Microsoft Defender Antivirus updates - Previous versions for technical upgrade support only

Applies to:

Microsoft regularly releases security intelligence updates and product updates for Microsoft Defender Antivirus. It's important to keep Microsoft Defender Antivirus up to date. When a new package version is released, support for the previous two versions reduces to technical support only. Versions that are older than the previous two versions are listed in this article and are provided for technical upgrade support only.

Engine and platform updates

June-2024 (Platform: 4.18.24060.7 | Engine: 1.1.24060.5)

  • Security intelligence update version: 1.415.1.0
  • Release date: July 9, 2024 (Engine) / July 15, 2024 (Platform)
  • Platform: 4.18.24060.7
  • Engine: 1.1.24060.5
  • Support phase: Technical upgrade support (only)

What's new

  • Fixed issue where Microsoft Defender Antivirus was not properly changing state when non-Microsoft antivirus/antimalware software was installed and Windows Defender Application Control (WDAC) with Intelligent Security Graph were enabled.
  • Fixed deadlock issue on VDI that occurred when loading corrupted update files from UNC share.
  • Custom scans started with Start-MpScan are now reported in the event log.
  • Fixed potential deadlock that occurred on volume mount scanning.
  • Fixed issue where Microsoft Defender Antivirus did not allow applications to clean up temporary files.
  • Fixed potentially packet loss due to network protection shutdown that could lead to deadlock.
  • Implemented performance improvements for scenarios where WDAC is enabled with Intelligent Security Graph.
  • Fixed an issue where an Outlook exclusion for the ASR rule Block Office applications from injecting code into other processes was not honored.
  • Fixed a race condition during the startup of endpoint data loss prevention such that, in certain environments, some system files could be corrupted.

May-2024 (Engine: 1.1.24050.5 | Platform: 4.18.24050.7)

  • Security intelligence update version: 1.413.1.0
  • Release date: May 30, 2024 (Engine) / June 4, 2024 (Platform)
  • Engine: 1.1.24050.5
  • Platform: 4.18.24050.7
  • Support phase: Technical upgrade support (only)

What's new

  • Improved performance when running configuration queries.
  • Optimized how scans are prioritized.
  • Fixed a crash caused by a race condition with a device control driver.
  • Added Event Viewer Logging for scan start event where the scan originates from PowerShell.

April-2024 (Engine: 1.1.24040.1 | Platform: 4.18.24040.4)

  • Security intelligence update version: 1.411.7.0
  • Release date: May 07, 2024 (Engine) / May 16, 2024 (Platform)
  • Engine: 1.1.24040.1
  • Platform: 4.18.24040.4
  • Support phase: Technical upgrade support (only)

What's new

  • Added an opt-out feature for Experimental Configuration Services (ECS) and One collector in the Core Service.
  • Fixed an issue where occasionally exclusions deployed via Intune were not being honored when tamper protection was enabled.
  • After a new engine version is released, support for older versions (N-2) will now reduce to technical support only. Engine versions older than N-2 are no longer supported.
  • Improved health monitoring and telemetry for attack surface rules exclusions.
  • Updated inaccurate information in Configure exclusions for files opened by processes regarding wildcard usage with contextual exclusions.

March-2024 (Engine: 1.1.24030.4 | Platform: 4.18.24030.9)

  • Security intelligence update version: 1.409.1.0
  • Release date: April 2, 2024 (Engine) / April 9, 2024 (Platform)
  • Engine: 1.1.24030.4
  • Platform: 4.18.24030.9
  • Support phase: Technical upgrade support (only)

What's new

  • Added manageability settings to opt out for One Collector telemetry channel and Experimentation and Configuration Service (ECS).
  • Microsoft Defender Core Service will be disabled when 3rd party Antivirus is installed (except when Defender for Endpoint is running in Passive mode).
  • The known issue in 4.18.24020.7 where enforcement of device level access policies wasn't working as expected no longer occurs.
  • Fixed high CPU issue caused by redetection done during Sense originating scans.
  • Fixed an issue with Security Intelligence Update disk cleanup.
  • Fixed an issue where the Signature date information on the Security Health report wasn't accurate.
  • Introduced performance improvements when processing paths for exclusions.
  • Added improvements to allow recovering from erroneously added Indicators of compromise (IoC).
  • Improved resilience in processing attack surface reduction exclusions for Anti Malware Scan Interface (AMSI) scans.
  • Fixed a high memory issue related to the Behavior Monitoring queue that occurred when MAPS is disabled.
  • A possible deadlock when receiving a Tamper protection configuration change from the Microsoft Defender portal no longer occurs.

February-2024 (Engine: 1.1.24020.9 | Platform: 4.18.24020.7)

  • Security intelligence update version: 1.407.46.0
  • Release date: March 6, 2024 (Engine) / March 12, 2024 (Platform)
  • Engine: 1.1.24020.9
  • Platform: 4.18.24020.7
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • For device control customers using removable media policies with disk/device-level access only (masks that include the values 1, 2, 3, 4, and 7), enforcement might not work as expected. In such situations, we recommend customers roll back to the previous version of the Defender platform.

