Another caveat...
The Defender GUI runs the update download as one of two processes:
- MSascui.exe - which uses the current session account (this one can usually access the file share as most defender update file shares would allow read to all)
- Msmpeng.exe - which uses the NT AUTHORITY/SYSTEM account (this will have the computer name account, which in most domain-based systems will also allow access)
For the Update-MpSignature cmdlet, it's a bit different. It runs the update download as wmiprvse.exe which uses NT AUTHORITY/LOCAL SYSTEM. This account has minimum privileges on the computer and uses anonymous credentials on the network. Generally speaking, most network shares won't be configured for anonymous access, so this is why you can get the GUI to work, but the cmdlet doesn't.
