Offline Windows Defender updates using MECM Endpoint Protection

Rob 0 Reputation points
2025-12-03T08:16:10.4033333+00:00

Context: We are setting up Microsoft Defender Antivirus for endpoints in an offline environment using MECM Endpoint Protection policies. Policies are successfully deployed and verified on endpoints via PowerShell (Get-MpPreference).

Issue: We need to update AV signatures from a UNC file share.

  • Initially, we placed mpam-fe.exe (downloaded from Microsoft) in the UNC path with the recommended folder structure (\\WindowsDefender\x64) and correct permissions.
  • After reading that Defender does not recognize .exe for UNC updates, we tried extracting .vdm files and placing them in the folder. Still no success.
  • We haven’t yet tried .cab files because we cannot find the latest signature updates in CAB format from Microsoft.

Current workaround: Considering creating a scheduled task in MECM to run mpam-fe.exe from the UNC path daily after updating the share. This feels clunky—surely there’s a better way to update AV in offline environments?

Question: What is the recommended approach for offline Defender signature updates via UNC in MECM-managed environments? Should we use CAB files, and if so, where can we reliably download them? Any best practices or official guidance would be greatly appreciated.

Thanks in advance!

Microsoft Security | Microsoft Defender | Other

  1. Q&A Assist
    2025-12-03T08:16:23.5333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To update Microsoft Defender Antivirus signatures in an offline environment using MECM (Microsoft Endpoint Configuration Manager) and a UNC file share, the recommended approach is to utilize the CAB files for signature updates. Here are the steps and best practices:

    1. Use CAB Files for Updates: Microsoft Defender Antivirus can utilize CAB files for signature updates. These files are specifically designed for offline environments and are recognized by Defender.
    2. Downloading CAB Files: You can find the latest signature updates in CAB format from the Microsoft Malware Protection Center. However, if you are unable to locate them directly, you might need to check the official Microsoft documentation or support channels for guidance on where to download the latest updates.
    3. Folder Structure: Ensure that the CAB files are placed in the correct folder structure on your UNC share. The folder structure should be similar to:
      • \WindowsDefender\x64 for 64-bit systems
      • \WindowsDefender\x86 for 32-bit systems
    4. Permissions: Make sure that the UNC share has the correct permissions set, allowing the necessary access for the endpoints to read the files.
    5. Scheduled Tasks: While creating a scheduled task to run mpam-fe.exe is a workaround, it is advisable to automate the process of placing the CAB files in the UNC share and ensuring that Defender picks them up without manual intervention.
    6. MECM Configuration: In MECM, ensure that the policies are configured to point to the UNC path for signature updates. This will allow the endpoints to retrieve the updates from the specified location automatically.

    By following these steps, you should be able to effectively manage offline updates for Microsoft Defender Antivirus in your MECM-managed environment.

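
A diagnostic for the situation discussed above, as an added example that is not part of the original question or answer: it shows which share the applied policy points at, what files the endpoint can see there, and whether an update requested from the file share alone changes the signature version. It uses only the built-in Defender cmdlets (`Get-MpPreference`, `Get-MpComputerStatus`, `Update-MpSignature`); that the `x64`/`x86` folder sits directly under the configured share path is an assumption taken from the folder structure described in the thread.

```powershell
# Added example: inspect the file-share update configuration on one endpoint,
# then request an update from the share only and compare signature versions.
# Run in an elevated PowerShell session on the endpoint.

$pref   = Get-MpPreference
$before = Get-MpComputerStatus

"Fallback order : $($pref.SignatureFallbackOrder)"
"Share sources  : $($pref.SignatureDefinitionUpdateFileSharesSources)"

# The setting may hold several UNC paths separated by '|'.
$shares = @("$($pref.SignatureDefinitionUpdateFileSharesSources)".Trim('{', '}') -split '\|' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })

if (-not $shares) {
    Write-Warning 'No file share source is configured in the applied policy.'
    return
}

# Assumption: the architecture folder sits directly under the configured path.
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }

foreach ($share in $shares) {
    $folder = Join-Path $share $arch
    # Note: this tests access as the current user, not as the Defender service.
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Cannot reach $folder from this session."
        continue
    }
    Get-ChildItem -LiteralPath $folder -File |
        Select-Object Name, Length, LastWriteTime |
        Format-Table -AutoSize
}

# Ask Defender to update from the file share only, so other sources cannot mask a failure.
try {
    Update-MpSignature -UpdateSource FileShares -ErrorAction Stop
} catch {
    Write-Warning "Update from file share failed: $($_.Exception.Message)"
}

$after = Get-MpComputerStatus
[pscustomobject]@{
    VersionBefore = $before.AntivirusSignatureVersion
    VersionAfter  = $after.AntivirusSignatureVersion
    LastUpdated   = $after.AntivirusSignatureLastUpdated
    Updated       = $before.AntivirusSignatureVersion -ne $after.AntivirusSignatureVersion
}
```

An unchanged version with no warning can simply mean the share holds nothing newer than what the endpoint already has, so compare against the file timestamps listed above.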
