Microsoft Defender Antivirus updates - Previous versions for technical upgrade support only

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2

Microsoft regularly releases security intelligence updates and product updates for Microsoft Defender Antivirus. It's important to keep Microsoft Defender Antivirus up to date. When a new package version is released, support for the previous two versions is reduced to technical support only. Versions that are older than the previous two versions are listed in this article and are provided for technical upgrade support only.

November-2023 (Platform: 4.18.23110.3 | Engine: 1.1.23110.2)

• Security intelligence update version: 1.403.7.0
• Release date: December 5, 2023 (Platform) / December 6, 2023 (Engine)
• Platform: 4.18.23110.3
• Engine: 1.1.23110.2
• Support phase: Technical upgrade support (only)

What's new

• Fixed PowerShell cmdlet Get-MpComputerStatus to show the correct date/time for AntivirusSignatureLastUpdated
• Resolved deadlock issue that occurred on systems with multiple filter drivers reading a file when the file is copied
• Added the InitializationProgress field to Get-MpComputerStatus output
• Fixed installation failure on Windows Server 2016 due to existing Defender EventLog registry key
• Added the ability to have quick scans ignore Microsoft Defender Antivirus exclusions
• Fixed remediation for long running on-demand scans where the service may have been restarted
• Fixed an issue with Microsoft Defender Vulnerability Management to allow the execution of a blocked application when the warn option is selected
• Added support for managing schedule day/time for signature updates in Intune and Defender for Endpoint security settings management
• Fixed non-standard signature path loading across platforms (Windows, Mac, Linux, Android, and iOS)
• Improved handling of cached detections in attack surface reduction capabilities
• Improved performance for enumerating virtual memory ranges

Known issues

• None

October-2023 (Platform: 4.18.23100.2009 | Engine: 1.1.23100.2009)

• Security intelligence update version: 1.401.3.0
• Release date: November 3, 2023 (Engine) / November 6, 2023 (Platform)
• Platform: 4.18.23100.2009
• Engine: 1.1.23100.2009
• Support phase: Technical upgrade support (only)

What's new

• Improved processing of environment variables in protected folders list for controlled folder access
• Improved performance of on-access scanning of files with Mark of the Web (MoTW)
• Added support for Active Directory device groups with device control
• Fixed an issue so that ASROnlyPerRuleExclusions don't apply during an engine reboot
• Microsoft Defender Core service overview is generally available for consumer devices and is coming soon for business customers.
• Fixed an issue with device control so that device control policies remain enforced when a platform update requires a reboot
• Improved performance of device control for printing scenarios
• Fixed truncation issue in the output of MpCmdRun.exe -scan (processing Unicode characters)

Known issues

• None

September-2023 (Platform: 4.18.23090.2008 | Engine: 1.1.23090.2007)

• Security intelligence update version: 1.399.44.0
• Release date: October 3, 2023 (Engine) | October 4, 2023 (Platform)
• Platform: 4.18.23090.2008
• Engine: 1.1.23090.2007
• Support phase: Technical upgrade support (only)

What's new

• Fixed automatic remediation during on demand scans involving archives with multiple threats
• Improved the performance of scanning files on network locations
• Added support for domain computer SID for device control policies
• Improved installer of unified agent to include legacy version of Windows Server 2012 (6.3.9600.17735)
• Fixed issue in device control when querying Microsoft Entra group membership, which resulted in increased network traffic.
• Improved parsing of attack surface reduction exclusions in the antimalware engine
• Improved reliability in scanning PE files
• Improved deployments safeguards for security intelligence updates

Known issues

• None

August-2023 (Platform: 4.18.23080.2006 | Engine: 1.1.23080.2005)

• Security intelligence update version: 1.397.59.0
• Released: August 30, 2023 (Platform and Engine)
• Platform: 4.18.23080.2006
• Engine: 1.1.23080.2005
• Support phase: Technical upgrade support (only)

What's new

• Fixed an issue where Microsoft Defender Antivirus switched from passive mode to active mode following an update on Windows Server 2016 and Windows Server 2012 R2 onboarded using the modern, unified client
• Fixed an issue where exclusions weren't applied correctly using gpupdate when registry policy processing was set to process even if Group Policy Objects didn't change
• Excluded IP addresses can now be configured using Intune
• Improved tamper protection on Windows Server 2016
• DisableFtpParsing can now be configured through Set-MpPreference
• Fixed an issue where device control policies weren't applied correctly without a reboot following product updates
• Fixed an issue in the attack surface reduction rule, Block Win32 API calls from Office macros, configured in warn mode where excluded files were incorrectly blocked until the next device reboot