January-2024 (Platform: 4.18.24010.12 | Engine: 1.1.24010.10)

  • Security intelligence update version: 1.405.702.0
  • Release date: February 27, 2024
  • Platform: 4.18.24010.12
  • Engine: 1.1.24010.10
  • Support phase: Technical upgrade support (only)

What's new

  • Microsoft Defender Antivirus now caches the Mark of the Web (MoTW) Alternative Data Stream (ADS) for better performance while scanning.
  • Fixed an issue that occurred in attack surface reduction in warn mode when removing scan results from the real-time protection cache.
  • Performance improvement added for OneNote.exe.
  • Cloud-based entries are regularly removed from the persistent user mode cache in Windows Defender to prevent an uncommon issue where a user could still add a certificate, based on an Indicator of compromise (IoC), to the cache after a file with that certificate had already been added via cloud signature.
  • The Sense onboarding event is now sent in passive mode for operating systems with the old Sense client.
  • Improved performance for logs created/accessed by powershell.
  • Improved performance for folders included in Controlled folder access(CFA) when accessing network files.
  • Fixed a deadlock that occurred at shutdown for Data Loss Prevention (DLP) enabled devices.
  • Fixed an issue to remove a vulnerability in the Microsoft Defender Core service.
  • Fixed an onboarding issue in the Unified Agent installation script install.ps1.
  • Fixed a memory leak that impacted some devices that received platform update 4.18.24010.7

November-2023 (Platform: 4.18.23110.3 | Engine: 1.1.23110.2)

  • Security intelligence update version: 1.403.7.0
  • Release date: December 5, 2023 (Platform) / December 6, 2023 (Engine)
  • Platform: 4.18.23110.3
  • Engine: 1.1.23110.2
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • None

October-2023 (Platform: 4.18.23100.2009 | Engine: 1.1.23100.2009)

  • Security intelligence update version: 1.401.3.0
  • Release date: November 3, 2023 (Engine) / November 6, 2023 (Platform)
  • Platform: 4.18.23100.2009
  • Engine: 1.1.23100.2009
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • None

September-2023 (Platform: 4.18.23090.2008 | Engine: 1.1.23090.2007)

  • Security intelligence update version: 1.399.44.0
  • Release date: October 3, 2023 (Engine) | October 4, 2023 (Platform)
  • Platform: 4.18.23090.2008
  • Engine: 1.1.23090.2007
  • Support phase: Technical upgrade support (only)

What's new

  • Fixed automatic remediation during on demand scans involving archives with multiple threats
  • Improved the performance of scanning files on network locations
  • Added support for domain computer SID for device control policies
  • Improved installer of unified agent to include legacy version of Windows Server 2012 (6.3.9600.17735)
  • Fixed issue in device control when querying Microsoft Entra group membership, which resulted in increased network traffic.
  • Improved parsing of attack surface reduction exclusions in the antimalware engine
  • Improved reliability in scanning PE files
  • Improved deployments safeguards for security intelligence updates

Known issues

  • None

August-2023 (Platform: 4.18.23080.2006 | Engine: 1.1.23080.2005)

  • Security intelligence update version: 1.397.59.0
  • Released: August 30, 2023 (Platform and Engine)
  • Platform: 4.18.23080.2006
  • Engine: 1.1.23080.2005
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • None

July-2023 (Platform: 4.18.23070.1004 | Engine: 1.1.23070.1005)

  • Security intelligence update version: 1.395.30.0
  • Released: August 9, 2023 (Engine and Platform)
  • Platform: 4.18.23070.1004
  • Engine: 1.1.23070.1005
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • None

May-2023 UPDATE (Platform: 4.18.23050.9)

Microsoft has released a platform update (4.18.23050.9) for the May 2023 release.

  • Security intelligence update version: 1.393.1315.0
  • Released: July 24, 2023 (Platform only)
  • Platform: 4.18.23050.9
  • Engine: 1.1.23060.1005
  • Support phase: Technical upgrade support (only)

What's new

  • Fixed a regression where HTTP requests were being handled sequentially, causing high latency for network protection scenarios
  • Fixed a bug where DNS requests with empty authority records were being improperly parsed

June-2023 (Engine: 1.1.23060.1005)

  • Security intelligence update version: 1.393.71.0
  • Released: July 10, 2023 (Engine only)
  • Engine: 1.1.23060.1005
  • Support phase: Technical upgrade support (only)

What's new

  • Fixed an issue with ASR rules deployed via Intune to display accurately in the Microsoft Defender portal
  • Fixed a performance issue when building and validating the Microsoft Defender Antivirus cache
  • Improved performance by removing redundant exclusion checks

Known Issues

May-2023 UPDATE (Platform: 4.18.23050.5 | Engine: 1.1.23050.2)

Microsoft released a platform update (4.18.23050.5) for the May 2023 release, followed by an additional update.

  • Security intelligence update version: 1.391.860.0
  • Released: June 12, 2023
  • Platform: 4.18.23050.5
  • Engine: 1.1.23050.2
  • Support phase: Technical upgrade support (only)

What's new

  • Fixed issue that could lead to resolution of incorrect service endpoint

Known Issues

May-2023 (Platform: 4.18.23050.3 | Engine: 1.1.23050.2)

  • Security intelligence update version: 1.391.64.0
  • Released: May 31, 2023
  • Platform: 4.18.23050.3
  • Engine: 1.1.23050.2
  • Support phase: Technical upgrade support (only)

What's new

  • New version format for Platform and Engine (see the April-2023 update)
  • Improved processing of SmartLockerMode
  • Fixed input parameters for DefinitionUpdateChannel cmdlet in Set-MpPreference
  • Improved installation experience for Windows Server 2012 R2 and Windows Server 2016
  • Added ability to disable Defender task maintenance tasks programmatically
  • Fixed WDFilter 0x50 bug check
  • Fixed print enforcement issue for device control
  • Fixed scan randomization issue when setting Intune policy
  • Fixed sense offboarding on Windows Server 2016 when tamper protection is enabled
  • Fixed inconsistent results of caching files with the internal Defender file cache
  • Augmented attack surface reduction telemetry with more data related to an ASR detection
  • Removed Image File Execution Options (IFEO) debugger value during installation, which can be used to prevent service starts
  • Fixed memory leaked in ASR logic
  • Improved validation guard-rail for Malicious Software Removal Tool (MSRT) releases

