Manage Microsoft Defender Antivirus updates and apply baselines

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

There are two types of updates related to keeping Microsoft Defender Antivirus up to date:

  • Security intelligence updates
  • Product updates

Important

Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
This also applies to devices where Microsoft Defender Antivirus is running in passive mode.

You can use the below URL to find out what are the current versions: https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info

Security intelligence updates

Microsoft Defender Antivirus uses cloud-delivered protection (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.

Note

Updates are released under the below KB numbers:
Microsoft Defender Antivirus: KB2267602
System Center Endpoint Protection: KB2461484

Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see Use Microsoft cloud-provided protection in Microsoft Defender Antivirus.

Engine updates are included with security intelligence updates and are released on a monthly cadence.

Product updates

Microsoft Defender Antivirus requires monthly updates (KB4052623) (known as platform updates), and will receive major feature updates alongside Windows 10 releases.

You can manage the distribution of updates through one of the following methods:

For more information, see Manage the sources for Microsoft Defender Antivirus protection updates.

Note

We release these monthly updates in phases. This results in multiple packages visible in your WSUS server.

Monthly platform and engine versions

For information how to update or how to install the platform update, see Update for Windows Defender antimalware platform.

All our updates contain

  • performance improvements;
  • serviceability improvements; and
  • integration improvements (Cloud, Microsoft 365 Defender).
October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)

 Security intelligence update version: 1.327.7.0
 Released: October 29, 2020
 Platform: 4.18.2010.7
 Engine: 1.1.17600.5
 Support phase: Security and Critical Updates

What's new

  • New descriptions for special threat categories
  • Improved emulation capabilities
  • Improved host address allow/block capabilities
  • New option in Defender CSP to Ignore merging of local user exclusions

Known Issues

No known issues

September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)

 Security intelligence update version: 1.325.10.0
 Released: October 01, 2020
 Platform: 4.18.2009.7
 Engine: 1.1.17500.4
 Support phase: Security and Critical Updates

What's new

  • Admin permissions are required to restore files in quarantine
  • XML formatted events are now supported
  • CSP support for ignoring exclusion merges
  • New management interfaces for:
    • UDP Inspection
    • Network Protection on Server 2019
    • IP Address exclusions for Network Protection
  • Improved visibility into TPM measurements
  • Improved Office VBA module scanning

Known Issues

No known issues

August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)

 Security intelligence update version: 1.323.9.0
 Released: August 27, 2020
 Platform: 4.18.2008.9
 Engine: 1.1.17400.5
 Support phase: Security and Critical Updates

What's new

  • Add more telemetry events
  • Improved scan event telemetry
  • Improved behavior monitoring for memory scans
  • Improved macro streams scanning
  • Added AMRunningMode to Get-MpComputerStatus PowerShell cmdlet
  • DisableAntiSpyware is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program.

Known Issues

No known issues

July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)

 Security intelligence update version: 1.321.30.0
 Released: July 28, 2020
 Platform: 4.18.2007.8
 Engine: 1.1.17300.4
 Support phase: Security and Critical Updates

What's new

  • Improved telemetry for BITS
  • Improved Authenticode code signing certificate validation

Known Issues

No known issues

June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)

 Security intelligence update version: 1.319.20.0
 Released: June 22, 2020
 Platform: 4.18.2006.10
 Engine: 1.1.17200.2
 Support phase: Technical upgrade Support (Only)

What's new

  • Possibility to specify the location of the support logs
  • Skipping aggressive catchup scan in Passive mode.
  • Allow Defender to update on metered connections
  • Fixed performance tuning when caching is disabled
  • Fixed registry query
  • Fixed scantime randomization in ADMX

Known Issues

No known issues

May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)

 Security intelligence update version: 1.317.20.0
 Released: May 26, 2020
 Platform: 4.18.2005.4
 Engine: 1.1.17100.2
 Support phase: Technical upgrade Support (Only)

What's new

  • Improved logging for scan events
  • Improved user mode crash handling.
  • Added event tracing for Tamper protection
  • Fixed AMSI Sample submission
  • Fixed AMSI Cloud blocking
  • Fixed Security update install log