Known issues

• None

July-2023 (Platform: 4.18.23070.1004 | Engine: 1.1.23070.1005)

• Security intelligence update version: 1.395.30.0
• Released: August 9, 2023 (Engine and Platform)
• Platform: 4.18.23070.1004
• Engine: 1.1.23070.1005
• Support phase: Technical upgrade support (only)

What's new

• Improved output for Get-MpComputerStatus if scan results fail to retrieve
• Extended management options for configuring security intelligence updates with Intune, Group Policy, and PowerShell
• Extended management options for disabling IOAV scans over the network using Intune, Group Policy, and PowerShell. The new setting is ApplyDisableNetworkScanningToIOAV for Set-MpPreference.
• Improved the Unified agent installation process to handle MsMpEng.exe debugger extensions, if present
• Fixed an issue pertaining to showing the exclusions list with PowerShell Get-MpPreference on systems managed by Intune
• Fixed warn notifications for two attack surface reduction rules (Block Office applications from injecting code into other processes and Block credential stealing from the Windows local security authority subsystem)
• Fixed an issue with running Update-MpSignature -UpdateSource:MMPC when using a nonelevated PowerShell console (see Update-MpSignature)
• Fixed an issue with ASR rules deployed via Intune to display accurately in the Microsoft Defender portal
• Fixed tamper protection management for customers who have Microsoft 365 E3 or Defender for Endpoint Plan 1
• Improved installation and uninstallation logic on Server SKUs using the modern, unified agent (see Defender for Endpoint onboarding Windows Server)
• Fixed an issue where AntivirusSignatureLastUpdated was incorrect when executing Get-MpComputerStatus
• Addressed a deadlock caused by Microsoft Defender Antivirus in rare cases
• Added ProcessId to ASR Warn exclusion events (see ASR rules configuration summary card)
• Fixed an issue where values specified in ThreatSeverityDefaultAction weren't honored intermittently
• Improved error reporting in the modern, unified agent installer
• Fixed the overriding logic in the ASR rule Block all Office applications from creating child processes configured in warn mode
• Added support for scanning Zstandard (Zstd) containers/archives

Known issues

• None

May-2023 UPDATE (Platform: 4.18.23050.9)

Microsoft has released a platform update (4.18.23050.9) for the May 2023 release.

• Security intelligence update version: 1.393.1315.0
• Released: July 24, 2023 (Platform only)
• Platform: 4.18.23050.9
• Engine: 1.1.23060.1005
• Support phase: Technical upgrade support (only)

What's new

• Fixed a regression where HTTP requests were being handled sequentially, causing high latency for network protection scenarios
• Fixed a bug where DNS requests with empty authority records were being improperly parsed

June-2023 (Engine: 1.1.23060.1005)

• Security intelligence update version: 1.393.71.0
• Released: July 10, 2023 (Engine only)
• Engine: 1.1.23060.1005
• Support phase: Technical upgrade support (only)

What's new

• Fixed an issue with ASR rules deployed via Intune to display accurately in the Microsoft Defender portal
• Fixed a performance issue when building and validating the Microsoft Defender Antivirus cache
• Improved performance by removing redundant exclusion checks

Known Issues

• See May-2023 UPDATE (Platform: 4.18.23050.9 | Engine: 1.1.23060.1005) for platform updates.

May-2023 UPDATE (Platform: 4.18.23050.5 | Engine: 1.1.23050.2)

Microsoft released a platform update (4.18.23050.5) for the May 2023 release, followed by an additional update.

• Security intelligence update version: 1.391.860.0
• Released: June 12, 2023
• Platform: 4.18.23050.5
• Engine: 1.1.23050.2
• Support phase: Technical upgrade support (only)

What's new

• Fixed issue that could lead to resolution of incorrect service endpoint

Known Issues

• Users encounter slow loading webpages in non-Microsoft web browsers with web content filtering enabled

May-2023 (Platform: 4.18.23050.3 | Engine: 1.1.23050.2)

• Security intelligence update version: 1.391.64.0
• Released: May 31, 2023
• Platform: 4.18.23050.3
• Engine: 1.1.23050.2
• Support phase: Technical upgrade support (only)