Known Issues

  • Potential issue that could lead to resolution of incorrect service endpoint

April-2023 (Platform: 4.18.2304.8 | Engine: 1.1.20300.3)

  • Security intelligence update version: 1.387.2997.0
  • Release date: May 2, 2023 (Engine) / May 2, 2023 (Platform)
  • Platform: 4.18.2304.8
  • Engine: 1.1.20300.3
  • Support phase: Technical upgrade support (only)

What's new

  • Beginning in May 2023, the Platform and Engine version schema have a new format. Here's what the new version format looks like:
    • Platform: 4.18.23050.1
    • Engine: 1.1.23050.63000
  • Fixed memory leak in behavior monitoring
  • Improved resiliency of signature loading and platform updates
  • Quarantine and restore support for WMI
  • Fixed attack surface reduction rule output with Get-MpPreference
  • Fixed MSERT to only use release engine version
  • Improved the enforcement of exclusions
  • Added support for enabling real-time protection and signature updates during OOBE
  • Fixed localization for Defender events
  • Deprecated real-time signature delivery setting
  • Updated missing setting (ValidateMapsConnection) in MpCmdRun.exe
  • Fixed abandoned threats in the Windows Security app
  • Fixed a service-hang issue that caused invalid outputs to display in Get-MpComputerStatus

Known issues

  • None

March-2023 (Platform: 4.18.2303.8 | Engine: 1.1.20200.4)

  • Security intelligence update version: 1.387.695.0
  • Release date: April 4, 2023 (Engine) / April 11, 2023 (Platform)
  • Platform: 4.18.2303.8
  • Engine: 1.1.20200.4
  • Support phase: Technical upgrade support (only)

What's new

  • Beginning in April 2023, monthly platform and engine version release information (in this article) now includes two dates: Engine and Platform
  • Increased file hash support
  • Added support to protect registry keys against parent keys abuse
  • Improved tamper protection of registry keys against parent keys abuse
  • Improved log handling for DLP and Device Control
  • Improved performance on developer drives

Known issues

  • None

February-2023 (Platform: 4.18.2302.7 | Engine: 1.1.20100.6)

  • Security intelligence update version: 1.385.68.0
  • Release date: March 27, 2023
  • Platform: 4.18.2302.7
  • Engine: 1.1.20100.6
  • Support phase: Technical upgrade support (only)

What's new

  • Fixed attack surface reduction rule output with Get-MpPreference
  • Fixed threat DefaultAction outputs in Get-MpPreference
  • Improved Defender performance during file copy operations for .NET applications
  • Fixed Microsoft Defender Vulnerability Management app block warn feature
  • Added opt-in feature to allow users seeing exclusions
  • Fixed ASR warn policy
  • Increased maximum size for quarantine archive file to 4 GB
  • Improvements to threat remediation logic
  • Improved tamper protection hardening for temporary exclusions
  • Fixed time zone calculation in Defender PowerShell module
  • Fixed merging logic for exclusions in Defender PowerShell module
  • Improvements in the contextual exclusions syntax
  • Improved scheduled scan robustness
  • Improved serviceability for internal database files
  • Enhanced certificate indicators determination logic
  • Enhanced memory usage

Known Issues

  • None

January-2023 (Platform: 4.18.2301.6 | Engine: 1.1.20000.2)

  • Security intelligence update version: 1.383.26.0
  • Release date: February 14, 2023
  • Platform: 4.18.2301.6
  • Engine: 1.1.20000.2
  • Support phase: Technical upgrade support (only)

What's new

  • Improved ASR rule processing logic
  • Updated Sense token hardening
  • Improved Defender CSP module update channel logic

Known Issues

  • None

November-2022 (Platform: 4.18.2211.5 | Engine: 1.1.19900.2)

  • Security intelligence update version: 1.381.144.0
  • Release date: December 8, 2022
  • Platform: 4.18.2211.5
  • Engine: 1.1.19900.2
  • Support phase: Technical upgrade support (only)

What's new

  • Enhanced threat protection capabilities
  • Improved tamper protection capabilities
  • Enhanced enabling of tamper protection for newly onboarded devices
  • Improved reporting for cloud protection
  • Improved controlled folder access notifications
  • Improved scanning of network shares
  • Enhanced processing of host files containing a wild card
  • Improved performance for scan events

Known Issues

  • None

October-2022 (Platform: 4.18.2210.6 | Engine: 1.1.19800.4)

  • Security intelligence update version: 1.379.4.0
  • Release date: November 10, 2022
  • Platform: 4.18.2210.6
  • Engine: 1.1.19800.4
  • Support phase: Technical upgrade support (only)

What's new

  • Addressed a quality issue that could result in poor responsiveness/usability
  • Improved hang detection in antivirus engine
  • Improved tamper protection capability
  • Changed threat & vulnerability management (TVM)-warn and TVM-block action to block to resolve Intune's report
  • Removed Clean Action from Intune policy for ThreadSeverityDefaultAction
  • Added randomize scheduled task times configuration to Intune policy
  • Added manageability for DisableSMTPParsing network protection
  • Added improvement for behavior monitoring
  • Normalized date format for event 1151 for Windows Defender
  • Fixed a deadlock related to updating \device\cdrom* exclusions upon mounting a cdrom drive under certain conditions
  • Improved PID information for threat detection

