy rules on the destination library. To disable a rule, see [Manage a rule](content-processing-overview.md#manage-a-rule).<br>
>![Screenshot of the rule statement page with the message stating that the library already has a rule applied.](../media/content-understanding/content-rule-disable-rules.png)
-4. When your rule statement is complete, select **Create**. You'll see the new rule on the **Manage rules** page.
-
-## Manage a rule
-
-1. In the document library, select **Automate** > **Rules** > **Manage rules**.
-
- ![Screenshot of the document library showing the Automate > Rules > Manage rules option.](../media/content-understanding/content-processing-manage-rule.png)
-
-2. On the **Manage rules** page, you can see the rules that have been applied. You can turn on or off a rule or [create a new rule](#create-a-rule-to-move-or-copy-a-file-from-one-document-library-to-another-in-microsoft-syntex) to automate actions on a specific document library.
-
- ![Screenshot of the Manage rules page showing the rule and actions.](../media/content-understanding/content-processing-manage-rules-page.png)
+ 4. When your rule statement is complete, select **Create**. You can [see and manage the new rule](content-processing-overview.md#manage-a-rule) on the **Manage rules** page.
## View the activity feed of a document library
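Review bot: Removing the `## Manage a rule` heading from this article also removes the `#manage-a-rule` anchor on this page. The hunk repoints the one in-page reference in the note to `content-processing-overview.md#manage-a-rule`, but any other article that links to the old anchor will now land at the top of the page, so check inbound links before merging. The replacement step is also added as ` 4.` with leading indentation where the removed line was `4.` at the margin. If that indentation is in the source, the step will nest under the note above instead of continuing the numbered list.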
syntex Content Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-processing-overview.md
For example, you can create a rule to move files tagged with a specific customer
> [!NOTE] > This feature is available only for users who are licensed for Syntex.
-## See also
+## Manage a rule
-[Create a rule to move or copy a file from one document library to another](content-processing-create-rules.md)
+1. In the document library, select **Automate** > **Rules** > **Manage rules**.
+
+ ![Screenshot of the document library showing the Automate > Rules > Manage rules option.](../media/content-understanding/content-processing-manage-rule.png)
+
+2. On the **Manage rules** page, you can see the rules that have been applied. You can turn on or off a rule or create a new rule to automate actions on a specific document library.
+
+ ![Screenshot of the Manage rules page showing the rule and actions.](../media/content-understanding/content-processing-manage-rules-page.png)
+<!
+## Syntex processing rules
+
+[Create a rule to move or copy a file from one document library to another](content-processing-create-rules.md)
+
+[Create a rule to set a content type when a file is added to a document library](content-processing-content-type.md)>
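Review bot: The new "Syntex processing rules" block appears to be wrapped in a comment (`<!` ... `>`), and step 2 of the moved "Manage a rule" section now says "create a new rule" with no link. With the old "See also" section removed, the overview has no visible path to either rule article. Either publish the two links or keep a link on "create a new rule". If the block is meant to stay hidden until the content-type article ships, say so in the commit message.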
syntex Skos Format Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/skos-format-reference.md
Title: SKOS format reference for SharePoint taxonomy
Previously updated : 05/14/2022 Last updated : 10/14/2022 audience: admin
ex:TermSetA a sharepoint-taxonomy:TermSet;
sharepoint-taxonomy:hasTopLevelTerm Ex:Term A. ```
-[TermSets](/dotnet/api/microsoft.sharepoint.client.taxonomy.termset) are logically grouped together in [TermGroups](/dotnet/api/microsoft.sharepoint.client.taxonomy.group). The required field for defining a [TermSet](/dotnet/api/microsoft.sharepoint.client.taxonomy.termset) is:
+[TermSets](/dotnet/api/microsoft.sharepoint.client.taxonomy.termset) are logically grouped together in [TermGroups](/dotnet/api/microsoft.sharepoint.client.taxonomy.termgroup). The required field for defining a [TermSet](/dotnet/api/microsoft.sharepoint.client.taxonomy.termset) is:
- sharepoint-taxonomy: termSetName
-If the termSetName provided isn't unique within the [TermGroup](/dotnet/api/microsoft.sharepoint.client.taxonomy.group), SharePoint appends a number at the end of the name to maintain the uniqueness of termSetName(s).
+If the termSetName provided isn't unique within the [TermGroup](/dotnet/api/microsoft.sharepoint.client.taxonomy.termgroup), SharePoint appends a number at the end of the name to maintain the uniqueness of termSetName(s).
**sharepoint-taxonomy:hasTopLevelTerm**
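Review bot: The unchanged example just above the first changed line ends with `sharepoint-taxonomy:hasTopLevelTerm Ex:Term A.`, which capitalises the prefix and puts a space inside the term name, unlike `ex:TermSetA` on the line before it. Since this commit is already correcting references in this section, fix the example to use the `ex:` prefix and a term name without a space so that readers who copy it get valid input.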
syntex Syntex Licensing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-licensing.md
The following tasks require a [Syntex per-user license](https://www.microsoft.co
- Use of annotations to add notes and comments - Use of premium taxonomy services. (Premium taxonomy services comprise SKOS-based term set import, pushing enterprise content types to hub-associated sites, and term store reports.) - Use the document library rules to move or copy content
+- Merge and extract PDFs in OneDrive for Android and iOS
Unlicensed users can be granted access to a content center and can create models there, but can't apply them to a document library.
syntex Trial Syntex https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/trial-syntex.md
description: Learn how to plan, sign up, and run a trial pilot program for Micro
# Run a trial of Microsoft Syntex > [!NOTE]
-> This article will describe how to set up and run a trial pilot program to deploy Microsoft Syntex in your organization. It is currently being updated for pay-as-you-go trials. Per-user trials are no longer available.
+> This article is currently being updated for pay-as-you-go trials. The article will describe how to set up and run a trial pilot program to deploy Microsoft Syntex in your organization. Per-user trials are no longer available.
<! This article describes how to set up and run a trial pilot program to deploy Microsoft Syntex in your organization. It also recommends best practices for the trial.
test-base Contentguideline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/contentguideline.md
Validation is necessary to properly diagnose where errors occur during a test ru
> [!IMPORTANT] > **Avoid the following:**
-> Scripts should not reboot the machine, if a reboot is necessary please specify this during the upload of your scripts.
+> - Scripts should not reboot the machine, if a reboot is necessary please specify this during the upload of your scripts.
+> - Do not modify the DNS Suffix Search List in Windows IP Configuration.
> [!IMPORTANT] > The maximum disc space available is 127 Gb. Packages that consume more than this amount of space will not be executed. > [!IMPORTANT]
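Review bot: The new bullet "Do not modify the DNS Suffix Search List in Windows IP Configuration" states a restriction with no reason and no consequence, so a script author cannot tell whether a violation fails the test run, breaks name resolution on the VM, or is silently reverted. Add a clause saying what depends on the suffix list. The first bullet is also a comma splice ("...reboot the machine, if a reboot is necessary...") and would read better as two sentences now that it is a list item.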
test-base Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/overview.md
f1.keywords: NOCSH
# What is Test Base for Microsoft 365?
-Test Base is an Azure service that enables data-driven application testing while providing user access to intelligent testing from anywhere in the world.
+Test Base is an Azure service that enables data-driven application testing for users anywhere in the world.
-The following entities are encouraged to onboard their applications, binaries, and test scripts onto the Test Base for Microsoft 365 service: Independent Software Vendors (ISVs), System Integrators (SIs) to validate their applications and IT Professionals who want to validate their line-of-business (LOB) applications through integration with Microsoft Intune.
+The following institutions are best fit to onboard their applications, binaries, and test scripts to Test Base for Microsoft 365: Enterprise/Businesses, Independent Software Publishers, System Integrators (SIs), and IT Professionals who want to validate their line-of-business (LOB) applications through integration with Microsoft Intune.
## Why test your application with Test Base?
-The Test Base for Microsoft 365 service can accommodate the expansion of your testing matrix as necessary so you will have confidence in the integrity, compatibility, and usability of your applications.
+The Test Base for Microsoft 365 service can accommodate your expanding testing matrix, ensuring continuous confidence in the integrity, compatibility, and usability of your applications.
-Test Base enables your application to continue working as expected even as platform dependencies vary, and new updates are applied by the Windows update service. With Test Base, you can avoid the aggravation, protracted time commitments, and the expense of setting up and maintaining a complex lab environment for testing your applications.
+Test Base ensures that your applications continue working as expected, even when platform dependencies vary, or when the Windows update service applies new Windows updates. With Test Base, you can avoid the aggravation, protracted time commitments, and expenses of setting up and maintaining a complex lab environment for testing your applications.
-In addition, you can automatically test compatibility against security and feature updates for Windows by using secure virtual machines (VMs) while also obtaining access to world-class intelligence for testing your applications. You can also get your apps tested for compatibility against pre-release windows security updates by submitting a request to get the access.
+In addition, you can automatically test your applicationsΓÇÖ compatibility against security and feature updates for Windows by using secure virtual machines (VMs). Doing so allows you to obtain access to world-class intelligence for testing your applications. You can also test your apps compatibility with prerelease Windows security updates ΓÇö submit a request to get access.
## How does Test Base work? To sign up for the Test Base service, see [Create a new Test Base account](createAccount.md).
-After a customer has enrolled in the Test Base service, it is a simple matter to begin uploading application packages for testing.
+After a customer has enrolled in the Test Base service, itΓÇÖs easy to begin uploading application packages for testing.
-Following a successful upload, packages are tested against Windows pre-release updates.
+Following a successful upload, packages are tested against Windows prerelease updates.
-After initial tests are successfully completed, the customer can do a deep dive with insights on performance and regression analysis to detect whether pre-release content updates have degraded application performance in any way.
+After initial tests are successfully completed, the customer can do a deep dive with insights on performance and regression analysis to detect whether prerelease updates degraded application performance in any way.
-However, if the package failed any test, then the customer can also leverage Insights from memory or CPU regressions to remediate the failure and then update the package as necessary.
-
-With Test Base, the customer can use a single location to manage all packages being tested, which can also facilitate uploading and updating packages to generate new application versions as needed.
+However, if the package fails any test, customers can use insights from memory or CPU regressions to remediate the failure and update the package as necessary to rerun.
> [!NOTE]
-> **So that customers can take advantage of pre-release update content, they must specifically request access to it. Once your request for access to pre-release updates is approved, your uploaded packages will automatically get scheduled to be tested against the pre-release Windows updates for the OS versions selected during onboarding**.
+> **For customers to take advantage of prerelease update testing, they must specifically request access to it. Once your request for access to prerelease updates is approved, your uploaded packages will automatically get scheduled to be tested against prerelease Windows updates for the OS versions selected during package uploading.**.
-Then, as new Windows pre-release updates become available, application packages are automatically tested with new pre-release content. Thereafter, an additional round of insights may be required. If customers do not specifically request access, then application packages will be tested against only the current released version of Windows.
+As new Windows prerelease updates become available, existing application packages are automatically tested with the new prerelease content. Following each test, another round of insights is provided. If customers donΓÇÖt specifically request access to prerelease testing, their application packages are tested against only the current released version of Windows.
-After packages are successfully tested, customers can deliver them to their software customers and end users with confidence and the assurance that Test Base did its job.
+After packages are successfully tested, customers can resolve any issues found during testing and deliver their applications to their end users with the assurance that Test Base did its job.
## Next steps
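Review bot: Several added lines use typographic apostrophes and a dash that show up here as "ΓÇÖ" and "ΓÇö" ("applicationsΓÇÖ compatibility", "itΓÇÖs easy", "donΓÇÖt specifically"). Replace them with plain ASCII punctuation as used elsewhere in these docs, and add the missing possessive in "test your apps compatibility". In the rewritten note, the bold text ends with `uploading.**.`, which leaves a stray period after the closing markers. The new last paragraph says customers can "resolve any issues found during testing" after packages are "successfully tested", which contradicts itself. Say either that testing completed or that issues were found. The removed paragraph about managing all packages from a single location has no replacement, so confirm that the drop is intended.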
test-base Prepare Testbase Vhd File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/prepare-testbase-vhd-file.md
+
+ Title: 'How to prepare a Windows VHD for Test Base'
+description: The guidance of how to prepare a Windows VHD for Test Base
+search.appverid: MET150
+++
+audience: Software-Vendor
+ Last updated : 07/27/2023+
+ms.localizationpriority: medium
+++
+f1.keywords: NOCSH
+
+# How to prepare a Windows VHD for Test Base
+
+Before you upload a Windows virtual machine (VM) from on-premises to Test Base, you need to prepare the virtual hard disk (VHD) first.
+Test Base only supports generation 2 VMs that use the VHD file format and have a fixed-size disk.
+The maximum size for the OS VHD on a generation 2 VM is 128 GiB on Test Base.
+
+Test Base supports these Windows versions:
+
+- Windows 10 21H2 or later
+- Windows 11 21H2 or later
+- Windows Server 2016 or later
+
+You can convert a VHDX file to VHD, or convert a dynamically expanding disk to a fixed-size disk, but you cannot change the generation of a VM. You need to enable Hyper-V features on the host for VHD related operations.
+
+You cannot shrink the physical size of a VHD. If the total size of the volumes in the VHD exceeds the maximum OS VHD size (128 GiB) on Test Base, you need to recreate the VM in a smaller VHD or shrink the volumes in the VM before converting it to VHD.
+
+You need to follow the configuration steps below to make sure that the VM VHD is compatible with Test Base.
+
+## Step 1. Run the *AzureConfig.ps1* script for easy configuration
+
+To make the configuration steps easier we prepared a configuration script, you can download **[AzureConfig.ps1](https://github.com/microsoft/testbase/blob/main/CustomImage/AzureConfig.ps1)** and run the script as an administrator in PowerShell on the VM. You may need to configure PowerShell execution policy before running the script. Run `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser` to bypass signing checks for the current user.
+
+After the script finishes, restart the computer.
+The **ChkDsk** will run during the system boot. Make sure the report shows a clean and healthy disk.
+The **Step-SetLocalPolicy** will set the local policy to disable the legal notice and allow storage of password and credentials for network authentication.
+
+## Step 2. Install Windows updates
+
+To prevent an accidental reboot during the VM provisioning, it is recommended to install all Windows updates and restart the VM before migrating it to Test Base.
+
+If you also need to generalize the OS (Sysprep), you need to update Windows and restart the VM before running the Sysprep command.
+
+## Step 3. Decide when to use Sysprep
+
+System Preparation Tool (`sysprep.exe`) is a process that resets a Windows installation.
+Sysprep removes all personal data and resets several components.
+
+You usually run `sysprep.exe` to create a template that you can use to deploy several other VMs with a specific configuration.
+The template is called a *generalized image*.
+
+If you want to create only one VM from one disk, you do not need to use Sysprep.
+You can create the VM from a *specialized image* instead.
+
+Note that Sysprep requires the drives to be fully decrypted before running.
+If you have enabled encryption on the VM, disable it before running Sysprep. The `AzureConfig.ps1` script should disable BitLocker for all volumes.
+
+### Generalize a VHD
+
+Follow these steps to generalize a VM VHD. After these steps, turn off the VM and do not turn it back on until you finish uploading the VHD.
+
+1. Sign in to the Windows VM.
+1. Run PowerShell as an administrator.
+1. Delete the panther directory (`C:\Windows\Panther`).
+1. Change the directory to `$env:windir\System32\sysprep`. Then run `sysprep.exe`.
+1. In the **System Preparation Tool** dialog box, select **Enter System Out-of-Box Experience (OOBE)** and check **Generalize**.
+
+ ![System Preparation Tool](Media/vhd-sysprep.png)
+
+1. In **Shutdown Options**, select **Shutdown**.
+1. Select **OK**.
+1. When Sysprep finishes, shut down the VM. If the generalization succeeds, the VM will be shut down automatically. Do not use **Restart** to shut down the VM.
+
+You can also use the following PowerShell script to generalize the VM VHD. Run the script as an administrator in PowerShell.
+
+```powershell
+Remove-Item "$($env:windir)\Panther" -Recurse -Force
+
+Push-Location "$($env:windir)\System32\sysprep"
+
+.\sysprep.exe /generalize /shutdown /oobe
+
+Pop-Location
+```
+
+The VHD is now generalized.
+
+### Install Azure Virtual Machine Agent for *specialized image*
+
+To create a VM from a *specialized image*, you need to install the `Azure Virtual Machine Agent` on the VM.
+
+Install the [Azure Virtual Machine Agent](https://go.microsoft.com/fwlink/?LinkID=394789) on the VM. Then you can enable VM extensions after the agent installation.
+The VM extensions provide most of the critical functionality that Test Base needs.
+
+You can also install the agent by running this PowerShell script as an administrator.
+
+```powershell
+$installerName = "WindowsAzureVmAgent.msi"
+$installerPath = "$PWD\$installerName"
+if (Test-Path $installerPath) {
+ Remove-Item $installerPath -Force
+}
+
+$installerDownloadLink = "https://go.microsoft.com/fwlink/?LinkID=394789"
+Invoke-WebRequest -Uri $installerDownloadLink -OutFile $installerPath
+
+$logPath = "$PWD\$installerName.log"
+Start-Process "msiexec.exe" -ArgumentList "/i `"$installerPath`" /qn /L*v `"$logPath`"" -PassThru -Wait
+```
+
+## Step 4. Convert and resize the virtual disk to a fixed size VHD
+
+Use this method to convert and resize the virtual disk for Test Base:
+
+1. Back up the VM before you start the conversion or resize process.
+1. Make sure that the Windows VHD works correctly on the local server. Fix any errors in the VM before you try to convert or upload it to Test Base.
+1. Convert the virtual disk type to `Fixed`.
+1. Resize the virtual disk to meet Test Base requirements:
+
+ 1. Disks in Azure must have a virtual size aligned to 1 MiB. If the VHD is not a multiple of 1 MiB, you need to resize the disk. Disks that are not multiples of 1 MiB cause errors when you create images from the uploaded VHD. Use the PowerShell `Get-VHD` cmdlet to show "Size", which must be a multiple of 1 MiB in Azure, and "FileSize", which will be equal to "Size" plus 512 bytes for the VHD footer.
+
+ ```powershell
+ $vhd = Get-VHD -Path C:\Test\TestBaseVM.vhd
+ $vhd.Size % 1MB
+ 0
+ $vhd.FileSize - $vhd.Size
+ 512
+ ```
+
+ 2. The maximum size for the OS VHD on Test Base is 128 GiB.
+
+### Use PowerShell to convert and resize the disk
+
+You can use the `Convert-VHD` and `Resize-VHD` PowerShell cmdlets to convert the virtual disk on the VM host for Test Base. Run this PowerShell script as an administrator. Replace `<PathToVHD>` with the path to the VHD that you want to upload.
+
+```powershell
+$vhdFilePath = "<PathToVHD>"
+$vhdFileItem = Get-Item $vhdFilePath
+$fixedSizeVHDFilePath = $vhdFileItem.Directory.FullName + "\" + $vhdFileItem.BaseName + '-Fixed.vhd'
+
+Convert-VHD -Path $vhdFilePath -DestinationPath $fixedSizeVHDFilePath -VHDType Fixed
+
+$fixedSizeVHD = Get-VHD -Path $fixedSizeVHDFilePath
+if ((($fixedSizeVHD.Size % 1MB) -ne 0) -or (($fixedSizeVHD.FileSize - $fixedSizeVHD.Size) -ne 512)) {
+ $originalSize = $fixedSizeVHD.Size
+ [UInt64]$originalMB = $originalSize / 1MB
+ $resizedBytes = ($originalMB + 1) * 1024 * 1024
+ Resize-VHD -Path $fixedSizeVHDFilePath -SizeBytes $resizedBytes
+}
+```
+
+After the script finishes, you will see a new VHD file with `-Fixed` at the end of its name in the same folder as the original VHD file.
+The new VHD file is converted and resized to be compatible with Test Base. It is a `Fixed` VHD type and has a size of 1 MiB alignment.
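Review bot: In Step 1, `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser` writes the bypass to the user's settings, so it stays in effect after the script finishes and can remain in the VM that gets uploaded. Suggest `-Scope Process` so the bypass ends with the PowerShell session. Step 1 should also say up front that the script lowers the VM's security posture (Step-SetLocalPolicy removes the legal notice and allows stored network credentials, and Step 3 says the script disables BitLocker on all volumes), so that readers run it only on a VM built for testing. In the agent install script, the MSI is downloaded and installed silently with no signature check, and the result of `Start-Process ... -PassThru -Wait` is never inspected. Check `Get-AuthenticodeSignature` on the file before installing and the process exit code afterwards. In the resize script, `[UInt64]$originalMB = $originalSize / 1MB` rounds to nearest rather than down, so adding 1 can grow the disk past the next 1 MiB boundary, and nothing rechecks the 128 GiB limit after `Resize-VHD`. The `Get-VHD` sample in Step 4 also mixes commands and their output (`0`, `512`) in one block without marking which is which.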
whiteboard Manage Data Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-data-organizations.md
In order to manage data, you must first ensure that Whiteboard is enabled for yo
> [!NOTE] > The following information applies to whiteboards that are stored in Azure.
-Whiteboard currently stores content securely in Azure. Data might be stored in different locations, depending on the country and when Whiteboard switched to storing new content in those locations. To check where new data is created, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
+Whiteboard currently stores content securely in Azure. Data might be stored in different locations, depending on the country/region and when Whiteboard switched to storing new content in those locations. To check where new data is created, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
Content in Azure doesn't support Data Loss Prevention (DLP), eDiscovery, retention policies, and similar features. This content can be managed using [Whiteboard PowerShell cmdlets](/powershell/module/whiteboard/). Eventually, whiteboards stored in Azure will need to be migrated to OneDrive for Business or deleted.