What's new

• New version format for Platform and Engine (see the April-2023 update)
• Improved processing of SmartLockerMode
• Fixed input parameters for DefinitionUpdateChannel cmdlet in Set-MpPreference
• Improved installation experience for Windows Server 2012 R2 and Windows Server 2016
• Added ability to disable Defender task maintenance tasks programmatically
• Fixed WDFilter 0x50 bug check
• Fixed print enforcement issue for device control
• Fixed scan randomization issue when setting Intune policy
• Fixed sense offboarding on Windows Server 2016 when tamper protection is enabled
• Fixed inconsistent results of caching files with the internal Defender file cache
• Augmented attack surface reduction telemetry with more data related to an ASR detection
• Removed Image File Execution Options (IFEO) debugger value during installation, which can be used to prevent service starts
• Fixed memory leaked in ASR logic
• Improved validation guard-rail for Malicious Software Removal Tool (MSRT) releases

Known Issues

• Potential issue that could lead to resolution of incorrect service endpoint

April-2023 (Platform: 4.18.2304.8 | Engine: 1.1.20300.3)

• Security intelligence update version: 1.387.2997.0
• Release date: May 2, 2023 (Engine) / May 2, 2023 (Platform)
• Platform: 4.18.2304.8
• Engine: 1.1.20300.3
• Support phase: Technical upgrade support (only)

What's new

• Beginning in May 2023, the Platform and Engine version schema have a new format. Here's what the new version format looks like:
  • Platform: 4.18.23050.1
  • Engine: 1.1.23050.63000
• Fixed memory leak in behavior monitoring
• Improved resiliency of signature loading and platform updates
• Quarantine and restore support for WMI
• Fixed attack surface reduction rule output with Get-MpPreference
• Fixed MSERT to only use release engine version
• Improved the enforcement of exclusions
• Added support for enabling real-time protection and signature updates during OOBE
• Fixed localization for Defender events
• Deprecated real-time signature delivery setting
• Updated missing setting (ValidateMapsConnection) in MpCmdRun.exe
• Fixed abandoned threats in the Windows Security app
• Fixed a service-hang issue that caused invalid outputs to display in Get-MpComputerStatus

Known issues

• None

March-2023 (Platform: 4.18.2303.8 | Engine: 1.1.20200.4)

• Security intelligence update version: 1.387.695.0
• Release date: April 4, 2023 (Engine) / April 11, 2023 (Platform)
• Platform: 4.18.2303.8
• Engine: 1.1.20200.4
• Support phase: Technical upgrade support (only)

What's new

• Beginning in April 2023, monthly platform and engine version release information (in this article) now includes two dates: Engine and Platform
• Increased file hash support
• Added support to protect registry keys against parent keys abuse
• Improved tamper protection of registry keys against parent keys abuse
• Improved log handling for DLP and Device Control
• Improved performance on developer drives

Known issues

• None

February-2023 (Platform: 4.18.2302.7 | Engine: 1.1.20100.6)

• Security intelligence update version: 1.385.68.0
• Release date: March 27, 2023
• Platform: 4.18.2302.7
• Engine: 1.1.20100.6
• Support phase: Technical upgrade support (only)

What's new

• Fixed attack surface reduction rule output with Get-MpPreference
• Fixed threat DefaultAction outputs in Get-MpPreference
• Improved Defender performance during file copy operations for .NET applications
• Fixed Microsoft Defender Vulnerability Management app block warn feature
• Added opt-in feature to allow users seeing exclusions
• Fixed ASR warn policy
• Increased maximum size for quarantine archive file to 4 GB
• Improvements to threat remediation logic
• Improved tamper protection hardening for temporary exclusions
• Fixed time zone calculation in Defender PowerShell module
• Fixed merging logic for exclusions in Defender PowerShell module
• Improvements in the contextual exclusions syntax
• Improved scheduled scan robustness
• Improved serviceability for internal database files
• Enhanced certificate indicators determination logic
• Enhanced memory usage

Known Issues

• None

January-2023 (Platform: 4.18.2301.6 | Engine: 1.1.20000.2)

• Security intelligence update version: 1.383.26.0
• Release date: February 14, 2023
• Platform: 4.18.2301.6
• Engine: 1.1.20000.2
• Support phase: Technical upgrade support (only)

What's new

• Improved ASR rule processing logic
• Updated Sense token hardening
• Improved Defender CSP module update channel logic

Known Issues

• None

November-2022 (Platform: 4.18.2211.5 | Engine: 1.1.19900.2)