Known Issues

  • None

September-2022 (Platform: 4.18.2209.7 | Engine: 1.1.19700.3)

  • Security intelligence update version: 1.377.8.0
  • Release date: October 10, 2022
  • Platform: 4.18.2209.7
  • Engine: 1.1.19700.3
  • Support phase: Technical upgrade support (only)

What's new

  • Improved processing of Defender fallback order on Server SKU
  • Fixed Defender updates during OOBE process
  • Fixed Trusted Installer security descriptor vulnerability
  • Fixed Microsoft Defender Antivirus exclusions visibility
  • Fixed output of fallback order of the PowerShell cmdlet
  • Fixed Defender Platform update failure on Server Core 2019 SKUs
  • Improved hardening support for Defender disablement configurations on Server SKUs
  • Improved Defender configuration logics for tamper protection on servers
  • Improved WARN mode for ASR rule
  • Improved certificate handling of OSX
  • Improved logging for scanning FilesStash location
  • Beginning with platform version 4.18.2208.0 and later: If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" group policy setting will no longer completely disable Windows Defender Antivirus on Windows Server 2012 R2 and later operating systems. Instead, it is either ignored (if ForceDefenderPassiveMode is configured explicitly) or it places Microsoft Defender Antivirus into passive mode (if ForceDefenderPassiveMode isn't configured). Moreover, tamper protection allows a switch to active mode via changing ForceDefenderPassiveMode to 0, but not to passive mode. These changes apply only to servers onboarded to Microsoft Defender for Endpoint. For more information, please refer to Microsoft Defender Antivirus compatibility with other security products

Known Issues

  • Some customers might have received platform updates 4.18.2209.2 from preview. It can cause the service to get stuck at the start state after the update.

August-2022 (Platform: 4.18.2207.7 | Engine: 1.1.19600.3)

  • Security intelligence update version: 1.373.1647.0
  • Release date: September 6, 2022
  • Platform: 4.18.2207.7
  • Engine: 1.1.19600.3
  • Support phase: Technical upgrade support (only)

What's new

  • Starting with platform version 4.18.2207.7, the default behavior of dynamic signature expiration reporting changes to reduce potential 2011 event notification flooding. See: Event ID: 2011 in Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
  • Fixed Unified agent installer issues on WS2012R2 Server and Windows Server 2016
  • Fixed remediation issue for custom detection
  • Fixed Race condition related to behavior monitoring
  • Resolved multiple deadlock scenarios in Defender dlls
  • Improved frequency of Windows toasts notification for ASR rules

Known Issues

  • None

July-2022 (Platform: 4.18.2207.5 | Engine: 1.1.19500.2)

  • Security intelligence update version: 1.373.219.0
  • Release date: August 15, 2022
  • Platform: 4.18.2207.5
  • Engine: 1.1.19500.2
  • Support phase: Technical upgrade support (only)

What's new

Known Issues

  • Customers deploying platform update 4.18.2207.5 might experience lagging network performance that could impact applications.

May-2022 (Platform: 4.18.2205.7 | Engine: 1.1.19300.2)

  • Security intelligence update version: 1.369.88.0
  • Released: June 22, 2022
  • Platform: 4.18.2205.7
  • Engine: 1.1.19300.2
  • Support phase: Technical upgrade support (only)

What's new

  • Added fix for ETW channel configuration for updates
  • Added support for contextual exclusions allowing more specific exclusion targeting
  • Fixed context maximum size
  • Added fix for ASR LSASS detection
  • Added fix to SHSetKnownFolder for rule exclusion logic
  • Added AMSI disk usage limits for The History Store
  • Added fix for Defender service refusing to accept signature updates

Known issues

  • None

March-2022 UPDATE (Platform: 4.18.2203.5 | Engine: 1.1.19200.5)

Customers who applied the March 2022 Microsoft Defender engine update (1.1.19100.5) might have encountered high resource utilization (CPU and/or memory). Microsoft has released an update (1.1.19200.5) that resolves the bugs introduced in the earlier version. Customers are recommended to update to at least this new engine build of Antivirus Engine (1.1.19200.5). To ensure any performance issues are fully fixed, it's recommended to reboot machines after applying update.

  • Security intelligence update version: 1.363.817.0
  • Released: April 22, 2022
  • Platform: 4.18.2203.5
  • Engine: 1.1.19200.5
  • Support phase: Technical upgrade support (only)

What's new

  • Resolves issues with high resource utilization (CPU and/or memory) related to the earlier March 2022 Microsoft Defender engine update (1.1.19100.5)

Known issues

  • None

March-2022 (Platform: 4.18.2203.5 | Engine: 1.1.19100.5)

  • Security intelligence update version: 1.361.1449.0
  • Released: April 7, 2022
  • Platform: 4.18.2203.5
  • Engine: 1.1.19100.5
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • Potential for high resource utilization (CPU and/or memory). See the Platform 4.18.2203.5 and Engine 1.1.19200.5 update for March 2022.

February-2022 (Platform: 4.18.2202.4 | Engine: 1.1.19000.8)

  • Security intelligence update version: 1.361.14.0
  • Released: March 14, 2022
  • Platform: 4.18.2202.4
  • Engine: 1.1.19000.8
  • Support phase: Technical upgrade support (only)

What's new

  • Improvements to detection and behavior monitoring logic
  • Fixed false positive triggering attack surface reduction detections
  • Added fix resulting in better fidelity of EDR and Advanced Hunting detection alerts
  • Defender no longer supports custom notifications on toast pop ups. Modified GPO/Intune/SCCM and docs to reflect this change.
  • Improvements to capture both information and copy of files written to removable storage.
  • Improved traffic output when SmartScreen service is unreachable
  • Connectivity improvements for customers using proxies with authentication requirements
  • Fixed VDI device update bug for network FileShares
  • EDR in block mode now supports granular device targeting with new CSPs. See Endpoint detection and response (EDR) in block mode.

