MicrosoftDocs
diff --git a/‎defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md‎
Lines changed: 54 additions & 30 deletions b/‎defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md‎
Lines changed: 54 additions & 30 deletions
diff --git a/‎defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md‎
Lines changed: 25 additions & 25 deletions b/‎defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md‎
Lines changed: 25 additions & 25 deletions
@@ -2,7 +2,7 @@
 title: Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment
 description: Get an overview of how to configure Microsoft Defender Antivirus in a remote desktop or non-persistent virtual desktop environment.
 ms.localizationpriority: medium
-ms.date: 08/22/2023
+ms.date: 09/27/2024
 ms.topic: conceptual
 author: denisebmsft
 ms.author: deniseb
@@ -51,12 +51,31 @@ This guide describes how to configure Microsoft Defender Antivirus on your VMs f
 
 ## Set up a dedicated VDI file share for security intelligence
 
-In Windows 10, version 1903, Microsoft introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine. This method reduces the usage of CPU, disk, and memory resources on individual machines. Shared security intelligence now works on Windows 10, version 1703 and later. You can set up this capability by using Group Policy or PowerShell, as described in the following table:
+In Windows 10, version 1903, Microsoft introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine. This method reduces the usage of CPU, disk, and memory resources on individual machines. Shared security intelligence now works on Windows 10, version 1703 and later. You can set up this capability by using Group Policy or PowerShell.
 
-|Method  | Procedure  |
-|---------|---------|
-| Group Policy | 1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then select **Edit**.<br/><br/>2. In the Group Policy Management Editor, go to **Computer configuration**.<br/><br/>Select **Administrative templates**.<br/><br/>Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.<br/><br/>3. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.<br/><br/>4. Enter `\\<sharedlocation\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).<br/><br/>5. Select **OK**.<br/><br/>Deploy the GPO to the VMs you want to test. |
-| PowerShell | 1. On each RDS or VDI device, use the following cmdlet to enable the feature: `Set-MpPreference -SharedSignaturesPath \\<shared location>\wdav-update`. <br/><br/>2. Push the update as you normally would push PowerShell-based configuration policies onto your VMs. (See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section the \<shared location\> entry.) |
+### Group Policy
+
+1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then select **Edit**.
+
+2. In the Group Policy Management Editor, go to **Computer configuration**.
+
+3. Select **Administrative templates**. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+
+4. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. 
+
+   A field automatically appears.
+
+5. Enter `\\<Windows File Server shared location\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
+
+6. Select **OK**, and then deploy the GPO to the VMs you want to test.
+
+### PowerShell
+
+1. On each RDS or VDI device, use the following cmdlet to enable the feature: 
+
+   `Set-MpPreference -SharedSignaturesPath \\<Windows File Server shared location>\wdav-update`
+   
+2. Push the update as you normally would push PowerShell-based configuration policies onto your VMs. (See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section in this article. Look for the *shared location* entry.) 
 
 ## Download and unpackage the latest updates
 
@@ -75,54 +94,59 @@ Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'
 Start-Process -FilePath $vdmpackage -WorkingDirectory $vdmpath -ArgumentList "/x"
 ```
 
-You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update.
-We suggest starting with once a day, but you should experiment with increasing or decreasing the frequency to understand the impact.
+You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs receive the new update. We suggest starting with once a day, but you should experiment with increasing or decreasing the frequency to understand the impact.
 
 Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn't advisable because it will increase the network overhead on your management machine for no benefit.
 
 You can also set up your single server or machine to fetch the updates on behalf of the VMs at an interval and place them in the file share for consumption.
-This configuration is possible when the devices have the share and read access (NTFS permissions) to the share so they can grab the updates. To set this configuration up, follow these steps:
+This configuration is possible when the devices have the share and read access (NTFS permissions) to the share so they can grab the updates. To set up this configuration, follow these steps:
 
 1. Create an SMB/CIFS file share.
 
- 2. Use the following example to create a file share with the following share permissions.
+2. Use the following example to create a file share with the following share permissions.
 