• Security intelligence update version: 1.381.144.0
• Release date: December 8, 2022
• Platform: 4.18.2211.5
• Engine: 1.1.19900.2
• Support phase: Technical upgrade support (only)

What's new

• Enhanced threat protection capabilities
• Improved tamper protection capabilities
• Enhanced enabling of tamper protection for newly onboarded devices
• Improved reporting for cloud protection
• Improved controlled folder access notifications
• Improved scanning of network shares
• Enhanced processing of host files containing a wild card
• Improved performance for scan events

Known Issues

• None

October-2022 (Platform: 4.18.2210.6 | Engine: 1.1.19800.4)

• Security intelligence update version: 1.379.4.0
• Release date: November 10, 2022
• Platform: 4.18.2210.6
• Engine: 1.1.19800.4
• Support phase: Technical upgrade support (only)

What's new

• Addressed a quality issue that could result in poor responsiveness/usability
• Improved hang detection in antivirus engine
• Improved tamper protection capability
• Changed threat & vulnerability management (TVM)-warn and TVM-block action to block to resolve Intune's report
• Removed Clean Action from Intune policy for ThreadSeverityDefaultAction
• Added randomize scheduled task times configuration to Intune policy
• Added manageability for DisableSMTPParsing network protection
• Added improvement for behavior monitoring
• Normalized date format for event 1151 for Windows Defender
• Fixed a deadlock related to updating \device\cdrom* exclusions upon mounting a cdrom drive under certain conditions
• Improved PID information for threat detection

Known Issues

• None

September-2022 (Platform: 4.18.2209.7 | Engine: 1.1.19700.3)

• Security intelligence update version: 1.377.8.0
• Release date: October 10, 2022
• Platform: 4.18.2209.7
• Engine: 1.1.19700.3
• Support phase: Technical upgrade support (only)

What's new

• Improved processing of Defender fallback order on Server SKU
• Fixed Defender updates during OOBE process
• Fixed Trusted Installer security descriptor vulnerability
• Fixed Microsoft Defender Antivirus exclusions visibility
• Fixed output of fallback order of the PowerShell cmdlet
• Fixed Defender Platform update failure on Server Core 2019 SKUs
• Improved hardening support for Defender disablement configurations on Server SKUs
• Improved Defender configuration logics for tamper protection on servers
• Improved WARN mode for ASR rule
• Improved certificate handling of OSX
• Improved logging for scanning FilesStash location
• Beginning with platform version 4.18.2208.0 and later: If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" group policy setting will no longer completely disable Windows Defender Antivirus on Windows Server 2012 R2 and later operating systems. Instead, it is either ignored (if ForceDefenderPassiveMode is configured explicitly) or it places Microsoft Defender Antivirus into passive mode (if ForceDefenderPassiveMode isn't configured). Moreover, tamper protection allows a switch to active mode via changing ForceDefenderPassiveMode to 0, but not to passive mode. These changes apply only to servers onboarded to Microsoft Defender for Endpoint. For more information, please refer to Microsoft Defender Antivirus compatibility with other security products

Known Issues

• Some customers might have received platform updates 4.18.2209.2 from preview. It can cause the service to get stuck at the start state after the update.

August-2022 (Platform: 4.18.2207.7 | Engine: 1.1.19600.3)

• Security intelligence update version: 1.373.1647.0
• Release date: September 6, 2022
• Platform: 4.18.2207.7
• Engine: 1.1.19600.3
• Support phase: Technical upgrade support (only)

What's new

• Starting with platform version 4.18.2207.7, the default behavior of dynamic signature expiration reporting changes to reduce potential 2011 event notification flooding. See: Event ID: 2011 in Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
• Fixed Unified agent installer issues on WS2012R2 Server and Windows Server 2016
• Fixed remediation issue for custom detection
• Fixed Race condition related to behavior monitoring
• Resolved multiple deadlock scenarios in Defender dlls
• Improved frequency of Windows toasts notification for ASR rules

Known Issues

• None

July-2022 (Platform: 4.18.2207.5 | Engine: 1.1.19500.2)

• Security intelligence update version: 1.373.219.0
• Release date: August 15, 2022
• Platform: 4.18.2207.5
• Engine: 1.1.19500.2
• Support phase: Technical upgrade support (only)