Known issues

  • None

January-2022 (Platform: 4.18.2201.10 | Engine: 1.1.18900.2)

  • Security intelligence update version: 1.357.8.0
  • Released: February 9, 2022
  • Platform: 4.18.2201.10
  • Engine: 1.1.18900.2
  • Support phase: Technical upgrade support (only)

What's new

  • Behavior monitoring improvements in filtering performance
  • Hardening to TrustedInstaller
  • Tamper protection improvements
  • Replaced ScanScheduleTime with new ScanScheduleOffest cmdlet in Set-MpPreference. This policy configures the number of minutes after midnight to perform a scheduled scan.
  • Added the -ServiceHealthReportInterval setting to Set-MpPreference. This policy configures the time interval (in minutes) to perform a scheduled scan.
  • Added the AllowSwitchToAsyncInspection setting to Set-MpPreference. This policy enables a performance optimization that allows synchronously inspected network flows to switch to async inspection once they've been checked and validated.
  • Performance Analyzer v2 updates: Remote PowerShell and PowerShell 7.x support added. See Performance analyzer for Microsoft Defender Antivirus.
  • Fixed potential duplicate packet bug in Microsoft Defender Antivirus network inspection system driver.

Known issues

  • None

November-2021 (Platform: 4.18.2111.5 | Engine: 1.1.18800.4)

  • Security intelligence update version: 1.355.2.0
  • Released: December 9th, 2021
  • Platform: 4.18.2111.5
  • Engine: 1.1.18800.4
  • Support phase: Technical upgrade support (only)

What's new

  • Improved CPU usage efficiency of certain intensive scenarios on Exchange servers
  • Added new device control status fields under Get-MpComputerStatus in Defender PowerShell module.
  • Fixed bug in which SharedSignatureRoot value couldn't be removed when set with PowerShell
  • Fixed bug in which tamper protection failed to be enabled, even though Microsoft Defender for Endpoint indicated that tamper protection was turned on
  • Added supportability and bug fixes to performance analyzer for Microsoft Defender Antivirus tool. For more information, see Performance analyzer for Microsoft Defender Antivirus.
    • PowerShell ISE support added for New-MpPerformanceRecording
    • Fixed bug errors for Get-MpPerformanceReport -TopFilesPerProcess
    • Fixed performance recording session leak when using New-MpPerformanceRecording in PowerShell 7.x, remote sessions, and PowerShell ISE

Known issues

  • None

October-2021 (Platform: 4.18.2110.6 | Engine: 1.1.18700.4)

  • Security intelligence update version: 1.353.3.0
  • Released: October 28th, 2021
  • Platform: 4.18.2110.6
  • Engine: 1.1.18700.4
  • Support phase: Technical upgrade support (only)

What's new

  • Improvements to file transfer protocol (FTP) network traffic coverage
  • Fix to reduce Microsoft Defender CPU usage in Exchange Server running on Windows Server 2016
  • Fix for scan interruptions
  • Fix for alerts on blocked tampering attempts not appearing in Security Center
  • Improvements to tamper resilience in Microsoft Defender service

Known issues

  • None

September-2021 (Platform: 4.18.2109.6 | Engine: 1.1.18600.4)

  • Security intelligence update version: 1.351.7.0
  • Released: October 7th, 2021
  • Platform: 4.18.2109.6
  • Engine: 1.1.18600.4
  • Support phase: Technical upgrade support (only)

What's new

  • New delay ring for Microsoft Defender Antivirus engine and platform updates. Devices that opt into this ring receives updates with a 48-hour delay. The new delay ring is suggested for critical environments only. See Manage the gradual rollout process for Microsoft Defender updates.
  • Improvements to Microsoft Defender update gradual rollout process

Known issues

  • None

August-2021 (Platform: 4.18.2108.7 | Engine: 1.1.18500.10)

  • Security intelligence update version: 1.349.22.0
  • Released: September 2, 2021
  • Platform: 4.18.2108.7
  • Engine: 1.1.18500.10
  • Support phase: Technical upgrade support (only)

What's new

  • Improvements to the behavior monitoring engine
  • Released new performance analyzer for Microsoft Defender Antivirus
  • Microsoft Defender Antivirus hardened against loading malicious DLLs
  • Microsoft Defender Antivirus hardened against the TrustedInstaller bypass
  • Extending file change notifications to include more data for Human-Operated Ransomware (HumOR)

Known issues

  • None

July-2021 (Platform: 4.18.2107.4 | Engine: 1.1.18400.4)

  • Security intelligence update version: 1.345.13.0
  • Released: August 5, 2021
  • Platform: 4.18.2107.4
  • Engine: 1.1.18400.4
  • Support phase: Technical upgrade support (only)

What's new

  • Device control support added for Windows Portable Devices
  • Potentially unwanted applications (PUA) protection is turned on by default for consumers (See Block potentially unwanted applications with Microsoft Defender Antivirus.)
  • Scheduled scans for Group Policy Object managed systems adhere to user configured scan time
  • Improvements to the behavior monitoring engine

Known issues

  • None

June-2021 (Platform: 4.18.2106.5 | Engine: 1.1.18300.4)

  • Security intelligence update version: 1.343.17.0
  • Released: June 28, 2021
  • Platform: 4.18.2106.5
  • Engine: 1.1.18300.4
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • None

