
Microsoft Windows Defender

Aug 19, 2020. Aug 20, 2019.

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

There are two types of updates related to keeping Microsoft Defender Antivirus up to date:

  • Security intelligence updates
  • Product updates

Important

Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
This also applies to devices where Microsoft Defender Antivirus is running in passive mode.

You can use the following URL to find the current versions: https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info

Security intelligence updates

Microsoft Defender Antivirus uses cloud-delivered protection (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.

Note

Updates are released under the below KB numbers:
Microsoft Defender Antivirus: KB2267602
System Center Endpoint Protection: KB2461484

Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see Use Microsoft cloud-provided protection in Microsoft Defender Antivirus.

Engine updates are included with security intelligence updates and are released on a monthly cadence.

Product updates

Microsoft Defender Antivirus requires monthly updates (KB4052623) (known as platform updates), and will receive major feature updates alongside Windows 10 releases.

You can manage the distribution of updates through one of the following methods:

  • The usual method you use to deploy Microsoft and Windows updates to endpoints in your network.

For more information, see Manage the sources for Microsoft Defender Antivirus protection updates.

Note

We release these monthly updates in phases. This results in multiple packages visible in your WSUS server.

Monthly platform and engine versions

For information how to update or how to install the platform update, see Update for Windows Defender antimalware platform.

All our updates contain:

  • performance improvements
  • serviceability improvements
  • integration improvements (Cloud, Microsoft 365 Defender)

September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)

 Security intelligence update version: 1.325.10.0
 Released: October 01, 2020
 Platform: 4.18.2009.7
 Engine: 1.1.17500.4
 Support phase: Security and Critical Updates

What's new

  • Admin permissions are required to restore files in quarantine
  • XML formatted events are now supported
  • CSP support for ignoring exclusion merge
  • New management interfaces for:
    • UDP Inspection
    • Network Protection on Server 2019
    • IP Address exclusions for Network Protection
  • Improved visibility into TPM measurements
  • Improved Office VBA module scanning

Known Issues

No known issues

August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)

 Security intelligence update version: 1.323.9.0
 Released: August 27, 2020
 Platform: 4.18.2008.9
 Engine: 1.1.17400.5
 Support phase: Security and Critical Updates

What's new

  • Add more telemetry events
  • Improved scan event telemetry
  • Improved behavior monitoring for memory scans
  • Improved macro streams scanning
  • Added AMRunningMode to Get-MpComputerStatus PowerShell cmdlet
  • DisableAntiSpyware is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program.

Known Issues

No known issues

July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)

 Security intelligence update version: 1.321.30.0
 Released: July 28, 2020
 Platform: 4.18.2007.8
 Engine: 1.1.17300.4
 Support phase: Security and Critical Updates

What's new

  • Improved telemetry for BITS
  • Improved Authenticode code signing certificate validation

Known Issues

No known issues

June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)

 Security intelligence update version: 1.319.20.0
 Released: June 22, 2020
 Platform: 4.18.2006.10
 Engine: 1.1.17200.2
 Support phase: Technical upgrade Support (Only)

What's new

  • Possibility to specify the location of the support logs
  • Skipping aggressive catchup scan in Passive mode.
  • Allow Defender to update on metered connections
  • Fixed performance tuning when caching is disabled
  • Fixed registry query
  • Fixed scantime randomization in ADMX

Known Issues

No known issues

May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)

 Security intelligence update version: 1.317.20.0
 Released: May 26, 2020
 Platform: 4.18.2005.4
 Engine: 1.1.17100.2
 Support phase: Technical upgrade Support (Only)

What's new

  • Improved logging for scan events
  • Improved user mode crash handling.
  • Added event tracing for Tamper protection
  • Fixed AMSI Sample submission
  • Fixed AMSI Cloud blocking
  • Fixed Security update install log

Known Issues

No known issues

April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)

 Security intelligence update version: 1.315.12.0
 Released: April 30, 2020
 Platform: 4.18.2004.6
 Engine: 1.1.17000.2
 Support phase: Technical upgrade Support (Only)

What's new

  • WDfilter improvements
  • Add more actionable event data to attack surface reduction detection events
  • Fixed version information in diagnostic data and WMI
  • Fixed incorrect platform version in UI after platform update
  • Dynamic URL intel for Fileless threat protection
  • UEFI scan capability
  • Extend logging for updates

Known Issues

No known issues

March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)

 Security intelligence update version: 1.313.8.0
 Released: March 24, 2020
 Platform: 4.18.2003.8
 Engine: 1.1.16900.4
 Support phase: Technical upgrade Support (Only)

What's new

  • CPU Throttling option added to MpCmdRun
  • Improve diagnostic capability
  • reduce Security intelligence timeout (5 min)
  • Extend AMSI engine internal log capability
  • Improve notification for process blocking

Known Issues

[Fixed] Microsoft Defender Antivirus is skipping files when running a scan.


February-2020 (Platform: - | Engine: 1.1.16800.2)

Security intelligence update version: 1.311.4.0
Released: February 25, 2020
Platform/Client: -
Engine: 1.1.16800.2
Support phase: N/A

What's new

Known Issues

No known issues

January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)

Security intelligence update version: 1.309.32.0
Released: January 30, 2020
Platform/Client: 4.18.2001.10
Engine: 1.1.16700.2
Support phase: Technical upgrade Support (Only)

What's new

  • Fixed BSOD on WS2016 with Exchange
  • Support platform updates when TMP is redirected to network path
  • Platform and engine versions are added to WDSI
  • extend Emergency signature update to passive mode
  • Fix 4.18.1911.3 hang

Known Issues

[Fixed] devices utilizing modern standby mode may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.

Important

This update is needed by RS1 devices running a lower version of the platform to support SHA2.
This update has a reboot flag for systems that are experiencing the hang issue.
This update was re-released in April 2020 and will not be superseded by newer updates, to keep it available in the future.

Important

This update is categorized as an 'update' due to its reboot requirement and will only be offered with a Windows Update.

November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)

Security intelligence update version: 1.307.13.0
Released: December 7, 2019
Platform: 4.18.1911.3
Engine: 1.1.17000.7
Support phase: No support

What's new

  • Fixed MpCmdRun tracing level
  • Fixed WDFilter version info
  • Improve notifications (PUA)
  • add MRT logs to support files

Known Issues

When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.

Microsoft Defender Antivirus platform support

Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version:

  • Security and Critical Updates servicing phase - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.

  • Technical Support (Only) phase - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*

* Technical support will continue to be provided for upgrades from the Windows 10 release version (see Platform version included with Windows 10 releases) to the latest platform version.

During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft's managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
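Added example (not from the original page or from Microsoft's documentation): a PowerShell check that reads the installed versions with Get-MpComputerStatus and maps the platform version to the support phase given in the monthly entries above. The function names, and the rule that an unlisted build takes the phase of the nearest older listed release, are assumptions of this example.

```powershell
# Support phases copied from this page's monthly entries (snapshot as of the
# September-2020 release). They shift with every new platform release.
$PlatformPhases = @{
    '4.18.2009.7'  = 'Security and Critical Updates'
    '4.18.2008.9'  = 'Security and Critical Updates'
    '4.18.2007.8'  = 'Security and Critical Updates'
    '4.18.2006.10' = 'Technical upgrade Support (Only)'
    '4.18.2005.4'  = 'Technical upgrade Support (Only)'
    '4.18.2004.6'  = 'Technical upgrade Support (Only)'
    '4.18.2003.8'  = 'Technical upgrade Support (Only)'
    '4.18.2001.10' = 'Technical upgrade Support (Only)'
    '4.18.1911.3'  = 'No support'
}

function Get-PlatformSupportPhase {
    param([Parameter(Mandatory)][version]$PlatformVersion)

    # Compare as [version], not as text: the string '4.18.2006.10' sorts
    # below '4.18.2006.9' although it is the newer build.
    $listed = $PlatformPhases.Keys |
        ForEach-Object { [version]$_ } |
        Sort-Object -Descending

    if ($PlatformVersion -gt $listed[0]) {
        return 'Newer than this snapshot'
    }

    # Assumption: an unlisted build takes the phase of the newest listed
    # release that is not newer than it.
    $match = $listed | Where-Object { $_ -le $PlatformVersion } |
        Select-Object -First 1
    if (-not $match) {
        # In-box builds such as those in the Windows 10 release table land here.
        return 'Older than the monthly list'
    }
    return $PlatformPhases[$match.ToString()]
}

function Get-DefenderUpdateReport {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        # AMRunningMode exists from the August-2020 platform onward;
        # on older platforms this field is empty.
        RunningMode   = $s.AMRunningMode
        Platform      = $s.AMProductVersion
        Engine        = $s.AMEngineVersion
        SecurityIntel = $s.AntivirusSignatureVersion
        IntelAgeDays  = $s.AntivirusSignatureAge
        SupportPhase  = Get-PlatformSupportPhase -PlatformVersion $s.AMProductVersion
    }
}

# Constructed inputs showing the comparison without touching the local device.
Get-PlatformSupportPhase -PlatformVersion '4.18.2006.10'   # listed build
Get-PlatformSupportPhase -PlatformVersion '4.18.2006.12'   # unlisted, maps to 2006.10
Get-PlatformSupportPhase -PlatformVersion '4.18.1902.5'    # in-box build, older than list

# On a Windows device with Microsoft Defender Antivirus present:
# Get-DefenderUpdateReport | Format-List
```

Devices in passive mode should be included in the report, since the page states that the update requirement applies to them as well.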

Platform version included with Windows 10 releases

The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:

Windows 10 release | Platform version | Engine version | Support phase
2004 (20H1)        | 4.18.2004.6      | 1.1.17000.2    | Technical upgrade Support (Only)
1909 (19H2)        | 4.18.1902.5      | 1.1.16700.3    | Technical upgrade Support (Only)
1903 (19H1)        | 4.18.1902.5      | 1.1.15600.4    | Technical upgrade Support (Only)
1809 (RS5)         | 4.18.1807.18075  | 1.1.15000.2    | Technical upgrade Support (Only)
1803 (RS4)         | 4.13.17134.1     | 1.1.14600.4    | Technical upgrade Support (Only)
1709 (RS3)         | 4.12.16299.15    | 1.1.14104.0    | Technical upgrade Support (Only)
1703 (RS2)         | 4.11.15603.2     | 1.1.13504.0    | Technical upgrade Support (Only)
1607 (RS1)         | 4.10.14393.3683  | 1.1.12805.0    | Technical upgrade Support (Only)

Windows 10 release info: Windows lifecycle fact sheet.

See also

Article | Description
Manage how protection updates are downloaded and applied | Protection updates can be delivered through a number of sources.
Manage when protection updates should be downloaded and applied | You can schedule when protection updates should be downloaded.
Manage updates for endpoints that are out of date | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next logon.
Manage event-based forced updates | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
Manage updates for mobile devices and virtual machines (VMs) | You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
Applies to:

  • Windows 10
  • Windows 10 Mobile
  • Microsoft Edge

Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

Microsoft Defender SmartScreen determines whether a site is potentially malicious by:

  • Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.

  • Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.

Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:

  • Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.

  • Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution.

Benefits of Microsoft Defender SmartScreen

Microsoft Defender SmartScreen provides an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:

  • Anti-phishing and anti-malware support. Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks.

  • Reputation-based URL and app protection. Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.

  • Operating system integration. Microsoft Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.

  • Improved heuristics and diagnostic data. Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.

  • Management through Group Policy and Microsoft Intune. Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings.

  • Blocking URLs associated with potentially unwanted applications. In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see Detect and block potentially unwanted applications.

Important

SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.

Submit files to Microsoft Defender SmartScreen for review

If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can submit a file to Microsoft for review. For more info, see Submit files for analysis.

When submitting Microsoft Defender SmartScreen products, make sure to select Microsoft Defender SmartScreen from the product menu.

Viewing Microsoft Defender SmartScreen anti-phishing events

Note

No SmartScreen events will be logged when using Microsoft Edge version 77 or later.

When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as Event 1035 - Anti-Phishing.

Viewing Windows event logs for Microsoft Defender SmartScreen

Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.

The Windows event log for SmartScreen is disabled by default. Users can enable the log through the Event Viewer UI or from the command line.

Note

For information on how to use the Event Viewer, see Windows Event Viewer.

EventID | Description
1000    | Application Windows Defender SmartScreen Event
1001    | Uri Windows Defender SmartScreen Event
1002    | User Decision Windows Defender SmartScreen Event
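Added example (not from the original page, whose command text did not survive): enabling the Microsoft-Windows-SmartScreen/Debug log from an elevated PowerShell session and reading back the three event IDs in the table above. It assumes the standard wevtutil syntax for enabling a channel; the function names are hypothetical.

```powershell
$SmartScreenLog = 'Microsoft-Windows-SmartScreen/Debug'

# Event IDs and descriptions as listed in the table on this page.
$SmartScreenEventTypes = @{
    1000 = 'Application Windows Defender SmartScreen Event'
    1001 = 'Uri Windows Defender SmartScreen Event'
    1002 = 'User Decision Windows Defender SmartScreen Event'
}

function Enable-SmartScreenLog {
    # The channel is disabled by default; check before changing it.
    $cfg = Get-WinEvent -ListLog $SmartScreenLog -ErrorAction Stop
    if ($cfg.IsEnabled) { return $true }

    # Requires an elevated session.
    wevtutil sl $SmartScreenLog /e:true
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil exited with code $LASTEXITCODE (is the session elevated?)"
    }
    return (Get-WinEvent -ListLog $SmartScreenLog).IsEnabled
}

function Get-SmartScreenEvents {
    param([int]$Last = 50)

    # Debug and analytic channels can only be read oldest-first, so -Oldest
    # is required; keep the tail to get the most recent entries.
    $filter = @{ LogName = $SmartScreenLog; Id = 1000, 1001, 1002 }
    Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction SilentlyContinue |
        Select-Object -Last $Last -Property TimeCreated, Id,
            @{ Name = 'Type'; Expression = { $SmartScreenEventTypes[[int]$_.Id] } },
            Message
}

# Typical use:
# Enable-SmartScreenLog
# Get-SmartScreenEvents -Last 20 | Format-Table -Wrap
```

An empty result is expected on devices where browsing happens in Microsoft Edge version 77 or later, since the page notes that no SmartScreen events are logged there.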