What's new

• Performance improvement for hybrid sleep delay when Microsoft Defender Antivirus is active
• Fixed client detection behavior related to custom certificate blocking indicators of compromise
• Performance improvement for AntiMalware Scan Interface (AMSI) caching
• Improved detection and remediation for Microsoft Visual Basic for Applications (VBA) related macros
• Improved processing of AMSI exclusions
• Fixed deadlock detection in Host Intrusion Prevention System (HIPS) rule processing. (For more information about HIPS and Defender for Endpoint, see Migrating from a third-party HIPS to ASR rules.)
• Fixed memory leak where MsMpEng.exe was consuming private bytes. (If high CPU usage is also an issue, see High CPU usage due to Microsoft Defender Antivirus)
• Fixed deadlock with behavior monitoring
• Improved trust validation
• Fixed engine crash issue on legacy operating platforms
• Performance Analyzer v3 updates: Added top path support, scan skip information, and OnDemand scan support. See Performance analyzer for Microsoft Defender Antivirus.
• Defender performance improvements during file copy operations
• Added improvements for troubleshooting mode
• Added fix for Defender WINEVT channels across update/restarts. (For more information about WINEVT, see Windows Event Log.)
• Added fix for Defender WMI management bug during startup/updates
• Added fix for duplicated 2010/2011 in the Windows Event Viewer Operational events
• Added support for Defender for Endpoint stack processes token hardening

Known Issues

• Customers deploying platform update 4.18.2207.5 might experience lagging network performance that could impact applications.

May-2022 (Platform: 4.18.2205.7 | Engine: 1.1.19300.2)

• Security intelligence update version: 1.369.88.0
• Released: June 22, 2022
• Platform: 4.18.2205.7
• Engine: 1.1.19300.2
• Support phase: Technical upgrade support (only)

What's new

• Added fix for ETW channel configuration for updates
• Added support for contextual exclusions allowing more specific exclusion targeting
• Fixed context maximum size
• Added fix for ASR LSASS detection
• Added fix to SHSetKnownFolder for rule exclusion logic
• Added AMSI disk usage limits for The History Store
• Added fix for Defender service refusing to accept signature updates

Known issues

• None

March-2022 UPDATE (Platform: 4.18.2203.5 | Engine: 1.1.19200.5)

Customers who applied the March 2022 Microsoft Defender engine update (1.1.19100.5) might have encountered high resource utilization (CPU and/or memory). Microsoft has released an update (1.1.19200.5) that resolves the bugs introduced in the earlier version. Customers are recommended to update to at least this new engine build of Antivirus Engine (1.1.19200.5). To ensure any performance issues are fully fixed, it's recommended to reboot machines after applying update.

• Security intelligence update version: 1.363.817.0
• Released: April 22, 2022
• Platform: 4.18.2203.5
• Engine: 1.1.19200.5
• Support phase: Technical upgrade support (only)

What's new

• Resolves issues with high resource utilization (CPU and/or memory) related to the earlier March 2022 Microsoft Defender engine update (1.1.19100.5)

Known issues

• None

March-2022 (Platform: 4.18.2203.5 | Engine: 1.1.19100.5)

• Security intelligence update version: 1.361.1449.0
• Released: April 7, 2022
• Platform: 4.18.2203.5
• Engine: 1.1.19100.5
• Support phase: Technical upgrade support (only)

What's new

• Added fix for an attack surface reduction rule that blocked an Outlook add-in
• Added fix for behavior monitoring performance issue related to short live processes
• Added fix for AMSI exclusion
• Improved tamper protection capabilities
• Added a fix for real-time protection getting disabled in some cases when using SharedSignaturesPath config. For more information about the SharedSignaturesPath parameter, see Set-MpPreference.

Known issues

• Potential for high resource utilization (CPU and/or memory). See the Platform 4.18.2203.5 and Engine 1.1.19200.5 update for March 2022.

February-2022 (Platform: 4.18.2202.4 | Engine: 1.1.19000.8)

• Security intelligence update version: 1.361.14.0
• Released: March 14, 2022
• Platform: 4.18.2202.4
• Engine: 1.1.19000.8
• Support phase: Technical upgrade support (only)

What's new

• Improvements to detection and behavior monitoring logic
• Fixed false positive triggering attack surface reduction detections
• Added fix resulting in better fidelity of EDR and Advanced Hunting detection alerts
• Defender no longer supports custom notifications on toast pop ups. Modified GPO/Intune/SCCM and docs to reflect this change.
• Improvements to capture both information and copy of files written to removable storage.
• Improved traffic output when SmartScreen service is unreachable
• Connectivity improvements for customers using proxies with authentication requirements
• Fixed VDI device update bug for network FileShares
• EDR in block mode now supports granular device targeting with new CSPs. See Endpoint detection and response (EDR) in block mode.