May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)

  • Security intelligence update version: 1.341.8.0
  • Released: June 3, 2021
  • Platform: 4.18.2105.4
  • Engine: 1.1.18200.4
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • None

April-2021 (Platform: 4.18.2104.14 | Engine: 1.1.18100.5)

  • Security intelligence update version: 1.337.2.0
  • Released: April 26, 2021 (Engine: 1.1.18100.6 released May 5, 2021)
  • Platform: 4.18.2104.14
  • Engine: 1.1.18100.5
  • Support phase: Technical upgrade support (only)

What's new

  • More behavior monitoring logic
  • Improved kernel mode key logger detection
  • Added new controls to manage the gradual rollout process for Microsoft Defender updates

Known issues

  • None

March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)

  • Security intelligence update version: 1.335.36.0
  • Released: April 2, 2021
  • Platform: 4.18.2103.7
  • Engine: 1.1.18000.5
  • Support phase: Technical upgrade support (only)

What's new

  • Improvement to the Behavior Monitoring engine
  • Expanded network brute-force-attack mitigations
  • More failed tampering attempt event generation when Tamper Protection is enabled

Known issues

  • None

February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)

  • Security intelligence update version: 1.333.7.0
  • Released: March 9, 2021
  • Platform: 4.18.2102.3
  • Engine: 1.1.17900.7
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • None

January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)

  • Security intelligence update version: 1.327.1854.0
  • Released: February 2, 2021
  • Platform: 4.18.2101.9
  • Engine: 1.1.17800.5
  • Support phase: Technical upgrade support (only)

What's new

  • Shellcode exploit detection improvements
  • Increased visibility for credential stealing attempts
  • Improvements in antitampering features in Microsoft Defender Antivirus services
  • Improved support for ARM x64 emulation
  • Fix: EDR Block notification remains in threat history after real-time protection performed initial detection

Known issues

  • None

November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)

  • Security intelligence update version: 1.327.1854.0
  • Released: December 03, 2020
  • Platform: 4.18.2011.6
  • Engine: 1.1.17700.4
  • Support phase: Technical upgrade support (only)

What's new

Known issues

  • None

October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)

  • Security intelligence update version: 1.327.7.0
  • Released: October 29, 2020
  • Platform: 4.18.2010.7
  • Engine: 1.1.17600.5
  • Support phase: Technical upgrade support (only)

What's new

  • New descriptions for special threat categories
  • Improved emulation capabilities
  • Improved host address allow/block capabilities
  • New option in Defender CSP to Ignore merging of local user exclusions

Known issues

  • None

September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)

  • Security intelligence update version: 1.325.10.0
  • Released: October 01, 2020
  • Platform: 4.18.2009.7
  • Engine: 1.1.17500.4
  • Support phase: Technical upgrade support (only)

What's new

  • Admin permissions are required to restore files in quarantine
  • XML formatted events are now supported
  • CSP support for ignoring exclusion merges
  • New management interfaces for:
    • UDP Inspection
    • Network Protection on Server 2019
    • IP Address exclusions for Network Protection
  • Improved visibility into TPM measurements
  • Improved Office VBA module scanning

Known issues

  • None

August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)

  • Security intelligence update version: 1.323.9.0
  • Released: August 27, 2020
  • Platform: 4.18.2008.9
  • Engine: 1.1.17400.5
  • Support phase: Technical upgrade support (only)

What's new

  • Add more telemetry events
  • Improved scan event telemetry
  • Improved behavior monitoring for memory scans
  • Improved macro streams scanning
  • Added AMRunningMode to Get-MpComputerStatus PowerShell cmdlet
  • DisableAntiSpyware is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program.

Known issues

  • None

July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)

  • Security intelligence update version: 1.321.30.0
  • Released: July 28, 2020
  • Platform: 4.18.2007.8
  • Engine: 1.1.17300.4
  • Support phase: Technical upgrade support (only)

What's new

  • Improved telemetry for BITS
  • Improved Authenticode code signing certificate validation

Known issues

  • None

June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)

  • Security intelligence update version: 1.319.20.0
  • Released: June 22, 2020
  • Platform: 4.18.2006.10
  • Engine: 1.1.17200.2
  • Support phase: Technical upgrade support (only)

What's new

  • Possibility to specify the location of the support logs
  • Skipping aggressive catchup scan in Passive mode.
  • Allow Defender to update on metered connections
  • Fixed performance tuning when caching is disabled
  • Fixed registry query
  • Fixed scantime randomization in ADMX

Known issues

  • None

May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)

  • Security intelligence update version: 1.317.20.0
  • Released: May 26, 2020
  • Platform: 4.18.2005.4
  • Engine: 1.1.17100.2
  • Support phase: Technical upgrade support (only)

What's new

  • Improved logging for scan events
  • Improved user mode crash handling.
  • Added event tracing for Tamper protection
  • Fixed AMSI Sample submission
  • Fixed AMSI Cloud blocking
  • Fixed Security update install log

Known issues

  • None

April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)

  • Security intelligence update version: 1.315.12.0
  • Released: April 30, 2020
  • Platform: 4.18.2004.6
  • Engine: 1.1.17000.2
  • Support phase: Technical upgrade support (only)

What's new

  • WDfilter improvements
  • Add more actionable event data to attack surface reduction detection events
  • Fixed version information in diagnostic data and WMI
  • Fixed incorrect platform version in UI after platform update
  • Dynamic URL intel for Fileless threat protection
  • UEFI scan capability
  • Extend logging for updates

Known issues

  • None

March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)

  • Security intelligence update version: 1.313.8.0
  • Released: March 24, 2020
  • Platform: 4.18.2003.8
  • Engine: 1.1.16900.4
  • Support phase: Technical upgrade support (only)

What's new

  • CPU Throttling option added to MpCmdRun
  • Improve diagnostic capability
  • reduce Security intelligence timeout (5 min)
  • Extend AMSI engine internal log capability
  • Improve notification for process blocking

Known issues

  • [Fixed] Microsoft Defender Antivirus is skipping files when running a scan.