-    ```PowerShell
-    PS c:\> Get-SmbShareAccess -Name mdatp$
+   ```PowerShell
+   
+   PS c:\> Get-SmbShareAccess -Name mdatp$
 
-    Name   ScopeName AccountName AccessControlType AccessRight
-    ----   --------- ----------- ----------------- -----------
-    mdatp$ *         Everyone    Allow             Read
-    ```
+   Name   ScopeName AccountName AccessControlType AccessRight
+   ----   --------- ----------- ----------------- -----------
+   mdatp$ *         Everyone    Allow             Read
+   
+   ```
 
-    > [!NOTE]
-    > An NTFS permission is added for **Authenticated Users:Read:**.
+   > [!NOTE]
+   > An NTFS permission is added for **Authenticated Users:Read:**.
 
-    For this example, the file share is:
+   For this example, the file share is `\\WindowsFileServer.fqdn\mdatp$\wdav-update`.
+   
+### Set a scheduled task to run the PowerShell script
 
-    `\\fileserver.fqdn\mdatp$\wdav-update`
+1. On the management machine, open the Start menu and type `Task Scheduler`. From the results, Task Scheduler and then select **Create task...** on the side panel.
 
-### Set a scheduled task to run the PowerShell script
+2. Specify the name as `Security intelligence unpacker`. 
+
+3. On the **Trigger** tab, select **New...** > **Daily**, and select **OK**.
 
-1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task...** on the side panel.
+4. On the **Actions** tab, select **New...**.
 
-2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New...** \> **Daily**, and select **OK**.
+5. Specify `PowerShell` in the **Program/Script** field. 
 
-3. Go to the **Actions** tab. Select **New...** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**.
+6. In the **Add arguments**  field, type `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1`, and then select **OK**.
 
-4. Configure any other settings as appropriate.
+7. Configure any other settings as appropriate.
 
-5. Select **OK** to save the scheduled task.
+8. Select **OK** to save the scheduled task.
 
-You can initiate the update manually by right-clicking on the task and then selecting **Run**.
+To initiate the update manually, right-click on the task, and then select **Run**.
 
 ### Download and unpackage manually
 
 If you would prefer to do everything manually, here's what to do to replicate the script's behavior:
 
-1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`.
+1. Create a new folder on the system root called `wdav_update` to store intelligence updates. For example, create the folder `c:\wdav_update`.
 
-2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`
+2. Create a subfolder under `wdav_update` with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`
 
    Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`
 
@@ -131,7 +155,7 @@ If you would prefer to do everything manually, here's what to do to replicate th
 
 3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions)  into the GUID folder. The file should be named `mpam-fe.exe`.
 
-4. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example `mpam-fe.exe /X`.
+4. Open a Command Prompt window and navigate to the GUID folder you created. Use the `/X` extraction command to extract the files. For example `mpam-fe.exe /X`.
 
    > [!NOTE]
    > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
 
@@ -14,7 +14,7 @@ ms.collection:
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 09/09/2024
+ms.date: 09/27/2024
 ---
 
 # Manage the sources for Microsoft Defender Antivirus protection updates
@@ -63,15 +63,14 @@ There are five locations where you can specify where an endpoint should obtain u
 - [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware](manage-protection-update-schedule-microsoft-defender-antivirus.md) (See note 2 below)
 
 > [!NOTE]
-> 1. Intune Internal Definition Update Server. If you use SCCM/SUP to get definition updates for Microsoft Defender Antivirus, and you must access Windows Update on blocked client devices, you can transition to co-management and offload the endpoint protection workload to Intune. In the antimalware policy configured in Intune there is an "internal definition update server" option that you can set to use on-premises WSUS as the update source. This configuration helps you control which updates from the official WU server are approved for the enterprise, and also helps proxy and save network traffic to the official Windows Updates network.
+> - Intune Internal Definition Update Server. If you use SCCM/SUP to get definition updates for Microsoft Defender Antivirus, and you must access Windows Update on blocked client devices, you can transition to co-management and offload the endpoint protection workload to Intune. In the antimalware policy configured in Intune there is an "internal definition update server" option that you can set to use on-premises WSUS as the update source. This configuration helps you control which updates from the official WU server are approved for the enterprise, and also helps proxy and save network traffic to the official Windows Updates network.
 > 
-> 2. Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.
+> - Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.
 
 To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, Microsoft security intelligence updates, and platform updates sources deliver less frequent updates. Thus, the delta might be larger, resulting in larger downloads.
 