Known issues

• None

January-2022 (Platform: 4.18.2201.10 | Engine: 1.1.18900.2)

• Security intelligence update version: 1.357.8.0
• Released: February 9, 2022
• Platform: 4.18.2201.10
• Engine: 1.1.18900.2
• Support phase: Technical upgrade support (only)

What's new

• Behavior monitoring improvements in filtering performance
• Hardening to TrustedInstaller
• Tamper protection improvements
• Replaced ScanScheduleTime with new ScanScheduleOffest cmdlet in Set-MpPreference. This policy configures the number of minutes after midnight to perform a scheduled scan.
• Added the -ServiceHealthReportInterval setting to Set-MpPreference. This policy configures the time interval (in minutes) to perform a scheduled scan.
• Added the AllowSwitchToAsyncInspection setting to Set-MpPreference. This policy enables a performance optimization that allows synchronously inspected network flows to switch to async inspection once they've been checked and validated.
• Performance Analyzer v2 updates: Remote PowerShell and PowerShell 7.x support added. See Performance analyzer for Microsoft Defender Antivirus.
• Fixed potential duplicate packet bug in Microsoft Defender Antivirus network inspection system driver.

Known issues

• None

November-2021 (Platform: 4.18.2111.5 | Engine: 1.1.18800.4)

• Security intelligence update version: 1.355.2.0
• Released: December 9th, 2021
• Platform: 4.18.2111.5
• Engine: 1.1.18800.4
• Support phase: Technical upgrade support (only)

What's new

• Improved CPU usage efficiency of certain intensive scenarios on Exchange servers
• Added new device control status fields under Get-MpComputerStatus in Defender PowerShell module.
• Fixed bug in which SharedSignatureRoot value couldn't be removed when set with PowerShell
• Fixed bug in which tamper protection failed to be enabled, even though Microsoft Defender for Endpoint indicated that tamper protection was turned on
• Added supportability and bug fixes to performance analyzer for Microsoft Defender Antivirus tool. For more information, see Performance analyzer for Microsoft Defender Antivirus.
  • PowerShell ISE support added for New-MpPerformanceRecording
  • Fixed bug errors for Get-MpPerformanceReport -TopFilesPerProcess
  • Fixed performance recording session leak when using New-MpPerformanceRecording in PowerShell 7.x, remote sessions, and PowerShell ISE

Known issues

• None

October-2021 (Platform: 4.18.2110.6 | Engine: 1.1.18700.4)

• Security intelligence update version: 1.353.3.0
• Released: October 28th, 2021
• Platform: 4.18.2110.6
• Engine: 1.1.18700.4
• Support phase: Technical upgrade support (only)

What's new

• Improvements to file transfer protocol (FTP) network traffic coverage
• Fix to reduce Microsoft Defender CPU usage in Exchange Server running on Windows Server 2016
• Fix for scan interruptions
• Fix for alerts on blocked tampering attempts not appearing in Security Center
• Improvements to tamper resilience in Microsoft Defender service

Known issues

• None

September-2021 (Platform: 4.18.2109.6 | Engine: 1.1.18600.4)

• Security intelligence update version: 1.351.7.0
• Released: October 7th, 2021
• Platform: 4.18.2109.6
• Engine: 1.1.18600.4
• Support phase: Technical upgrade support (only)

What's new

• New delay ring for Microsoft Defender Antivirus engine and platform updates. Devices that opt into this ring receives updates with a 48-hour delay. The new delay ring is suggested for critical environments only. See Manage the gradual rollout process for Microsoft Defender updates.
• Improvements to Microsoft Defender update gradual rollout process

Known issues

• None

August-2021 (Platform: 4.18.2108.7 | Engine: 1.1.18500.10)

• Security intelligence update version: 1.349.22.0
• Released: September 2, 2021
• Platform: 4.18.2108.7
• Engine: 1.1.18500.10
• Support phase: Technical upgrade support (only)

What's new

• Improvements to the behavior monitoring engine
• Released new performance analyzer for Microsoft Defender Antivirus
• Microsoft Defender Antivirus hardened against loading malicious DLLs
• Microsoft Defender Antivirus hardened against the TrustedInstaller bypass
• Extending file change notifications to include more data for Human-Operated Ransomware (HumOR)