February-2020 (Platform: - | Engine: 1.1.16800.2)

  • Security intelligence update version: 1.311.4.0
  • Released: February 25, 2020
  • Platform/Client: -
  • Engine: 1.1.16800.2
  • Support phase: Technical upgrade support (only)

What's new

  • None

Known issues

  • None

January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)

  • Security intelligence update version: 1.309.32.0
  • Released: January 30, 2020
  • Platform/Client: 4.18.2001.10
  • Engine: 1.1.16700.2
  • Support phase: Technical upgrade support (only)

What's new

  • Fixed BSOD on WS2016 with Exchange
  • Support platform updates when TMP is redirected to network path
  • Platform and engine versions are added to WDSI
  • extend Emergency signature update to passive mode
  • Fix 4.18.1911.3 hang

Known issues

  • [Fixed] devices utilizing modern standby mode may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.

Important

This update is:

  • needed by RS1 devices running lower version of the platform to support SHA2;
  • has a reboot flag for systems that have hanging issues;
  • is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
  • is categorized as an update due to the reboot requirement; and
  • is only be offered with Windows Update.

November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)

  • Security intelligence update version: 1.307.13.0
  • Released: December 7, 2019
  • Platform: 4.18.1911.3
  • Engine: 1.1.17000.7
  • Support phase: No support

What's new

  • Fixed MpCmdRun tracing level
  • Fixed WDFilter version info
  • Improve notifications (PUA)
  • add MRT logs to support files

Known issues

  • When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version.

Previous DISM updates (no longer supported)

The versions listed in this section are no longer supported. To view current versions, see Updates for Deployment Image Servicing and Management (DISM).

1.411.111.0

  • Defender package version: 1.411.111.0
  • Security intelligence version: 1.411.111.0
  • Engine version: 1.24050.2
  • Platform version: 4.18.24050.7

Fixes

  • None

Additional information

  • None

1.411.9.0

  • Defender package version: 1.411.9.0
  • Security intelligence version: 1.411.9.0
  • Engine version: 1.24040.1
  • Platform version: 4.18.24040.4

Fixes

  • None

Additional information

  • None

20230809.1

  • Defender package version: 20230809.1
  • Security intelligence version: 1.395.68.0
  • Engine version: 1.1.23070.1005
  • Platform version: 4.18.23070.1004

Fixes

  • None

20230604.1

  • Defender package version: 20230604.1
  • Security intelligence version: 1.391.476.0
  • Engine version: 1.1.23050.3
  • Platform version: 4.18.23050.3

Fixes

  • None

20230503.1

  • Defender package version: 20230503.1
  • Security intelligence version: 1.389.44.0
  • Engine version: 1.1.20300.3
  • Platform version: 4.18.2304.8

Fixes

  • None

Additional information

  • None

20230330.2

  • Defender package version: 20230330.2
  • Security intelligence version: 1.385.1537.0
  • Engine version: 1.1.20100.6
  • Platform version: 4.18.2302.7

Fixes

  • None

Additional information

  • None

20230308.1

  • Defender package version: 20230308.1
  • Security intelligence version: 1.383.1321.0
  • Engine version: 1.1.20000.2
  • Platform version: 4.18.2301.6

Fixes

  • None

Additional information

  • None

20230215.1

  • Defender package version: 20230215.1
  • Security intelligence version: 1.383.51.0
  • Engine version: 1.1.20000.2
  • Platform version: 4.18.2301.6

Fixes

  • None

Additional information

  • None

20230118.1

  • Defender package version: 20230118.1
  • Security intelligence version: 1.381.2404.0
  • Engine version: 1.1.19900.2
  • Platform version: 4.18.2211.5

Fixes

  • None

Additional information

  • None

20221209.1

  • Defender package version: 20221209.1
  • Security intelligence version: 1.381.144.0
  • Engine version: 1.1.19900.2
  • Platform version: 4.18.2211.5

Fixes

  • None

Additional information

  • None

20221102.3

  • Defender package version: 20221102.3
  • Security intelligence version: 1.377.1180.0
  • Engine version: 1.1.19700.3
  • Platform version: 4.18.2210.4

Fixes

  • None

Additional information

  • None

20221014.1

  • Package version: 20221014.1
  • Platform version: 4.18.2209.7
  • Engine version: 1.1.19700.3
  • Signature version: 1.373.208.0

Fixes

  • None

Additional information

  • None

20220929.1

  • Package version: 20220929.1
  • Platform version: 4.18.2207.7
  • Engine version: 1.1.19600.3
  • Signature version: 1.373.1243.0

Fixes

  • None

Additional information

  • None

20220925.2

  • Package version: 20220925.2
  • Platform version: 4.18.2207.7
  • Engine version: 1.1.19600.3
  • Signature version: 1.373.1371.0

Fixes

  • None

Additional information

  • None

20220901.4

  • Package version: 20220901.4
  • Platform version: 4.18.2205.7
  • Engine version: 1.1.19500.2
  • Signature version: 1.373.1371.0