 Platform updates and engine updates are released on a monthly cadence. Security intelligence updates are delivered multiple times a day, but this delta package doesn't contain an engine update. See [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md).
 
-
 > [!IMPORTANT]
 > If you have set [Microsoft Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates and platform updates when the current update is considered out-of-date. (By default, this is seven consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
 > You can, however, [set the number of days before protection is reported as out-of-date](manage-outdated-endpoints-microsoft-defender-antivirus.md).<p>
@@ -100,27 +99,30 @@ The procedures in this article first describe how to set the order, and then how
 
 1. In the **Group Policy Management Editor**, go to **Computer configuration**.
 
-1. Select **Policies** then **Administrative templates**.
+2. Select **Policies** then **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Windows Defender** > **Signature updates**.
 
-1. Expand the tree to **Windows components** > **Windows Defender** > **Signature updates** and then configure the following settings:
+   > [!NOTE]
+   > - For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Microsoft Defender Antivirus > Signature Updates**
+   > - For Windows 10, version 1903, the policy path is **Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates**
 
-   1. Edit the **Define the order of sources for downloading security intelligence updates** setting. Set the option to **Enabled**.
+4. Edit the **Define the order of sources for downloading security intelligence updates** setting. Set the option to **Enabled**.
 
-   2. Specify the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
+5. Specify the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
 
-      :::image type="content" source="/defender/media/wdav-order-update-sources.png" alt-text="Group policy setting listing the order of sources" lightbox="/defender/media/wdav-order-update-sources.png":::
+   :::image type="content" source="/defender/media/wdav-order-update-sources.png" alt-text="Group policy setting listing the order of sources" lightbox="/defender/media/wdav-order-update-sources.png":::
 
-   1. Select **OK**. This action sets the order of protection update sources.
-      
-   1. Edit the **Define file shares for downloading security intelligence updates** setting and then set the option to **Enabled**.
-      
-   1. Specify the file share source. If you have multiple sources, specify each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you don't enter any paths, then this source is skipped when the VM downloads updates.
+6. Select **OK**. This action sets the order of protection update sources.
+
+7. Edit the **Define file shares for downloading security intelligence updates** setting and then set the option to **Enabled**.
+
+8. On a Windows Server, specify the file share source. If you have multiple sources, specify each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path. For example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. 
+
+   If you don't enter any paths, then this source is skipped when the VM downloads updates.
 
-   6. Select **OK**. This action sets the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
+9. Select **OK**. This action sets the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
 
-> [!NOTE]
-> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Microsoft Defender Antivirus > Signature Updates**
-> For Windows 10, version 1903, the policy path is **Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates**
 
 ## Use Configuration Manager to manage the update location
 
@@ -172,18 +174,18 @@ For example, suppose that Contoso has hired Fabrikam to manage their security so
 
 ## Create a UNC share for security intelligence and platform updates
 
-Set up a network file share (UNC/mapped drive) to download security intelligence and platform updates from the MMPC site by using a scheduled task.
+On a Windows Server set up a network file share (UNC/mapped drive) to download security intelligence and platform updates from the MMPC site by using a scheduled task.
 
 1. On the system for which you want to provision the share and download the updates, create a folder for the script.
 
-    ```console
+    ```cmd
     Start, CMD (Run as admin)
     MD C:\Tool\PS-Scripts\
     ```
 
 2. Create a folder for signature updates.
 
-    ```console
+    ```cmd
     MD C:\Temp\TempSigs\x64
     MD C:\Temp\TempSigs\x86
     ```
@@ -253,7 +255,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence
 
    If the scheduled task fails, run the following commands:
 
-    ```console
+   ```powershell
     C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64"
 
     C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $True -destDir C:\Temp\TempSigs\x64"
@@ -271,9 +273,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence
 11. Set the share location in the policy to the share.
 
     > [!NOTE]
-    > Do not add the x64 (or x86) folder in the path. The mpcmdrun.exe process adds it automatically.
-
-
+    > Do not add the x64 (or x86) folder in the path. The `mpcmdrun.exe` process adds it automatically.
 
 ## Related articles