Microsoft Defender for Endpoint supports gradual rollout of all update types – Security Intelligence Updates, Engine Updates, and also Platform Updates.

Types of components that are updated in Microsoft Defender for Endpoint
The three components mentioned above serve different purposes and can have different update policies. Before configuring the rollout policy for each of them, let's take a closer look at the components of Microsoft Defender for Endpoint that are updated regularly.
Security Intelligence Updates
Security Intelligence Updates (signature updates) are normally released several times a day. They contain new and updated malware detections covering the latest threats and continuously tune detection logic, improving the ability of Microsoft Defender Antivirus to identify threats accurately.
Engine Updates
Engine Updates are normally delivered monthly. They contain improvements to the antimalware scanning engine used by Microsoft Defender Antivirus, the antivirus component of Microsoft Defender for Endpoint.
Platform Updates
Platform Updates are also delivered monthly. They deliver new versions of the antimalware platform itself (the Microsoft Defender Antivirus client and service) and may contain new features. Because they replace the running product binaries, a defective platform update has the widest potential impact, which is the main reason to stage these updates.
How to manage Microsoft Defender for Endpoint updates
Microsoft Defender for Endpoint update channels can be managed via Group Policy, Microsoft Intune, or locally with PowerShell (Set-MpPreference). I will focus on update management via Microsoft Intune, but the same settings are also available in Group Policy.
In the Microsoft Intune admin center, go to Endpoint Security – Antivirus and create a new policy here.

Select Windows 10, Windows 11, and Windows Server as the platform and Defender Update Controls as the profile.

Give the policy a name. On the Configuration settings page, choose the desired update rollout channel for each of the three components.
If you leave a setting at Not configured, this profile does not manage that setting at all: Intune writes no value, and the device keeps whatever value it already has, whether that came from an earlier policy, a local Set-MpPreference call, or nothing. A device that has never had a channel set still stays up to date automatically during Microsoft's gradual release cycle, so it is not excluded from gradual rollout. The practical problem is that you neither control nor can prove which ring a given device lands in, and a stale value set elsewhere is never reset. Leaving this unmanaged is not recommended, because a problem in an update will then hit whatever unplanned mix of devices happens to be early in the rollout.

If you select Not configured (Default), Intune explicitly writes the default value: devices stay up to date automatically during the gradual release cycle, with Microsoft pacing the rollout. Devices are spread across the early and later stages of the rollout, but you cannot control which devices land in which stage. The resulting behaviour matches a device with no update channel set at all, except that the value is now enforced by the policy and overrides anything configured earlier.

It is important to tell Not configured and Not configured (Default) apart. They look almost identical at first glance, but the first leaves the setting unmanaged while the second actively enforces the default, see the previous two paragraphs. Neither gives you control over which devices update first; for that, assign an explicit channel.
The remaining options are the explicit channels and are self-descriptive, with one caveat: the Security Intelligence Updates channel offers only Staged, Broad, and Critical – Time delay, because signature updates are not released to Beta or Preview rings. Beta and Preview exist only for Engine and Platform updates.
How to split devices between the update channels
The Beta Channel is for test devices only. No production devices belong in it.
The Preview Channel should hold about 10% of production client devices, preferably those used by experienced or at least knowledgeable users from whom you can get feedback in case of unexpected problems. Production servers don't usually belong here; pre-production servers do.
The Staged Channel is where most installations should be: the remaining 90% of client machines and most regular servers. This should be your main update channel.
The Broad Channel is usually reserved for core infrastructure servers, and possibly for user devices that cannot tolerate any disruption. It is not normally used for ordinary user devices.
The last channel is Critical – Time delay. Updates, including security intelligence updates, arrive with a 48-hour delay, so a device in this channel runs up to two days behind on detections. That makes it unsuitable for conventional internet-connected devices; it is meant only for specific mission-critical systems where a bad update would cost more than delayed protection.
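As an added example (not part of the original post, and not Microsoft's code), here is the same channel split applied locally with the built-in Defender PowerShell module, which is useful for lab devices and for verifying what an Intune profile actually delivered to a device. The role names, the role-to-channel mapping, and the helper function names are this example's own convention; the channel values are the ones Set-MpPreference accepts, and the numeric codes are the ones documented for the Defender CSP. On a device managed by Intune or Group Policy the policy overrides local preferences, so there only the Get- and Test- functions are meaningful.

```powershell
#Requires -RunAsAdministrator
# Added example for this post (not Microsoft's or the author's code). Assumes the built-in
# Defender module cmdlets Get-MpPreference, Set-MpPreference and Get-MpComputerStatus.
# Role names and the role-to-channel mapping are this example's own convention and mirror
# the split recommended above. Intune/Group Policy values override local preferences.

# Channel names accepted by Set-MpPreference and the numeric codes Get-MpPreference may
# report for them (codes as documented for the Defender CSP; code 1 is unused).
$ChannelCode = @{ NotConfigured = 0; Beta = 2; Preview = 3; Staged = 4; Broad = 5; Delayed = 6 }

# Security intelligence has no Beta/Preview ring, so test and pilot devices get Staged there.
$ChannelPlan = @{
    test      = @{ Platform = 'Beta';    Engine = 'Beta';    Definitions = 'Staged'  }
    pilot     = @{ Platform = 'Preview'; Engine = 'Preview'; Definitions = 'Staged'  }
    standard  = @{ Platform = 'Staged';  Engine = 'Staged';  Definitions = 'Staged'  }
    coreinfra = @{ Platform = 'Broad';   Engine = 'Broad';   Definitions = 'Broad'   }
    critical  = @{ Platform = 'Delayed'; Engine = 'Delayed'; Definitions = 'Delayed' }
}

function Set-DefenderUpdateRing {
    # Apply the channels for a role. Supports -WhatIf so the plan can be reviewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('test', 'pilot', 'standard', 'coreinfra', 'critical')]
        [string]$Role
    )
    $plan = $ChannelPlan[$Role]
    $target = "$env:COMPUTERNAME (platform=$($plan.Platform), engine=$($plan.Engine), definitions=$($plan.Definitions))"
    if ($PSCmdlet.ShouldProcess($target, "Set Defender update channels for role '$Role'")) {
        Set-MpPreference -PlatformUpdatesChannel   $plan.Platform `
                         -EngineUpdatesChannel     $plan.Engine `
                         -DefinitionUpdatesChannel $plan.Definitions
    }
}

function Get-DefenderUpdateRing {
    # Effective channels plus the versions actually running, as a per-device report.
    # Get-MpPreference reflects policy-applied values too, so run this after assigning
    # the Intune profile to confirm what the device really received.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        PlatformChannel   = $pref.PlatformUpdatesChannel
        EngineChannel     = $pref.EngineUpdatesChannel
        DefinitionChannel = $pref.DefinitionUpdatesChannel
        PlatformVersion   = $status.AMProductVersion
        EngineVersion     = $status.AMEngineVersion
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureUpdated  = $status.AntivirusSignatureLastUpdated
    }
}

function Test-DefenderUpdateRing {
    # Compare the effective channels with the role the device is supposed to be in.
    # Emits one object per mismatching component; no output means the device is compliant.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('test', 'pilot', 'standard', 'coreinfra', 'critical')]
        [string]$Role
    )
    $plan = $ChannelPlan[$Role]
    $pref = Get-MpPreference
    $actual = @{
        Platform    = $pref.PlatformUpdatesChannel
        Engine      = $pref.EngineUpdatesChannel
        Definitions = $pref.DefinitionUpdatesChannel
    }
    foreach ($component in $plan.Keys) {
        $want = $plan[$component]
        # Accept either the enum name or its numeric code, whichever this build reports.
        if ("$($actual[$component])" -notin @($want, "$($ChannelCode[$want])")) {
            [pscustomobject]@{ Component = $component; Expected = $want; Actual = $actual[$component] }
        }
    }
}

# Usage: review the plan, apply it, then verify the device ended up where intended.
Set-DefenderUpdateRing -Role pilot -WhatIf
Set-DefenderUpdateRing -Role pilot
Get-DefenderUpdateRing | Format-List
Test-DefenderUpdateRing -Role pilot
```

Test-DefenderUpdateRing is the piece worth keeping in a compliance script: run it against the role each device is supposed to have and you get a direct answer to the question the Not configured / Not configured (Default) discussion raises, namely which ring a device is actually in, rather than which ring you assumed the profile put it in.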

