Optimization of Windows Defender Definition Updates Across Multiple Machine Groups

Hello, everyone!

We have a Fixlet to update Windows Defender definitions every 4 hours (configured as a policy with no expiration date).

Below is the relevance we used:

(version of client >= "6.0.0.0") AND (
    (exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win2012" as lowercase)) else false))
    OR (exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win2016" as lowercase)) else false))
    OR (exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win2019" as lowercase)) else false))
    OR (exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win2022" as lowercase)) else false))
    OR (exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win8" as lowercase)) else false))
    OR (exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win10" as lowercase)) else false))
    OR (exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win11" as lowercase)) else false))
)

And here is the ActionScript we are using:

begin prefetch block
    // Download the x86 installer
    add nohash prefetch item name=mpam-fe-x86.exe url=https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86

    // Download the x64 installer
    add nohash prefetch item name=mpam-fe-x64.exe url=https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64
end prefetch block

// Check if the OS is 64-bit and run the appropriate installer
// (the path is quoted because the client folder usually contains spaces,
// and the if block must be closed with endif)
if {x64 of operating system}
    wait "{download path "mpam-fe-x64.exe"}" -q
else
    wait "{download path "mpam-fe-x86.exe"}" -q
endif

However, we’ve noticed that some machines are not updating as expected. For example, some machines were last updated on 09/26 but should have updated yesterday or today. Most machines are reporting correctly, but the update frequency remains a concern.

We have around 2200 relevant machines, divided into four groups:

  1. 1721 machines
  2. 208 machines
  3. 193 machines
  4. 54 machines

We would appreciate suggestions on how to optimize this policy to ensure that Windows Defender definitions are updated at least once or twice a day, ensuring more effective coverage.

Thank you in advance for your help!

The action script appears straightforward and simple to implement. However, since it works for most devices but some machines are experiencing issues, there are a few steps to consider. First, it’s crucial to add more logging and criteria to detect successful updates or failures. This will allow you to track the behavior and root cause of problems on machines that are missing updates or failing to process them.

There are two scenarios here:

  • Devices Missing Updates: Machines are reporting but not receiving the update.

  • Devices Not Processing Updates: The update might have been received, but some failure during the process is preventing it from being applied.

These two situations, while related, have different root causes, so they need to be investigated separately. Here’s what I suggest:

  • Modify the action script to add more logging with pass/fail status, which you can use in the console in the form of an RP.

  • For the machines that are not processing updates, try running the solution manually outside of BigFix on one of these devices.

  • Once you’ve identified the local issues, update your script to include logic that accounts for these scenarios.

The ‘nohash prefetch’ operation caches the downloaded file on the server & relay, and that same file is provided to any client that tries to download it later. The file is only cached once, when the action is issued. To get updated versions you'd have to restart the action.

https://developer.bigfix.com/action-script/reference/download/add-nohash-prefetch-item.html


Thanks @JasonWalker for pointing that out!

@beatrizmurta, you might want to consider implementing the solution provided by @SLB in the post below.

Windows defender auto virus definition update - Content Authoring - BigFix Forum

Alternatively, you can use the download or download as statement, which downloads the file at the moment of action execution: https://developer.bigfix.com/action-script/reference/download/download-as.html
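One way to combine the two suggestions in this thread (fetch at run time with "download as" instead of a one-time nohash prefetch, and record a pass/fail status an analysis can surface as a retrieved property), as an added example that is not the original poster's script or any reply's code. The setting name _Defender_DefUpdate_Status is an assumption; everything else uses only inspectors and commands already referenced above.

```actionscript
// Added example (not from any post in this thread).
// Assumed: the custom client setting name _Defender_DefUpdate_Status.

// "download as" resolves the URL each time the action runs on a client, so a
// never-expiring policy keeps receiving current definitions rather than the
// single copy cached when a "nohash prefetch" action was first issued.
download as mpam-fe-x64.exe https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64
download as mpam-fe-x86.exe https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86

// Choose the installer for this machine's architecture once, as a parameter.
parameter "installer" = "{if x64 of operating system then "mpam-fe-x64.exe" else "mpam-fe-x86.exe"}"

// Fail the action visibly (instead of launching a missing or empty file) when
// the download did not arrive; this is the "missing update" case.
continue if {exists file (download path (parameter "installer")) whose (size of it > 0)}

// Run the installer; the path is quoted because the BES Client folder
// normally contains spaces.
wait "{download path (parameter "installer")}" -q

// Record the outcome in a client setting; this is the "not processing" case.
// An analysis property reading
//   value of setting "_Defender_DefUpdate_Status" of client
// then shows the result per machine in the console.
if {exit code of action = 0}
    setting "_Defender_DefUpdate_Status"="OK {now}" on "{parameter "action issue date" of action}" for client
else
    setting "_Defender_DefUpdate_Status"="FAILED exit {exit code of action} {now}" on "{parameter "action issue date" of action}" for client
endif
```

Machines whose setting stays at an old timestamp or reads FAILED are the ones to investigate by hand, as suggested earlier in the thread.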