Fixes

  • None

Additional information

  • None

20220802.1

  • Package version: 20220802.1
  • Platform version: 4.18.2205.7
  • Engine version: 1.1.19400.3
  • Signature version: 1.371.1205.0

Fixes

  • None

Additional information

  • None

20220629.5

  • Package version: 20220629.5
  • Platform version: 4.18.2205.7
  • Engine version: 1.1.19300.2
  • Signature version: 1.369.220.0

Fixes

  • None

Additional information

  • None

20220603.3

  • Package version: 20220603.3
  • Platform version: 4.18.2203.5
  • Engine version: 1.1.19200.6
  • Signature version: 1.367.1009.0

Fixes

  • None

Additional information

  • None

20220506.6

  • Package version: 20220506.6
  • Platform version: 4.18.2203.5
  • Engine version: 1.1.19200.5
  • Signature version: 1.363.1436.0

Fixes

  • None

Additional information

  • None

20220321.1

  • Package version: 20220321.1
  • Platform version: 4.18.2202.4
  • Engine version: 1.1.19000.8
  • Signature version: 1.351.337.0

Fixes

  • None

Additional information

  • None

20220305.1

  • Package version: 20220305.1
  • Platform version: 4.18.2201.10
  • Engine version: 1.1.18900.3
  • Signature version: 1.359.1405.0

Fixes

  • None

Additional information

  • None

20220203.1

  • Package version: 20220203.1
  • Platform version: 4.18.2111.5
  • Engine version: 1.1.18900.2
  • Signature version: 1.357.32.0

Fixes

  • None

Additional information

  • None

20220105.1

  • Package version: 20220105.1
  • Platform version: 4.18.2111.5
  • Engine version: 1.1.18800.4
  • Signature version: 1.355.1482.0

Fixes

  • None

Additional information

  • None

1.1.2112.01

  • Package version: 1.1.2112.01
  • Platform version: 4.18.2110.6
  • Engine version: 1.1.18700.4
  • Signature version: 1.353.2283.0

Fixes

  • None

Additional information

  • None

1.1.2111.02

  • Package version: 1.1.2111.02
  • Platform version: 4.18.2110.6
  • Engine version: 1.1.18700.4
  • Signature version: 1.353.613.0

Fixes

  • Fixed an issue pertaining to localization files

Additional information

  • None

1.1.2110.01

  • Package version: 1.1.2110.01
  • Platform version: 4.18.2109.6
  • Engine version: 1.1.18500.10
  • Signature version: 1.349.2103.0

Fixes

  • None

Additional information

  • None

1.1.2109.01

  • Package version: 1.1.2109.01
  • Platform version: 4.18.2107.4
  • Engine version: 1.1.18400.5
  • Signature version: 1.347.891.0

Fixes

  • None

Additional information

  • None

1.1.2108.01

  • Package version: 1.1.2108.01
  • Platform version: 4.18.2107.4
  • Engine version: 1.1.18300.4
  • Signature version: 1.343.2244.0

Fixes

  • None

Additional information

  • None

1.1.2107.02

  • Package version: 1.1.2107.02
  • Platform version: 4.18.2105.5
  • Engine version: 1.1.18300.4
  • Signature version: 1.343.658.0

Fixes

  • None

Additional information

  • None

1.1.2106.01

  • Package version: 1.1.2106.01
  • Platform version: 4.18.2104.14
  • Engine version: 1.1.18100.6
  • Signature version: 1.339.1923.0

Fixes

  • None

Additional information

  • None

1.1.2105.01

  • Package version: 1.1.2105.01
  • Platform version: 4.18.2103.7
  • Engine version: 1.1.18100.6
  • Signature version: 1.339.42.0

Fixes

  • None

Additional information

  • None

1.1.2104.01

  • Package version: 1.1.2104.01
  • Platform version: 4.18.2102.4
  • Engine version: 1.1.18000.5
  • Signature version: 1.335.232.0

Fixes

  • None

Additional information

  • None

1.1.2103.01

  • Package version: 1.1.2103.01
  • Platform version: 4.18.2101.9
  • Engine version: 1.1.17800.5
  • Signature version: 1.331.2302.0

Fixes

  • None

Additional information

  • None

1.1.2102.03

  • Package version: 1.1.2102.03
  • Platform version: 4.18.2011.6
  • Engine version: 1.1.17800.5
  • Signature version: 1.331.174.0

Fixes

  • None

Additional information

  • None

1.1.2101.02

  • Package version: 1.1.2101.02
  • Platform version: 4.18.2011.6
  • Engine version: 1.1.17700.4
  • Signature version: 1.329.1796.0

Fixes

  • None

Additional information

  • None

1.1.2012.01

  • Package version: 1.1.2012.01
  • Platform version: 4.18.2010.7
  • Engine version: 1.1.17600.5
  • Signature version: 1.327.1991.0

Fixes

  • None

Additional information

  • None

1.1.2011.02

  • Package version: 1.1.2011.02
  • Platform version: 4.18.2010.7
  • Engine version: 1.1.17600.5
  • Signature version: 1.327.658.0

Fixes

  • None

Additional information

  • Refreshed Microsoft Defender Antivirus signatures

1.1.2011.01

  • Package version: 1.1.2011.01
  • Platform version: 4.18.2009.7
  • Engine version: 1.1.17600.5
  • Signature version: 1.327.344.0

Fixes

  • None

Additional information

  • None

1.1.2009.10

  • Package version: 1.1.2011.01
  • Platform version: 4.18.2008.9
  • Engine version: 1.1.17400.5
  • Signature version: 1.327.2216.0

Fixes

  • None

Additional information

  • Added support for Windows 10 RS1 or later OS install images.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.