I have never done this before, but your question made me curious and I started doing some testing. I was able to reproduce your issue. It's clear that not many people do this, because there is zero coherent information on the internet about how to do this. So, it's no surprise you're getting nowhere.
So, here is what I discovered while using Process Monitor. I was able to successfully get Defender to update from a file source.
- First, the update packages consist of three files:
mpam-fe.exe,mpam-d.exe, andnis_full.exe. I tried using justmpam-fe.exeand it failed. - Second, there are 32-bit and 64-bit versions of updates. When you runthe
Update-MPSignaturecommand it expects to find the updates underthex64orx86folder in your source path. So, you need to createthe additional folders under your source path and place the updatefiles in there. - Third, the process that updates Windows Defender is wmiprvse.exe(WMI) - it runs as Local System. Be aware that the connection is madeto the file source using the computer account and not a user account.I tried several different things to try to get it to connect to afile share on a domain joined server. This included adding thecomputer account,
domain computers,Everyone, andAnonymous.Nothing worked. It failed every time with Access Denied. I was onlyable to get it to work when I put the files on my NAS which has zerosecurity restrictions.
Here's a script that can assist with downloading the update packages: https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4
Here are other references I used to get this to work:https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/update-mpsignature?f=255&MSPPError=-2147217396
https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference