Edit

Manage event-based forced updates

  • Article

Applies to:

Platforms

  • Windows

Microsoft Defender Antivirus allows you to determine if updates should (or shouldn't) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.

Check for protection updates before running a scan

You can use Microsoft Defender for Endpoint Security Settings Management, Microsoft Intune, Microsoft Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan.

Use Microsoft Defender for Endpoint Security Settings Management to check for protection updates before running a scan

  1. On your Microsoft Defender for Endpoint console (https://security.microsoft.com), go to Endpoints > Configuration management > Endpoint security policies > Create new policy.

    • In the Platform list, select Windows 10, Windows 11, and Windows Server.
    • In the Select Templates list, select Microsoft Defender Antivirus.

  2. Fill in the name and description, and then select Next>

  3. Go to the Scheduled scans section and set Check For Signatures Before Running Scan to Enabled.

  4. Deploy the updated policy as usual.

Use Microsoft Intune to check for protection updates before running a scan

  1. In the Microsoft Intune admin center, go to Endpoints > Configuration management > Endpoint security policies, and then select Create new policy.

    • In the Platform list, select Windows 10, Windows 11, and Windows Server.
    • In the Select Templates list, select Microsoft Defender Antivirus.

  2. Fill in the name and description, and then select Next.

  3. Go to the Scheduled scans section, and set Check For Signatures Before Running Scan to Enabled.

  4. Save and deploy the policy.

Use Configuration Manager to check for protection updates before running a scan

  1. On your Microsoft Configuration Manager console, open the antimalware policy you want to change (select Assets and Compliance in the navigation pane, then expand the tree to Overview > Endpoint Protection > Antimalware Policies).

  2. Go to the Scheduled scans section and set Check for the latest security intelligence updates before running a scan to Yes.

  3. Select OK.

  4. Deploy the updated policy as usual.

Use Group Policy to check for protection updates before running a scan

  1. On your Group Policy management machine, open the Group Policy Management Console.

  2. Right-click the Group Policy Object you want to configure, and then select Edit.

  3. Using the Group Policy Management Editor go to Computer configuration.

  4. Select Policies then Administrative templates.

  5. Expand the tree to Windows components > Microsoft Defender Antivirus > Scan.

  6. Double-click Check for the latest virus and spyware definitions before running a scheduled scan and set the option to Enabled.

  7. Select OK.

Use PowerShell cmdlets to check for protection updates before running a scan

Use the following cmdlets:

Set-MpPreference -CheckForSignaturesBeforeRunningScan

For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.

Use Windows Management Instruction (WMI) to check for protection updates before running a scan

Use the Set method of the MSFT_MpPreference class for the following properties:

CheckForSignaturesBeforeRunningScan

For more information, see Windows Defender WMIv2 APIs.

Check for protection updates on startup

You can use Group Policy to force Microsoft Defender Antivirus to check and download protection updates when the machine is started.

  1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.

  2. Using the Group Policy Management Editor go to Computer configuration.

  3. Select Policies then Administrative templates.

  4. Expand the tree to Windows components > Microsoft Defender Antivirus > Security Intelligence Updates.

  5. Double-click Check for the latest virus and spyware definitions on startup and set the option to Enabled.

  6. Select OK.

You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it isn't running.

Use Group Policy to download updates when Microsoft Defender Antivirus is not present

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.

  2. Using the Group Policy Management Editor, go to Computer configuration.

  3. Select Policies then Administrative templates.

  4. Expand the tree to Windows components > Microsoft Defender Antivirus > Security Intelligence Updates.

  5. Double-click Initiate security intelligence update on startup and set the option to Enabled.

  6. Select OK.

Use PowerShell cmdlets to download updates when Microsoft Defender Antivirus is not present

Use the following cmdlets:

Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine

For more information, see Use PowerShell cmdlets to manage Microsoft Defender Antivirus and Defender Antivirus cmdlets for more information on how to use PowerShell with Microsoft Defender Antivirus.

Use Windows Management Instruction (WMI) to download updates when Microsoft Defender Antivirus is not present

Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureDisableUpdateOnStartupWithoutEngine

For more information, see Windows Defender WMIv2 APIs.

Allow ad hoc changes to protection based on cloud-delivered protection

Microsoft Defender Antivirus can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.

If you have enabled cloud-delivered protection, Microsoft Defender Antivirus sends files it's suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender Antivirus to automatically receive that protection update. Other important protection updates can also be applied.

Use Group Policy to automatically download recent updates based on cloud-delivered protection

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.

  2. Using the Group Policy Management Editor go to Computer configuration.

  3. Select Policies then Administrative templates.

  4. Expand the tree to Windows components > Microsoft Defender Antivirus > Security Intelligence Updates.

  5. Double-click Allow real-time security intelligence updates based on reports to Microsoft MAPS and set the option to Enabled. Then select OK.

  6. Allow notifications to disable definitions-based reports to Microsoft MAPS and set the option to Enabled. Then select OK.

Note

Allow notifications to disable definitions based reports enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.

Tip

If you're looking for Antivirus related information for other platforms, see:

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.