Applies to:
- Microsoft Defender for Endpoint Plans 1 and 2
- Microsoft Defender Antivirus
Platforms
- Windows
Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. Update your antivirus protection, even if Microsoft Defender Antivirus is running in passive mode. This article includes information about the two types of updates for keeping Microsoft Defender Antivirus current:
This article also includes:
- Microsoft Defender Antivirus platform support
- How to roll back an update (if necessary)
- Platform version included with Windows 10 releases
- Updates for Deployment Image Servicing and Management (DISM)
To see the most current engine, platform, and signature date, see Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware.
Tip
As a companion to this article, see our Security Analyzer setup guide to review best practices and learn to fortify defenses, improve compliance, and navigate the cybersecurity landscape with confidence. For a customized experience based on your environment, you can access the Security Analyzer automated setup guide in the Microsoft 365 admin center.
Microsoft Defender Antivirus uses cloud-delivered protection (also called the Microsoft Advanced Protection Service, or MAPS) and periodically downloads dynamic security intelligence updates to provide more protection. These dynamic updates don't take the place of regular security intelligence updates via security intelligence update KB2267602.
Note
Updates are released under the following KBs:
- Microsoft Defender Antivirus: KB2267602
- System Center Endpoint Protection: KB2461484
Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see Use Microsoft cloud-provided protection in Microsoft Defender Antivirus.
For a list of recent security intelligence updates, see Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware.
Engine updates are included with security intelligence updates and are released on a monthly cadence.
Microsoft Defender Antivirus requires monthly updates (KB4052623) known as platform updates.
You can manage the distribution of updates through one of the following methods:
- Windows Server Update Services (WSUS)
- Microsoft Configuration Manager
- The usual methods you use to deploy Microsoft and Windows updates to endpoints in your network.
For more information, see Manage the sources for Microsoft Defender Antivirus protection updates.
Monthly updates are released in phases, resulting in multiple packages visible in your Windows Server Update Services.
This article lists changes that are included in the broad release channel. See the latest broad channel release here.
To learn more about the gradual rollout process, and to see more information about the next release, see Manage the gradual rollout process for Microsoft Defender updates.
To learn more about security intelligence updates, see Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware.
If you're looking for a list of Microsoft Defender processes, see the spreadsheet provided at Enable access to Microsoft Defender for Endpoint service URLs in the proxy server. The sheet also lists the services and their associated URLs that your network must be able to connect to.
Platform updates can be temporarily postponed if other protection features, such as Endpoint DLP or Device Control are actively monitoring running processes. Platform updates are retried after a reboot or when all monitored services are stopped.
In the Microsoft Endpoint Configuration Manager / Windows Server Update Services (MECM/WSUS) catalog, the category Microsoft Defender for Endpoint includes updates for the MSSense service in KB5005292. KB5005292 includes updates and fixes to the Microsoft Defender for Endpoint endpoint detection and response (EDR) sensor. For more information, see Microsoft Defender for Endpoint update for EDR Sensor and What's new in Microsoft Defender for Endpoint on Windows.
Updates contain:
- Performance improvements
- Serviceability improvements
- Integration improvements (Cloud, Microsoft Defender XDR)
- Security intelligence update version: 1.427.3.0
- Release date: April 1, 2025 (Engine) / April 9, 2025 (Platform)
- Platform: 4.18.25030.2
- Engine: 1.1.25030.1
- Support phase: Security and Critical Updates
- Improved caching of device control settings to improve reliability in occasionally connected environments.
- Performance improvement in on-access scans of files in network locations.
- Fixed the Defender service description to match the latest installed version.
- Improved Defender engine update logic when the update is included in a custom image.
- Fix in health reporting where signature update data might have been incorrect.
- Fixed reporting issue with controlled folder access (CFA) protected folders using the PowerShell cmdlet Get-MpPreference when CFA is disabled.
- Improved performance when scanning UPX-packed files (Ultimate Packer for eXecutables) and updated the validation process to verify the integrity of the packed file itself.
- Added support for distinguishing regular cloud allow signatures from clean Indicators of Compromise (IoC) in attack surface reduction (ASR).
- Security intelligence update version: 1.425.1.0
- Release date: March 12, 2025 (Engine) / March 31, 2025 (Platform)
- Platform: 4.18.25020.1009
- Engine: 1.1.25020.1007
- Support phase: Security and Critical Updates
- Fixed deadlock issue on VDI that occurred when loading corrupted update files from UNC share.
- Systems controlled by SharedSignatureRoot can be updated by running signature update commands.
- If you're currently using a shared signature path to update VDI environments, you can now use signature update commands through MpCmdRun, PowerShell, and the user interface to update to latest drops in your signature update shares.
- Shared root signature setting updates are now applied without requiring a system restart. (If this setting is turned off and on multiple times, a system reboot is necessary.)
- Improved logic for handling restore from quarantine.
- Fixed fallback issue with Update-MpSignature.
- Increased device control policy limits.
- Improved security resilience for Defender update process.
- Security intelligence update version: 1.423.21.0
- Release date: February 20, 2025 (Engine) / March 5, 2025 (Platform)
- Platform: 4.18.25010.11
- Engine: 1.1.25010.7
- Support phase: Security and Critical Updates
- Improved handling of attack surface reduction rule exclusions.
- Improved AMSI scan performance with changes to exclusion handling.
- Fixed Controlled Folder Access (CFA) protection for OneDrive when backup is enabled.
- Fixed performance issues with full scans when initiated from the Microsoft Defender portal.
- Fixed attack surface reduction warn mode processing for containerized objects (such as Office files) when the unblock option is selected.
- Fixed attack surface reduction warn mode processing when exclusions are applied.
- Fixed performance handling with file transfers having Mark of the Web (MoTW) set.
- Implemented AzureAd cache to handle offline environments with device control.
- Resolved an issue with TrustLabelProtectionStatus being reset after a Microsoft Defender platform update.
- Resolved an issue with tamper protection for exclusions where an exclusion policy was handled by System Center Configuration Manager.
- Fixed issue with device control auditing of removable media.
- Fixed issue with MDM policy management on Azure Virtual Desktop.
- Added support for wildcards in tamper protection trusted process.
- Improved device control policy enforcement in offline environments.
- Fixed issue in the WDNisDrv.sys driver that caused system hangs during shutdown.
After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see Microsoft Defender Antivirus updates: Previous versions for technical upgrade support.
Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform and engine updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform and engine version:
Security and Critical Updates servicing phase - When running the latest platform and engine version, you're eligible to receive both Security and Critical updates to the anti-malware platform.
Technical Support (Only) phase - After a new platform and engine version is released, support for older versions (N-2) is reduced to technical support only. Platform and engine versions older than N-2 are no longer supported. Technical support continues to be provided for upgrades from the Windows 10 release version (see Platform version included with Windows 10 releases) to the latest platform version.
During the technical support (only) phase, commercially reasonable support incidents are provided through Microsoft Customer Service & Support and Microsoft's managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a nonsecurity update, or requires a security update, customers are asked to upgrade to the latest platform version or an intermediate update (*).
Note
If you're manually deploying Microsoft Defender Antivirus Platform Update, or if you're using a script or a non-Microsoft management product to deploy Microsoft Defender Antivirus Platform Update, make sure that version 4.18.2001.10 is installed from the Microsoft Update Catalog before the latest version of Platform Update (N-2) is installed.
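The check below is an added example, not Microsoft's code: it places a device's platform and engine versions relative to the three releases listed in this article, and reports the running mode because passive-mode devices need updates too. Get-ReleasePosition and the sample versions are constructed for illustration; a device older than every listed release needs the previous-versions article to determine its support phase.

```powershell
# Added example. Release data is copied from the three broad-channel releases
# listed in this article, newest first.
$Releases = @(
    [pscustomobject]@{ Platform = [version]'4.18.25030.2';    Engine = [version]'1.1.25030.1' }
    [pscustomobject]@{ Platform = [version]'4.18.25020.1009'; Engine = [version]'1.1.25020.1007' }
    [pscustomobject]@{ Platform = [version]'4.18.25010.11';   Engine = [version]'1.1.25010.7' }
)

function Get-ReleasePosition {
    # Hypothetical helper: places an installed version relative to the listed ones.
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][version[]]$Listed   # newest first
    )
    if ($Installed -ge $Listed[0])  { return 'Latest listed release or newer' }
    if ($Installed -ge $Listed[-1]) { return 'Behind latest, within listed releases' }
    return 'Older than every listed release'
}

# Constructed sample platform versions, to show the three outcomes offline.
foreach ($sample in '4.18.25030.2', '4.18.25020.1009', '4.18.24000.1') {
    '{0,-16} {1}' -f $sample, (Get-ReleasePosition -Installed $sample -Listed $Releases.Platform)
}

# On a device with the Defender module, evaluate the real values.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RunningMode      = $status.AMRunningMode
        PlatformVersion  = $status.AMProductVersion
        PlatformPosition = Get-ReleasePosition -Installed $status.AMProductVersion -Listed $Releases.Platform
        EngineVersion    = $status.AMEngineVersion
        EnginePosition   = Get-ReleasePosition -Installed $status.AMEngineVersion -Listed $Releases.Engine
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
    }
}
```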
To install the latest security intelligence and antivirus engine updates, you can use any of the following methods:
- Windows Update
- Windows Update server (WSUS)
- Software Update Point (SUP)
- Windows Security app: See Microsoft Defender Antivirus in the Windows Security app
- Command line, as follows:
"%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -SignatureUpdate
"%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -SignatureUpdate \\FileServer\ShareName
"%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -SignatureUpdate -MMPC
For more information, see Manage the sources for Microsoft Defender Antivirus protection updates.
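The commands above contain a <version> placeholder that differs per device. The following added example (not part of the original article) resolves it to the newest installed platform folder and runs the signature update from that path; Resolve-MpCmdRunPath is a hypothetical helper, and the folder-name suffix handling is an assumption.

```powershell
function Resolve-MpCmdRunPath {
    # Hypothetical helper: returns the MpCmdRun.exe of the newest installed platform.
    param(
        [string]$PlatformRoot = (Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'),
        [string]$InboxDir     = (Join-Path $env:ProgramFiles 'Windows Defender')
    )
    $candidates = Get-ChildItem -Path $PlatformRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: folder names start with the platform version and may
            # carry a suffix (for example "-0"), so parse only the numeric part.
            if ($_.Name -match '^\d+(\.\d+){2,3}') {
                [pscustomobject]@{
                    Exe     = Join-Path $_.FullName 'MpCmdRun.exe'
                    Version = [version]$Matches[0]
                }
            }
        } |
        Where-Object { Test-Path -LiteralPath $_.Exe } |
        Sort-Object -Property Version -Descending   # numeric sort, not string sort

    if ($candidates) { return @($candidates)[0].Exe }

    # Fall back to the copy shipped with the operating system.
    $inbox = Join-Path $InboxDir 'MpCmdRun.exe'
    if (Test-Path -LiteralPath $inbox) { return $inbox }
    throw "MpCmdRun.exe not found under '$PlatformRoot' or '$InboxDir'."
}

$mpCmdRun = Resolve-MpCmdRunPath
Write-Host "Using $mpCmdRun"
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Signature update exited with code $LASTEXITCODE."
}
```

Calling the binary by its resolved full path, rather than relying on PATH, keeps scripted updates pointed at the currently installed platform after each monthly platform update.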
To get the latest platform updates, you can use any of the following methods:
- Windows Update
- Windows Update server (WSUS)
- Software Update Point (SUP)
- Windows Security app: See Microsoft Defender Antivirus in the Windows Security app
In the unfortunate event that you encounter issues after an update, you can roll back to the previous or the inbox version.
Scenario | Command |
---|---|
Roll security intelligence updates back to the previous or to the original inbox version of the security intelligence version | "%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -RemoveDefinitions |
Roll the engine version back to the previous version | "%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -RemoveDefinitions -Engine |
Roll a platform update back to the previous version | "%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -RevertPlatform |
Roll updates back to the version shipped with the operating system (%ProgramFiles%\Windows Defender) | "%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -ResetPlatform |
The table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
Windows 10 release | Platform version | Engine version | Support phase |
---|---|---|---|
2004 (20H1/20H2) | 4.18.1909.6 | 1.1.17000.2 | Technical upgrade support (only) |
1909 (19H2) | 4.18.1902.5 | 1.1.16700.3 | Technical upgrade support (only) |
1903 (19H1) | 4.18.1902.5 | 1.1.15600.4 | Technical upgrade support (only) |
1809 (RS5) | 4.18.1807.5 | 1.1.15000.2 | Technical upgrade support (only) |
1803 (RS4) | 4.13.17134.1 | 1.1.14600.4 | Technical upgrade support (only) |
1709 (RS3) | 4.12.16299.15 | 1.1.14104.0 | Technical upgrade support (only) |
1703 (RS2) | 4.11.15603.2 | 1.1.13504.0 | Technical upgrade support (only) |
1607 (RS1) | 4.10.14393.3683 | 1.1.12805.0 | Technical upgrade support (only) |
For Windows 10 release information, see the Windows lifecycle fact sheet.
Note
Windows Server 2016 ships with the same Platform version as RS1 and falls under the same support phase: Technical upgrade support (only)
Windows Server 2019 ships with the same Platform version as RS5 and falls under the same support phase: Technical upgrade support (only)
To avoid a gap in protection, keep your OS installation images up to date with the latest antivirus and anti-malware updates. Updates are available for:
- Windows 10 and 11 (Enterprise, Pro, and Home editions)
- Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2
- WIM and VHD(x) files
Updates are released for x86, x64, and Arm64 Windows architecture.
For more information, see Microsoft Defender update for Windows operating system installation images.
After a new package version is released, support for the previous two versions is reduced to technical support only. To view a list of previous versions, see Previous DISM updates.
- Defender package version: 1.417.472.0
- Security intelligence version: 1.417.472.0
- Engine version: 1.24080.9
- None
- None
- Defender package version: 1.415.295.0
- Security intelligence version: 1.415.295.0
- Engine version: 1.24070.1
- Platform version: 4.18.24070.5
- None
- None
- Defender package version: 1.415.235.0
- Security intelligence version: 1.415.235.0
- Engine version: 1.24070.1
- Platform version: 4.18.24070.5
- None
- None
Article | Description |
---|---|
Microsoft Defender update for Windows operating system installation images | Review anti-malware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, Windows Server 2022, Windows Server 2016, and Windows Server 2012 R2 installation images. |
Manage how protection updates are downloaded and applied | Protection updates can be delivered through many sources. |
Manage when protection updates should be downloaded and applied | You can schedule when protection updates should be downloaded. |
Manage updates for endpoints that are out of date | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
Manage event-based forced updates | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
Manage updates for mobile devices and virtual machines (VMs) | You can specify settings, such as whether updates should occur on battery power, which is especially useful for mobile devices and virtual machines. |
Microsoft Defender for Endpoint update for EDR Sensor | You can update the EDR sensor (MsSense.exe) that's included in the new Microsoft Defender for Endpoint unified solution package released in 2021. |
Tip
If you're looking for Antivirus related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.