Known issues

• None

July-2021 (Platform: 4.18.2107.4 | Engine: 1.1.18400.4)

• Security intelligence update version: 1.345.13.0
• Released: August 5, 2021
• Platform: 4.18.2107.4
• Engine: 1.1.18400.4
• Support phase: Technical upgrade support (only)

What's new

• Device control support added for Windows Portable Devices
• Potentially unwanted applications (PUA) protection is turned on by default for consumers (See Block potentially unwanted applications with Microsoft Defender Antivirus.)
• Scheduled scans for Group Policy Object managed systems adhere to user configured scan time
• Improvements to the behavior monitoring engine

Known issues

• None

June-2021 (Platform: 4.18.2106.5 | Engine: 1.1.18300.4)

• Security intelligence update version: 1.343.17.0
• Released: June 28, 2021
• Platform: 4.18.2106.5
• Engine: 1.1.18300.4
• Support phase: Technical upgrade support (only)

What's new

• New controls for managing the gradual rollout process of Microsoft Defender updates. See Manage the gradual rollout process for Microsoft Defender updates.
• Improvement to the behavior monitoring engine
• Improvements to the rollout of antimalware definitions
• Extended Microsoft Edge network event inspections

Known issues

• None

May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)

• Security intelligence update version: 1.341.8.0
• Released: June 3, 2021
• Platform: 4.18.2105.4
• Engine: 1.1.18200.4
• Support phase: Technical upgrade support (only)

What's new

• Improvements to behavior monitoring
• Fixed network protection notification filtering feature

Known issues

• None

April-2021 (Platform: 4.18.2104.14 | Engine: 1.1.18100.5)

• Security intelligence update version: 1.337.2.0
• Released: April 26, 2021 (Engine: 1.1.18100.6 released May 5, 2021)
• Platform: 4.18.2104.14
• Engine: 1.1.18100.5
• Support phase: Technical upgrade support (only)

What's new

• More behavior monitoring logic
• Improved kernel mode key logger detection
• Added new controls to manage the gradual rollout process for Microsoft Defender updates

Known issues

• None

March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)

• Security intelligence update version: 1.335.36.0
• Released: April 2, 2021
• Platform: 4.18.2103.7
• Engine: 1.1.18000.5
• Support phase: Technical upgrade support (only)

What's new

• Improvement to the Behavior Monitoring engine
• Expanded network brute-force-attack mitigations
• More failed tampering attempt event generation when Tamper Protection is enabled

Known issues

• None

February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)

• Security intelligence update version: 1.333.7.0
• Released: March 9, 2021
• Platform: 4.18.2102.3
• Engine: 1.1.17900.7
• Support phase: Technical upgrade support (only)

What's new

• Improved service recovery through tamper protection
• Extend tamper protection scope

Known issues

• None

January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)

• Security intelligence update version: 1.327.1854.0
• Released: February 2, 2021
• Platform: 4.18.2101.9
• Engine: 1.1.17800.5
• Support phase: Technical upgrade support (only)

What's new

• Shellcode exploit detection improvements
• Increased visibility for credential stealing attempts
• Improvements in antitampering features in Microsoft Defender Antivirus services
• Improved support for ARM x64 emulation
• Fix: EDR Block notification remains in threat history after real-time protection performed initial detection

Known issues

• None

November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)

• Security intelligence update version: 1.327.1854.0
• Released: December 03, 2020
• Platform: 4.18.2011.6
• Engine: 1.1.17700.4
• Support phase: Technical upgrade support (only)

What's new

• Improved SmartScreen status support logging

Known issues

• None

October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)

• Security intelligence update version: 1.327.7.0
• Released: October 29, 2020
• Platform: 4.18.2010.7
• Engine: 1.1.17600.5
• Support phase: Technical upgrade support (only)

What's new

• New descriptions for special threat categories
• Improved emulation capabilities
• Improved host address allow/block capabilities
• New option in Defender CSP to Ignore merging of local user exclusions

Known issues

• None

September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)

• Security intelligence update version: 1.325.10.0
• Released: October 01, 2020
• Platform: 4.18.2009.7
• Engine: 1.1.17500.4
• Support phase: Technical upgrade support (only)

