Microsoft Defender for Endpoint Deployment rings - mattnovitsch/M365 GitHub Wiki

Summary

The purpose of this document is to provide guidance on deployment rings for Defender for Endpoint. It covers Intune, Group Policy (GPO), and Configuration Manager/WSUS for Windows, with additional notes on Linux and macOS.

Ring Information

This won't be like most of my documents, as the right split depends greatly on each environment. Please note that not all channels are available for every Defender update type: security intelligence (daily definition) updates only offer Current Channel (Staged) and Current Channel (Broad), while monthly engine and platform updates offer all of the channels listed below.


Beta

This is the Insider preview channel, so most customers won't use it. If you have engineers who test new features ahead of release, this is where to put them.

Current Channel (Preview)

Most customers will use Current Channel (Preview) for pre-production environments and/or IT department devices.

Current Channel (Staged)

Current Channel (Staged) is recommended for users on the floor who will provide valuable feedback. One person per department is helpful and recommended.

  • Valuable feedback: "The system is running slow after the update; my RAM is at XX% and is not going down, and I can see the Defender service is running high."
  • Nonvaluable feedback: "My system is slow, please fix."

Current Channel (Broad)

This is going to be the majority of your environment.

Critical

These would be systems or users you see as critical to your environment, for example health care systems, banking systems, and anything else you classify as critical. In the Defender settings this ring is the Critical: Time delay channel, which receives updates roughly 48 hours after Broad, so a bad update shows up elsewhere in your environment first.


Windows Deployment

Once you have figured out which channels you are going to use, you have to deploy them.


  • Intune - I would strongly encourage using the Defender Update controls profile under Endpoint security > Antivirus. Create one profile per ring (it holds the platform, engine and security intelligence channel settings) and assign each profile to an Entra group that contains the users/devices for that ring.



  • Group Policy Object (GPO) - You will need to download the latest Windows Defender .admx and .adml files and copy them into the PolicyDefinitions central store in SYSVOL on your domain controllers (or the local PolicyDefinitions folder of the machine you edit policy from):
  1. WindowsDefender.admx
  2. WindowsDefender.adml

Open the Group Policy Object and navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus. There are three settings you need to configure:

  1. Select the channel for Microsoft Defender daily security intelligence updates
  2. Select the channel for Microsoft Defender monthly engine updates
  3. Select the channel for Microsoft Defender monthly platform updates


Create one GPO per ring you plan to deploy, scoped (by OU link or security-group filtering) to that ring's devices.


  • Configuration Manager/WSUS - If you already use these or similar tools, you most likely already have a ring deployment method. If you follow the channel guidance above, the channel controls when an update is offered to a device and your collections/deployments control when it is installed, so you get a staged rollout. The only other guidance I would recommend is checking that your Software Update Point/WSUS has the Defender products and classifications enabled (security intelligence updates arrive as Definition Updates) so it actually downloads the updates.
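For a lab device, a jump host, or any Windows machine that the Intune/GPO rings above do not reach, the same three channel settings can be applied locally with Set-MpPreference. The script below is an added example, not code from the wiki; the ring names are the ones used on this page, and the channel names are the values the cmdlet accepts (NotConfigured, Beta, Preview, Staged, Broad, Delayed, where Delayed is the Critical: Time delay channel). The choice of Staged/Broad for the definition channel in each ring is my assumption, since definitions have no Beta, Preview or delayed option.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the wiki): put a single Windows device into one of the rings
# described above with Set-MpPreference and read the result back. On a device that is
# already managed by Intune or GPO the policy value wins, so the read-back will show
# the policy's channel rather than the one requested here.

# Ring -> channel per update type. Security intelligence (definition) updates only
# support Staged and Broad; the early rings take Staged and Critical takes Broad
# (my assumption; there is no delayed channel for definitions).
$RingMap = @{
    'Beta'                      = @{ Platform = 'Beta';    Engine = 'Beta';    Definitions = 'Staged' }
    'Current Channel (Preview)' = @{ Platform = 'Preview'; Engine = 'Preview'; Definitions = 'Staged' }
    'Current Channel (Staged)'  = @{ Platform = 'Staged';  Engine = 'Staged';  Definitions = 'Staged' }
    'Current Channel (Broad)'   = @{ Platform = 'Broad';   Engine = 'Broad';   Definitions = 'Broad'  }
    'Critical'                  = @{ Platform = 'Delayed'; Engine = 'Delayed'; Definitions = 'Broad'  }
}

# Numeric values Get-MpPreference reports; these match the Defender CSP ring values
# (0 Not configured, 2 Beta, 3 Preview, 4 Staged, 5 Broad, 6 Critical: Time delay).
$ChannelName = @{ 0 = 'NotConfigured'; 2 = 'Beta'; 3 = 'Preview'; 4 = 'Staged'; 5 = 'Broad'; 6 = 'Delayed' }

function Set-DefenderRing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Beta', 'Current Channel (Preview)', 'Current Channel (Staged)',
                     'Current Channel (Broad)', 'Critical')]
        [string]$Ring
    )
    $c = $RingMap[$Ring]
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set Defender ring '$Ring'")) {
        Set-MpPreference -PlatformUpdatesChannel   $c.Platform `
                         -EngineUpdatesChannel     $c.Engine `
                         -DefinitionUpdatesChannel $c.Definitions
    }

    # Read back what the engine actually holds and compare it with the request.
    $p = Get-MpPreference
    $platform    = $ChannelName[[int]$p.PlatformUpdatesChannel]
    $engine      = $ChannelName[[int]$p.EngineUpdatesChannel]
    $definitions = $ChannelName[[int]$p.DefinitionUpdatesChannel]

    [pscustomobject]@{
        Ring        = $Ring
        Platform    = $platform
        Engine      = $engine
        Definitions = $definitions
        # False here usually means a policy (Intune/GPO) is overriding the local preference.
        Applied     = ($platform -eq $c.Platform) -and ($engine -eq $c.Engine) -and ($definitions -eq $c.Definitions)
    }
}

# Usage: move this device into the Staged ring and show what was applied.
Set-DefenderRing -Ring 'Current Channel (Staged)' | Format-List
```

Run it with -WhatIf first to see the change without applying it. Do not combine this with the "Disable gradual rollout" setting (DisableGradualRelease); that opts the device out of the channel mechanism entirely and it will take every update as soon as it is published, regardless of ring.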

Linux Deployment

This one is probably the easiest. Microsoft publishes a repository (packages.microsoft.com) with a channel for every Linux distribution it supports. When you configure the repository on a device you pick the channel directory (prod, insiders-slow or insiders-fast) for that device, and you schedule the update itself with a cron job or timer per device. For information on setting up the cron jobs please see Schedule an update of the Microsoft Defender for Endpoint (Linux).


This is probably the closest I could come to ring mapping for Linux (insiders-fast receives updates first, insiders-slow after it, and prod last):

  • insiders-fast = Channel (UAT)
  • insiders-slow = Channel (DEV)
  • prod = Current Channel (Broad)

MacOS Deployment

For macOS we need to set the channel in the managed preferences plist for each group. This can be done via Intune, Jamf, or whatever tool you use to push configuration. The plist must include ChannelName with a string value of one of the following:

  • Beta Channel
  • Current Channel (Preview)
  • Current Channel

Microsoft's macOS update documentation (see References) includes example plist files.

Validation

Now we need to validate that all endpoints are working as configured and in the correct rings. We could go to each device, but it's much quicker to do it from an Advanced Hunting query. The query captures active devices, the last time they were updated, the platform, engine and signature versions, and their assigned rings. You can get a copy of the KQL from here.

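Advanced Hunting shows what the portal has ingested, which lags the device by a while; when you want a live answer from the devices themselves (or from machines that are not yet onboarded) the same check can be done with PowerShell Remoting. The script below is an added example and is not the wiki's KQL. It assumes WinRM is enabled and that you are a local administrator on the targets; the device names and the ring each is expected to be in are constructed for illustration.

```powershell
# Added example (not from the wiki): audit ring assignment and update freshness across
# a set of Windows devices over PowerShell Remoting, as a live cross-check on the
# Advanced Hunting view. Assumes WinRM is enabled and you are an admin on the targets.

# Numeric channel values as reported by Get-MpPreference (Defender CSP ring values).
$ChannelName = @{ 0 = 'NotConfigured'; 2 = 'Beta'; 3 = 'Preview'; 4 = 'Staged'; 5 = 'Broad'; 6 = 'Delayed' }

# Constructed inventory: the platform/engine channel each device should be on, i.e.
# the ring group it was placed in. Delayed is the Critical: Time delay ring.
$Expected = @{
    'IT-LAPTOP-01' = 'Preview'
    'HR-DESK-07'   = 'Staged'
    'FIN-WS-22'    = 'Broad'
    'ICU-WS-03'    = 'Delayed'
}

# Collect the configured channels and the running versions from each device.
$state = Invoke-Command -ComputerName ([string[]]$Expected.Keys) -ErrorAction SilentlyContinue -ScriptBlock {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Device            = $env:COMPUTERNAME
        PlatformChannel   = [int]$p.PlatformUpdatesChannel
        EngineChannel     = [int]$p.EngineUpdatesChannel
        DefinitionChannel = [int]$p.DefinitionUpdatesChannel
        PlatformVersion   = $s.AMProductVersion
        EngineVersion     = $s.AMEngineVersion
        SignatureVersion  = $s.AntivirusSignatureVersion
        SignatureAgeDays  = $s.AntivirusSignatureAge
    }
}

# Compare what each device reports with the ring it was supposed to be in.
$report = foreach ($d in $state) {
    $want     = $Expected[$d.Device]
    $platform = $ChannelName[$d.PlatformChannel]
    $engine   = $ChannelName[$d.EngineChannel]
    [pscustomobject]@{
        Device           = $d.Device
        ExpectedRing     = $want
        Platform         = $platform
        Engine           = $engine
        Definitions      = $ChannelName[$d.DefinitionChannel]
        RingMismatch     = ($platform -ne $want) -or ($engine -ne $want)
        # Signatures normally refresh several times a day; more than a day old means
        # the device is not receiving updates at all, whatever ring it is in.
        StaleSignatures  = $d.SignatureAgeDays -gt 1
        PlatformVersion  = $d.PlatformVersion
        EngineVersion    = $d.EngineVersion
        SignatureVersion = $d.SignatureVersion
    }
}

# Devices that never answered are a finding too: offline, firewalled, or not managed.
$missing = $Expected.Keys | Where-Object { $_ -notin @($state.Device) }

$report | Sort-Object RingMismatch, StaleSignatures -Descending | Format-Table -AutoSize
if ($missing) { Write-Warning "No response from: $($missing -join ', ')" }
```

A RingMismatch on a device that is supposedly in an Intune or GPO ring usually means the device is not picking up the profile or policy at all (wrong group membership, policy conflict, or the device is not enrolled), which is exactly the case the Advanced Hunting query cannot distinguish from a device that has simply not reported in yet.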

References

Microsoft Latest Antimalware Changes: Antimalware updates change log - Microsoft Security Intelligence

Microsoft Latest updates: Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence

Rings:

CSP Ring Value: Defender CSP | Microsoft Learn

Safe Deployment Practices: Microsoft Defender for Endpoint’s Safe Deployment Practices

Linux repository: https://packages.microsoft.com/

MacOS: Deploy updates for Microsoft Defender for Endpoint on Mac - Microsoft Defender for Endpoint | Microsoft Learn