Updating W10/W11 Defender Platform

I have used the kit. The included PS script looks like it was written by an intern, and filled with sloppy programming.

The script can't be used directly with NTLite, because it wants to DISM mount your image instead of copying Defender platform files to an existing mount directory. I rewrote the script last summer to do that, but can't share it since the original file isn't open sourced.

What's needed is a non-MS script which downloads both the Defender platform and definition updates, and copies them. You want the install image to have the latest protections. Except for the definitions which are generated at least once per day. But having a slightly outdated definition of a week or month old is much better than the ISO version which can be over a year old.

Also you can't apply the new files to multiple images in the same NTLite session.
 
For nuhi and garlin:

Considering that NTLite "mounts" the image to process it, I ask you if it is possible to integrate (in NTLite) that activity set by Microsoft and tending to natively update Windows Defender, and if it is possible to integrate Defender updates as well in terms of engine and definitions...
I tried to do this activity in offline mode but it's extremely complicated.

In my humble opinion, an updated Defender is certainly an important step for those who, like me, still consider Defender a good Antivirus.

Thank you
 
The integration to a mounted image is straightforward, but the real problem is Platform updates are released as self-extracting EXE's.

Because it's designed for local installation, there is no provision to extract to a different path. And obviously if you don't have Defender on the host system, you can't copy the installed files back to the image. You need 7-Zip to solve this.

I don't know if 7z.dll handles SFX formats, and if it doesn't -- whether nuhi wants to bundle 7za.exe.

Platform and definition files are essentially folder distributions, so you can copy them to a mounted folder. But it doesn't help if you want to update Defender across multiple images, since each image pass is independent. I've solved the problem for a single mounted image, but that doesn't apply globally since you must check each image's architecture.

NTLite would need a Defender cache, similar to how it does extracted Updates caching.
 
7-zip library is already in NTLite, no issue in extracting this.
Will check it and report back, been delaying this type of update support for too long, thanks.
 
I have used the kit. The included PS script looks like it was written by an intern, and filled with sloppy programming.
Given the state of Windows in recent years and the fact it's only getting worse, I'd say that MS is filled with interns who do sloppy programming. I have zero programming skills so cannot say one way or another, so I leave that to them who know their onions.
 
2023.7.9367

New

Updates: Defender update integration support (Platform, Engine, Offline pack)
Updates: Defender Platform and Engine updates added to the online update lists

I don't see any Defender updates listed?
 
For nuhi, garlin
I acquired the Defender updates (Engine and Definition) with NTLITE; ISO prepared;
errdef1.png

Installed the O.S. from ISO but the result of Defender is the original one (it did not acquire the updates during installation).
errdef2.png

Maybe I'm doing something wrong?
 
Those first screenshot defender updates are old, that's not what's in the NTLite's update lists (year 2023), yours looks like the ISO built-in ones.

Can you retry, load the ISO, go to Updates - Add - Latest online updates - confirm it's higher number, at this time as in my screenshot.
clip 04.07_cr_cr.jpg

Also integrated ones have status "Staged", not "Installed", those installed ones will stay duplicate (Windows does it like that, otherwise SFC complains).

Then Apply and see in Security - Settings - About as your second screenshot.

Thanks.
 
Those first screenshot defender updates are old, that's not what's in the NTLite's update lists (year 2023), yours looks like the ISO built-in ones.
Those updates are the ones that NTLite proposed to me at 13:40 and clearly they are the integrated ones only because I saved the iso here is the preset part

<Packages>
<File>C:\Program Files\NTLite\Updates\11.22H2.x64\windows11.0-kb5026515-x64-ndp481_4d84d22adb0953d71578b862202994ba9455bd7d.msu</File>
<File>C:\Program Files\NTLite\Updates\11.22H2.x64\windows11.0-kb5028851-x64-ndp481_9a38be0dbeb4686ec47dc3f9e24be8e38718384c.msu</File>
</Packages>

As you can see from the screens I have only those upgrades for 22h2

Snap3.png

while with 23h2 I have nothing.
Snap2.png

I'll try the rest and let you know.
 
23H2 isn't an official release. Therefore it gets nothing listed. If anything, 23H2 is a placeholder until RTM.

I haven't looked at the recent builds, but it's hard to assume 23H2 has an old Defender. Usually the Insider branch will get a newer, unreleased Defender version to test at the same time.
 
Those updates are the ones that NTLite proposed to me at 13:40 and clearly they are the integrated ones only because I saved the iso here is the preset part

<Packages>
<File>C:\Program Files\NTLite\Updates\11.22H2.x64\windows11.0-kb5026515-x64-ndp481_4d84d22adb0953d71578b862202994ba9455bd7d.msu</File>
<File>C:\Program Files\NTLite\Updates\11.22H2.x64\windows11.0-kb5028851-x64-ndp481_9a38be0dbeb4686ec47dc3f9e24be8e38718384c.msu</File>
</Packages>

As you can see from the screens I have only those upgrades for 22h2
Those are .NET updates in your preset, not Defender.

OK, glad that it got solved.
 
Sorry nuhi but I'm quite picky when I don't understand.

Tell me if it's okay now:

NTLITE offered me these AV upgrade
upg_av.png

which then in the preset have become these? (because in the final preset I have no other indications of loaded updates - sez PackageIt's
pack_upgav.png


correct?

Thank you
 
That is the correct package list.

Defender updates are self-extracting files, they're not component CAB's or MSU's. Just like Dynamic Update, NTLite can only extract them and copy files to the mounted image. After copied to image, there's no real way for NTLite to know which version is installed (except to check the version signatures on individual files).

Like MSRT (which releases every month), every update keeps the same KB number forever.

For the Platform, the hash in the filename will change every time it's released. The Definitions file keeps the same name, and even worse the x86, x64 and ARM versions are all mpam-fe.exe.

How do you know which version is in NTLite's cache? Use sigcheck from Sysinternals.
Code:
sigcheck updateplatform.amd64fre_aa7e29ece94fbaacd94a7f34896b3f9671a18d18.exe
C:\Users\GARLIN\Downloads\updateplatform.amd64fre_aa7e29ece94fbaacd94a7f34896b3f9671a18d18.exe:
        Verified:       Signed
        Signing date:   9:26 PM 7/17/2023
        Publisher:      Microsoft Windows Publisher
        Company:        Microsoft Corporation
        Description:    AntiMalware Platform Update (amd64fre)
        Product:        Microsoft Malware Protection
        Prod version:   4.18.23050.9
        File version:   4.18.23050.9
        MachineType:    64-bit
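
A PowerShell equivalent of the sigcheck check above, added here as an example and not part of the original post: it lists the Defender update EXEs in a folder with signature status, file version and PE machine type, which is what tells identically named mpam-fe.exe downloads apart. `$CachePath` and the `Get-PeMachine` helper are assumptions of this example; point the path at wherever the files are actually stored.

```powershell
# Added example: inventory Defender update packages in a download/cache folder.
# $CachePath is an assumed location, not a path taken from NTLite.
param([string]$CachePath = "$env:USERPROFILE\Downloads")

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
$MachineNames = @{ 0x014c = 'x86'; 0x8664 = 'x64'; 0xAA64 = 'ARM64'; 0x01c4 = 'ARM' }

# Hypothetical helper: read the Machine field from the PE header, the same
# field sigcheck reports as "MachineType".
function Get-PeMachine {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -lt 0x40) { return 'not a PE file' }
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { return 'not a PE file' }      # 'MZ'
        $fs.Position = 0x3C
        $fs.Position = $br.ReadInt32()                                   # e_lfanew
        if ($br.ReadUInt32() -ne 0x00004550) { return 'not a PE file' }  # 'PE\0\0'
        $machine = [int]$br.ReadUInt16()
        if ($MachineNames.ContainsKey($machine)) { return $MachineNames[$machine] }
        return ('0x{0:X4}' -f $machine)
    }
    finally { $fs.Dispose() }
}

# File name patterns follow the names quoted in the post above.
Get-ChildItem -Path $CachePath -Filter *.exe |
    Where-Object { $_.Name -like 'updateplatform.*' -or $_.Name -like 'mpam-fe*' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $ver = $_.VersionInfo
        [pscustomobject]@{
            File        = $_.Name
            Signature   = $sig.Status                      # 'Valid' when the signature checks out
            Signer      = $sig.SignerCertificate.Subject   # empty if the file is unsigned
            Description = $ver.FileDescription
            FileVersion = $ver.FileVersion
            Machine     = Get-PeMachine -Path $_.FullName
        }
    } | Format-Table -AutoSize
```

Anything whose Signature column is not `Valid` should not be integrated into an image.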
 