Microsoft Defender Antivirus security intelligence and product updates
2024-07-31 21:53

Applies to:

  • Microsoft Defender for Endpoint Plans 1 and 2
  • Microsoft Defender Antivirus

Platforms

  • Windows

Keeping Microsoft Defender Antivirus up to date is critical to ensure your devices have the latest technology and features needed to protect against new malware and attack techniques. Update your antivirus protection, even if Microsoft Defender Antivirus is running in passive mode. This article includes information about the two types of updates for keeping Microsoft Defender Antivirus current:

  • Security intelligence updates
  • Product updates

This article also includes:

  • Microsoft Defender Antivirus platform support
  • How to roll back an update (if necessary)
  • Platform version included with Windows 10 releases
  • Updates for Deployment Image Servicing and Management (DISM)

To see the most current engine, platform, and signature date, see Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware.

Microsoft Defender Antivirus uses cloud-delivered protection (also called the Microsoft Advanced Protection Service, or MAPS) and periodically downloads dynamic security intelligence updates to provide more protection. These dynamic updates don't take the place of regular security intelligence updates via security intelligence update KB2267602.

Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see Use Microsoft cloud-provided protection in Microsoft Defender Antivirus.

For a list of recent security intelligence updates, see Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware.

Engine updates are included with security intelligence updates and are released on a monthly cadence.

Microsoft Defender Antivirus requires monthly updates (KB4052623) known as platform updates.

You can manage the distribution of updates through one of the following methods:

  • Windows Server Update Services (WSUS)
  • Microsoft Configuration Manager
  • The usual methods you use to deploy Microsoft and Windows updates to endpoints in your network.

For more information, see Manage the sources for Microsoft Defender Antivirus protection updates.

  • Monthly updates are released in phases, resulting in multiple packages visible in your Windows Server Update Services.

  • This article lists changes that are included in the broad release channel. See the latest broad channel release here.

  • To learn more about the gradual rollout process, and to see more information about the next release, see Manage the gradual rollout process for Microsoft Defender updates.

  • To learn more about security intelligence updates, see Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware.

  • If you're looking for a list of Microsoft Defender processes, see the spreadsheet provided at Enable access to Microsoft Defender for Endpoint service URLs in the proxy server. The sheet also lists the services and their associated URLs that your network must be able to connect to.

  • Platform updates can be temporarily postponed if other protection features, such as Endpoint DLP or Device Control are actively monitoring running processes. Platform updates are retried after a reboot or when all monitored services are stopped.

  • In the Microsoft Endpoint Configuration Manager / Windows Server Update Services (MECM/WSUS) catalog, the category Microsoft Defender for Endpoint includes updates for the MSSense service in KB5005292. KB5005292 includes updates and fixes to the Microsoft Defender for Endpoint endpoint detection and response (EDR) sensor. For more information, see Microsoft Defender for Endpoint update for EDR Sensor and What's new in Microsoft Defender for Endpoint on Windows.

All our updates contain:

  • Performance improvements
  • Serviceability improvements
  • Integration improvements (Cloud, Microsoft Defender XDR)

July-2024 (Platform: 4.18.24060.7 | Engine: 1.1.24060.5)

  • Security intelligence update version: 1.415.1.0
  • Release date: July 9, 2024 (Engine) / July 15, 2024 (Platform)
  • Platform: 4.18.24060.7
  • Engine: 1.1.24060.5
  • Support phase: Security and Critical Updates

What's new

  • Fixed issue where Microsoft Defender Antivirus was not properly changing state when non-Microsoft antivirus/antimalware software was installed and Windows Defender Application Control (WDAC) with Intelligent Security Graph were enabled.
  • Fixed deadlock issue on VDI that occurred when loading corrupted update files from UNC share.
  • Custom scans started with Start-MpScan are now reported in the event log.
  • Fixed potential deadlock that occurred on volume mount scanning.
  • Fixed issue where Microsoft Defender Antivirus did not allow applications to clean up temporary files.
  • Fixed potential packet loss due to network protection shutdown that could lead to deadlock.
  • Implemented performance improvements for scenarios where WDAC is enabled with Intelligent Security Graph.
  • Fixed an issue where an Outlook exclusion for the ASR rule Block Office applications from injecting code into other processes was not honored.
  • Fixed a race condition during the startup of endpoint data loss prevention such that, in certain environments, some system files could be corrupted.

June-2024 (Platform: 4.18.24050.7 | Engine: 1.1.24050.5)

  • Security intelligence update version: 1.413.1.0
  • Release date: May 30, 2024 (Engine) / June 4, 2024 (Platform)
  • Engine: 1.1.24050.5
  • Platform: 4.18.24050.7
  • Support phase: Security and Critical Updates

What's new

  • Improved performance when running configuration queries.
  • Optimized how scans are prioritized.
  • Fixed a crash caused by a race condition with a device control driver.
  • Added Event Viewer Logging for scan start event where the scan originates from PowerShell.

May-2024 (Platform: 4.18.24040.4 | Engine: 1.1.24040.1)

  • Security intelligence update version: 1.411.7.0
  • Release date: May 07, 2024 (Engine) / May 16, 2024 (Platform)
  • Engine: 1.1.24040.1
  • Platform: 4.18.24040.4
  • Support phase: Security and Critical Updates

What's new

  • Added an opt-out feature for Experimental Configuration Services (ECS) and One collector in the Core Service.
  • Fixed an issue where occasionally exclusions deployed via Intune were not being honored when tamper protection was enabled.
  • After a new engine version is released, support for older versions (N-2) will now reduce to technical support only. Engine versions older than N-2 are no longer supported.
  • Improved health monitoring and telemetry for attack surface rules exclusions.
  • Updated inaccurate information in Configure exclusions for files opened by processes regarding wildcard usage with contextual exclusions.

After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see Microsoft Defender Antivirus updates: Previous versions for technical upgrade support.

Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform and engine updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform and engine version:

  • Security and Critical Updates servicing phase - When running the latest platform and engine version, you're eligible to receive both Security and Critical updates to the anti-malware platform.

  • Technical Support (Only) phase - After a new platform and engine version is released, support for older versions (N-2) is reduced to technical support only. Platform and engine versions older than N-2 are no longer supported. Technical support continues to be provided for upgrades from the Windows 10 release version (see Platform version included with Windows 10 releases) to the latest platform version.

During the technical support (only) phase, commercially reasonable support incidents are provided through Microsoft Customer Service & Support and Microsoft's managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a nonsecurity update, or requires a security update, customers are asked to upgrade to the latest platform version or an intermediate update (*).
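To see where an endpoint sits relative to the N-2 cutoff described above, the following PowerShell compares the installed platform and engine versions with the three releases listed in this article. It is an added example, not Microsoft's code; the function names are hypothetical, and the release list has to be extended by hand as newer releases ship.

```powershell
# Added example. Release list copied from this article, newest first.
$Releases = @(
    [pscustomobject]@{ Platform = [version]'4.18.24060.7'; Engine = [version]'1.1.24060.5' }  # July 2024
    [pscustomobject]@{ Platform = [version]'4.18.24050.7'; Engine = [version]'1.1.24050.5' }  # June 2024
    [pscustomobject]@{ Platform = [version]'4.18.24040.4'; Engine = [version]'1.1.24040.1' }  # May 2024
)

function Get-ReleaseDistance {
    # Returns how many listed releases are newer than $Installed (0 = latest or newer).
    param([version]$Installed, [version[]]$Known)
    for ($i = 0; $i -lt $Known.Count; $i++) {
        if ($Installed -ge $Known[$i]) { return $i }
    }
    return $Known.Count   # older than every listed release
}

function Get-DefenderSupportPosition {
    param(
        [Parameter(Mandatory)][version]$Platform,
        [Parameter(Mandatory)][version]$Engine
    )
    $p = Get-ReleaseDistance -Installed $Platform -Known ($Releases.Platform)
    $e = Get-ReleaseDistance -Installed $Engine   -Known ($Releases.Engine)
    # The component that lags furthest behind decides the overall position.
    $position = switch ([math]::Max($p, $e)) {
        0       { 'N (latest listed release)' }
        1       { 'N-1' }
        2       { 'N-2' }
        default { 'Older than N-2 (no longer supported)' }
    }
    [pscustomobject]@{
        Platform       = $Platform
        PlatformBehind = $p
        Engine         = $Engine
        EngineBehind   = $e
        Position       = $position
    }
}

# Passive-mode installs need updates too, so the running mode is reported alongside.
$status = Get-MpComputerStatus
Get-DefenderSupportPosition -Platform $status.AMProductVersion -Engine $status.AMEngineVersion |
    Add-Member -NotePropertyName RunningMode -NotePropertyValue $status.AMRunningMode -PassThru |
    Add-Member -NotePropertyName SignatureVersion -NotePropertyValue $status.AntivirusSignatureVersion -PassThru
```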

In the unfortunate event that you encounter issues after a platform update, you can roll back to the previous or the inbox version of the Microsoft Defender platform.

  • To roll back to the previous version, run the following command:

  • To roll back this update to the version shipped with the Operating System ("%ProgramFiles%\Windows Defender"):
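The two rollback paths above, as an added PowerShell example that is not part of the original article: it uses the MpCmdRun.exe switches -RevertPlatform (previous version) and -ResetPlatform (inbox version), and records the platform version before and after so the change can be confirmed. It assumes updated platform builds are installed in versioned folders under %ProgramData%\Microsoft\Windows Defender\Platform and that the highest-versioned folder is the active one; the script parameter name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: roll back the Defender platform and verify the resulting version.
param(
    [ValidateSet('Previous', 'Inbox')]
    [string]$Target = 'Previous'
)

$before = (Get-MpComputerStatus).AMProductVersion

if ($Target -eq 'Previous') {
    # Assumption: folders are named like "<version>-0"; pick the highest version.
    $root = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    $dir  = Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            Sort-Object { [version](($_.Name -split '-')[0]) } -Descending |
            Select-Object -First 1
    if (-not $dir) { throw "No updated platform found under $root; nothing to revert." }
    $exe  = Join-Path $dir.FullName 'MpCmdRun.exe'
    $flag = '-RevertPlatform'
} else {
    # Inbox copy shipped with the operating system.
    $exe  = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $flag = '-ResetPlatform'
}

& $exe $flag
if ($LASTEXITCODE -ne 0) { throw "MpCmdRun.exe $flag exited with code $LASTEXITCODE" }

# The antimalware service restarts during rollback, so retry the status query.
$after = $null
foreach ($attempt in 1..12) {
    try   { $after = (Get-MpComputerStatus -ErrorAction Stop).AMProductVersion; break }
    catch { Start-Sleep -Seconds 5 }
}
if (-not $after) { throw 'Defender did not report status after the rollback.' }

[pscustomobject]@{
    Action         = $flag
    PlatformBefore = $before
    PlatformAfter  = $after
    Changed        = ($before -ne $after)
}
```

A result with Changed set to False means the platform was already at the target version or the rollback did not take effect, and the endpoint should be checked before it is treated as rolled back.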

The following table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:

| Windows 10 release | Platform version | Engine version | Support phase |
|---|---|---|---|
| 2004 (20H1/20H2) | | | Technical upgrade support (only) |
| 1909 (19H2) | | | Technical upgrade support (only) |
| 1903 (19H1) | | | Technical upgrade support (only) |
| 1809 (RS5) | | | Technical upgrade support (only) |
| 1803 (RS4) | | | Technical upgrade support (only) |
| 1709 (RS3) | | | Technical upgrade support (only) |
| 1703 (RS2) | | | Technical upgrade support (only) |
| 1607 (RS1) | | | Technical upgrade support (only) |

For Windows 10 release information, see the Windows lifecycle fact sheet.

To avoid a gap in protection, keep your OS installation images up to date with the latest antivirus and antimalware updates. Updates are available for:

  • Windows 10 and 11 (Enterprise, Pro, and Home editions)
  • Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2
  • WIM and VHD(x) files

Updates are released for x86, x64, and ARM64 Windows architecture.

For more information, see Microsoft Defender update for Windows operating system installation images.

After a new package version is released, support for the previous two versions is reduced to technical support only.

  • Defender package version:
  • Security intelligence version:
  • Engine version:
  • Platform version:

Fixes

  • None

Additional information

  • None

  • Defender package version:
  • Security intelligence version:
  • Engine version:
  • Platform version:

Fixes

  • None

Additional information

  • None

  • Defender package version:
  • Security intelligence version:
  • Engine version:
  • Platform version:

Fixes

  • None

Additional information

  • None

| Article | Description |
|---|---|
| Microsoft Defender update for Windows operating system installation images | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, Windows Server 2022, Windows Server 2016, and Windows Server 2012 R2 installation images. |
| Manage how protection updates are downloaded and applied | Protection updates can be delivered through many sources. |
| Manage when protection updates should be downloaded and applied | You can schedule when protection updates should be downloaded. |
| Manage updates for endpoints that are out of date | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
| Manage event-based forced updates | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
| Manage updates for mobile devices and virtual machines (VMs) | You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. |
| Microsoft Defender for Endpoint update for EDR Sensor | You can update the EDR sensor (MsSense.exe) that's included in the new Microsoft Defender for Endpoint unified solution package released in 2021. |