Mobile devices and VMs may require additional configuration to ensure that updates do not impact performance.
There are two settings that are useful for these devices:
- Opt in to Microsoft Update on mobile computers without a WSUS connection
- Prevent Security intelligence updates when running on battery power
The following articles may also be useful in these situations:
- Configuring scheduled and catch-up scans
- Manage updates for endpoints that are out of date
- Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
Opt in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don’t otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
You can opt in to Microsoft Update on the mobile device in one of the following ways:
- Change the setting with Group Policy.
- Create a VBScript, then run it on each computer in your network.
- Manually opt in every computer on your network through the Settings menu.
Use Group Policy to opt in to Microsoft Update
- On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.
- In the Group Policy Management Editor, go to Computer configuration.
- Select Policies then Administrative templates.
- Expand the tree to Windows components > Microsoft Defender Antivirus > Signature Updates.
- Set Allow security intelligence updates from Microsoft Update to Enabled, and then select OK.
Use a VBScript to opt in to Microsoft Update
- Use the instructions in the MSDN article Opt-In to Microsoft Update to create the VBScript.
- Run the VBScript you created on each computer in your network.
Manually opt in to Microsoft Update
- Open Windows Update in Update & security settings on the computer you want to opt in.
- Select Advanced options.
- Select the checkbox for Give me updates for other Microsoft products when I update Windows.
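To confirm the opt-in on a device, the following read-only PowerShell check is an added example, not part of the original article. It looks for the Microsoft Update service that the script and Settings methods register with the Windows Update Agent (the Group Policy setting is not checked here) and reports how old the Defender security intelligence is. The function names and the 3-day threshold are assumptions of this example.

```powershell
# Added example: report whether this endpoint is opted in to Microsoft Update
# and how old its Defender security intelligence is. Read-only; changes nothing.

# Well-known service ID of Microsoft Update in the Windows Update Agent API.
$MicrosoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Get-MicrosoftUpdateOptIn {
    # The Windows Update Agent exposes its registered update services over COM.
    $manager = New-Object -ComObject Microsoft.Update.ServiceManager
    $service = $manager.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateId }
    [pscustomobject]@{
        Registered       = [bool]$service
        RegisteredWithAU = [bool]($service -and $service.IsRegisteredWithAU)
    }
}

function Test-OnBattery {
    # Win32_Battery.BatteryStatus 1 means discharging; no instance means no battery.
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue
    [bool]($battery | Where-Object { $_.BatteryStatus -eq 1 })
}

$optIn  = Get-MicrosoftUpdateOptIn
$status = Get-MpComputerStatus   # Defender module, present where Defender Antivirus runs

$report = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    MicrosoftUpdateOptIn = $optIn.Registered -and $optIn.RegisteredWithAU
    OnBattery            = Test-OnBattery
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
}
$report

# Assumed threshold for this example: flag intelligence older than 3 days.
$MaxAgeDays = 3
if (-not $report.MicrosoftUpdateOptIn) {
    Write-Warning 'The Microsoft Update service is not registered with Automatic Updates on this device.'
}
if ($report.SignatureAgeDays -gt $MaxAgeDays) {
    Write-Warning "Security intelligence is $($report.SignatureAgeDays) days old."
}
```

Run it in a local PowerShell session on the device; the OnBattery value helps explain stale intelligence on devices where updates on battery power are disabled.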
Prevent Security intelligence updates when running on battery power
You can configure Microsoft Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
Use Group Policy to prevent security intelligence updates on battery power
- On your Group Policy management machine, open the Group Policy Management Console, choose the Group Policy Object you want to configure, and open it for editing.
- In the Group Policy Management Editor, go to Computer configuration.
- Select Policies then Administrative templates.
- Expand the tree to Windows components > Microsoft Defender Antivirus > Signature Updates, and then set Allow security intelligence updates when running on battery power to Disabled. Then select OK.
This action prevents protection updates from downloading when the PC is on battery power.