Known Issues

No known issues

April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)

 Security intelligence update version: 1.315.12.0
 Released: April 30, 2020
 Platform: 4.18.2004.6
 Engine: 1.1.17000.2
 Support phase: Technical upgrade Support (Only)

What's new

  • WDfilter improvements
  • Add more actionable event data to attack surface reduction detection events
  • Fixed version information in diagnostic data and WMI
  • Fixed incorrect platform version in UI after platform update
  • Dynamic URL intel for Fileless threat protection
  • UEFI scan capability
  • Extend logging for updates

Known Issues

No known issues

March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)

 Security intelligence update version: 1.313.8.0
 Released: March 24, 2020
 Platform: 4.18.2003.8
 Engine: 1.1.16900.4
 Support phase: Technical upgrade Support (Only)

What's new

  • CPU Throttling option added to MpCmdRun
  • Improve diagnostic capability
  • reduce Security intelligence timeout (5 min)
  • Extend AMSI engine internal log capability
  • Improve notification for process blocking

Known Issues

[Fixed] Microsoft Defender Antivirus is skipping files when running a scan.


February-2020 (Platform: - | Engine: 1.1.16800.2)

Security intelligence update version: 1.311.4.0
Released: February 25, 2020
Platform/Client: -
Engine: 1.1.16800.2
Support phase: N/A

What's new

Known Issues

No known issues

January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)

Security intelligence update version: 1.309.32.0
Released: January 30, 2020
Platform/Client: 4.18.2001.10
Engine: 1.1.16700.2
Support phase: Technical upgrade Support (Only)

What's new

  • Fixed BSOD on WS2016 with Exchange
  • Support platform updates when TMP is redirected to network path
  • Platform and engine versions are added to WDSI
  • extend Emergency signature update to passive mode
  • Fix 4.18.1911.3 hang

Known Issues

[Fixed] devices utilizing modern standby mode may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.

Important

This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.

Important

This update is categorized as an "update" due to its reboot requirement and will only be offered with a Windows Update

 November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)

Security intelligence update version: 1.307.13.0
Released: December 7, 2019
Platform: 4.18.1911.3
Engine: 1.1.17000.7
Support phase: No support

What's new

  • Fixed MpCmdRun tracing level
  • Fixed WDFilter version info
  • Improve notifications (PUA)
  • add MRT logs to support files

Known Issues

When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.

Microsoft Defender Antivirus platform support

Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version:

  • Security and Critical Updates servicing phase - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.

  • Technical Support (Only) phase - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*

* Technical support will continue to be provided for upgrades from the Windows 10 release version (see Platform version included with Windows 10 releases) to the latest platform version.

During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).

Platform version included with Windows 10 releases

The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:

Windows 10 release Platform version Engine version Support phase
2004 (20H1) 4.18.2004.6 1.1.17000.2 Technical upgrade Support (Only)
1909 (19H2) 4.18.1902.5 1.1.16700.3 Technical upgrade Support (Only)
1903 (19H1) 4.18.1902.5 1.1.15600.4 Technical upgrade Support (Only)
1809 (RS5) 4.18.1807.18075 1.1.15000.2 Technical upgrade Support (Only)
1803 (RS4) 4.13.17134.1 1.1.14600.4 Technical upgrade Support (Only)
1709 (RS3) 4.12.16299.15 1.1.14104.0 Technical upgrade Support (Only)
1703 (RS2) 4.11.15603.2 1.1.13504.0 Technical upgrade Support (Only)
1607 (RS1) 4.10.14393.3683 1.1.12805.0 Technical upgrade Support (Only)

Windows 10 release info: Windows lifecycle fact sheet.

See also

Article Description
Manage how protection updates are downloaded and applied Protection updates can be delivered through a number of sources.
Manage when protection updates should be downloaded and applied You can schedule when protection updates should be downloaded.
Manage updates for endpoints that are out of date If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in.
Manage event-based forced updates You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
Manage updates for mobile devices and virtual machines (VMs) You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.