What's new

• Admin permissions are required to restore files in quarantine
• XML formatted events are now supported
• CSP support for ignoring exclusion merges
• New management interfaces for:
  • UDP Inspection
  • Network Protection on Server 2019
  • IP Address exclusions for Network Protection
• Improved visibility into TPM measurements
• Improved Office VBA module scanning

Known issues

• None

August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)

• Security intelligence update version: 1.323.9.0
• Released: August 27, 2020
• Platform: 4.18.2008.9
• Engine: 1.1.17400.5
• Support phase: Technical upgrade support (only)

What's new

• Add more telemetry events
• Improved scan event telemetry
• Improved behavior monitoring for memory scans
• Improved macro streams scanning
• Added AMRunningMode to Get-MpComputerStatus PowerShell cmdlet
• DisableAntiSpyware is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program.

Known issues

• None

July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)

• Security intelligence update version: 1.321.30.0
• Released: July 28, 2020
• Platform: 4.18.2007.8
• Engine: 1.1.17300.4
• Support phase: Technical upgrade support (only)

What's new

• Improved telemetry for BITS
• Improved Authenticode code signing certificate validation

Known issues

• None

June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)

• Security intelligence update version: 1.319.20.0
• Released: June 22, 2020
• Platform: 4.18.2006.10
• Engine: 1.1.17200.2
• Support phase: Technical upgrade support (only)

What's new

• Possibility to specify the location of the support logs
• Skipping aggressive catchup scan in Passive mode.
• Allow Defender to update on metered connections
• Fixed performance tuning when caching is disabled
• Fixed registry query
• Fixed scantime randomization in ADMX

Known issues

• None

May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)

• Security intelligence update version: 1.317.20.0
• Released: May 26, 2020
• Platform: 4.18.2005.4
• Engine: 1.1.17100.2
• Support phase: Technical upgrade support (only)

What's new

• Improved logging for scan events
• Improved user mode crash handling.
• Added event tracing for Tamper protection
• Fixed AMSI Sample submission
• Fixed AMSI Cloud blocking
• Fixed Security update install log

Known issues

• None

April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)

• Security intelligence update version: 1.315.12.0
• Released: April 30, 2020
• Platform: 4.18.2004.6
• Engine: 1.1.17000.2
• Support phase: Technical upgrade support (only)

What's new

• WDfilter improvements
• Add more actionable event data to attack surface reduction detection events
• Fixed version information in diagnostic data and WMI
• Fixed incorrect platform version in UI after platform update
• Dynamic URL intel for Fileless threat protection
• UEFI scan capability
• Extend logging for updates

Known issues

• None

March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)

• Security intelligence update version: 1.313.8.0
• Released: March 24, 2020
• Platform: 4.18.2003.8
• Engine: 1.1.16900.4
• Support phase: Technical upgrade support (only)

What's new

• CPU Throttling option added to MpCmdRun
• Improve diagnostic capability
• reduce Security intelligence timeout (5 min)
• Extend AMSI engine internal log capability
• Improve notification for process blocking

Known issues

• [Fixed] Microsoft Defender Antivirus is skipping files when running a scan.

February-2020 (Platform: - | Engine: 1.1.16800.2)

• Security intelligence update version: 1.311.4.0
• Released: February 25, 2020
• Platform/Client: -
• Engine: 1.1.16800.2
• Support phase: Technical upgrade support (only)

What's new

• None

Known issues

• None

January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)

• Security intelligence update version: 1.309.32.0
• Released: January 30, 2020
• Platform/Client: 4.18.2001.10
• Engine: 1.1.16700.2
• Support phase: Technical upgrade support (only)

What's new

• Fixed BSOD on WS2016 with Exchange
• Support platform updates when TMP is redirected to network path
• Platform and engine versions are added to WDSI
• extend Emergency signature update to passive mode
• Fix 4.18.1911.3 hang

Known issues

• [Fixed] devices utilizing modern standby mode may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.

Important

This update is:

• needed by RS1 devices running lower version of the platform to support SHA2;
• has a reboot flag for systems that have hanging issues;
• is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
• is categorized as an update due to the reboot requirement; and
• is only be offered with Windows Update.

November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)

• Security intelligence update version: 1.307.13.0
• Released: December 7, 2019
• Platform: 4.18.1911.3
• Engine: 1.1.17000.7
• Support phase: No support

What's new

• Fixed MpCmdRun tracing level
• Fixed WDFilter version info
• Improve notifications (PUA)
• add MRT logs to support files

Known issues

• When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.