MC1381119: Microsoft Defender for Endpoint security updates move to Microsoft Update on Windows

Microsoft Defender for Endpoint EDR updates will move from monthly Windows security updates to Microsoft Update starting late May 2026 for Windows 10, expanding to Windows 11 and others by fall 2026. Updates won't usually require restarts. No action needed if using Microsoft Update; manual deploy...

[What and Why:]

Instead of being bundled with the monthly Windows security update, Microsoft Defender endpoint detection and response (EDR) updates will now be delivered through Microsoft Update, consistent with how other Microsoft Defender components are serviced.

This change allows EDR security improvements to be delivered independently of monthly operating system updates.

[Rollout Schedule:]

  • Rollout began with Windows 10 in late May 2026.
  • Rollout will expand to Windows 11, followed by remaining supported Windows versions.
  • We expect the rollout for Windows 10 and 11 to be completed by fall 2026.

[Impact on Your Organization:]

Who is affected: Organizations using Microsoft Defender for Endpoint on supported Windows devices.

Platforms / Services:

  • All Windows OSes currently supported by Microsoft Defender for Endpoint

What will happen:

  • EDR updates will no longer be bundled with the monthly Windows security update.
  • EDR updates will be delivered through Microsoft Update via KB 5005292 once required prerequisite updates are installed.
  • A new Defender Update Service will be introduced.
  • When the first update is installed, a new directory will be created on the device: %ProgramData%\Microsoft\Microsoft Defender\Defender Update
  • EDR updates typically do not require a device restart. In rare failure scenarios, a restart may be required.

Prerequisite updates:

Devices must be running Sense version 10.8798.25857.1000 or later and have one of the following updates (or later) installed:

  • Win11 24H2 KB 5062660 (2025-07 Cumulative Update Preview)
  • Win11 23H2 KB 5062663 (2025-07 Cumulative Update Preview)
  • Win11 22H2 KB 5062663 (2025-07 Cumulative Update Preview)
  • Win10 22H2 KB 5062649 (2025-07 Cumulative Update Preview)
  • Win10 1809 KB 5063877 (2025-08 Cumulative Update)
  • Server 2019 KB 5063877 (2025-08 Cumulative Update)
  • Server 2022 KB 5063880 (2025-08 Cumulative Update)
  • Server 2025 KB 5063878 (2025-08 Cumulative Update)
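
An added example (not part of Microsoft's notice): a PowerShell readiness check for the prerequisites listed above. The function name, the build numbers used to identify the OS, and the assumption that the Sense version equals the file version of the Sense service binary belong to this example, not to the notice.

```powershell
function Test-MdeEdrUpdateReadiness {
    # Minimum Sense version stated in the notice.
    $minSense = [version]'10.8798.25857.1000'
    # Prerequisite KB per OS from the notice. Keys are "<build>-<C|S>" (client/server);
    # the build numbers are added here to identify the OS, they are not in the notice.
    $kbByOs = @{
        '26100-C' = 'KB5062660'   # Win11 24H2
        '22631-C' = 'KB5062663'   # Win11 23H2
        '22621-C' = 'KB5062663'   # Win11 22H2
        '19045-C' = 'KB5062649'   # Win10 22H2
        '17763-C' = 'KB5063877'   # Win10 1809
        '17763-S' = 'KB5063877'   # Server 2019
        '20348-S' = 'KB5063880'   # Server 2022
        '26100-S' = 'KB5063878'   # Server 2025
    }
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $key = '{0}-{1}' -f $os.BuildNumber, $(if ($os.ProductType -eq 1) { 'C' } else { 'S' })
    $kb  = $kbByOs[$key]          # $null when the OS is not in the notice's list

    # Assumption: the Sense version is the file version of the Sense service binary.
    $senseVersion = $null
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Sense'"
    if ($svc -and $svc.PathName -match '^"?(.+?\.exe)') {
        $vi = (Get-Item -LiteralPath $Matches[1] -ErrorAction SilentlyContinue).VersionInfo
        if ($vi) {
            $senseVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart)
        }
    }

    # Get-HotFix only proves presence of this exact KB. A later cumulative update
    # also meets the prerequisite, so "not found" is inconclusive, not a failure.
    $kbState = if (-not $kb) { 'OS not in prerequisite list' }
               elseif (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { 'Installed' }
               else { 'Not found (check for a later cumulative update)' }

    $updateDir = Join-Path $env:ProgramData 'Microsoft\Microsoft Defender\Defender Update'
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SenseVersion      = $senseVersion
        SenseMeetsMinimum = ($null -ne $senseVersion -and $senseVersion -ge $minSense)
        PrerequisiteKb    = $kb
        PrerequisiteState = $kbState
        UpdateDirPresent  = Test-Path -LiteralPath $updateDir   # created by the first update
    }
}
Test-MdeEdrUpdateReadiness
```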

[Action Required / Recommendations:]

  • No action is required for organizations that allow updates through Microsoft Update.
  • If your organization uses manual update package deployment, ensure this new Defender update package is included in your standard update process.
  • Review internal documentation and operational procedures that reference Defender for Endpoint update behavior.
  • Inform helpdesk and security operations teams about the new update delivery method.

Rollback guidance (if needed):

Administrators can roll back EDR updates using the Microsoft Defender command-line utility.

Revert EDR to the inbox version stored in %ProgramFiles%\Windows Defender Advanced Threat Protection:

MpCmdRun.exe -RevertMde -Product Edr -ToVersion Inbox

Revert EDR to the N-1 version, if a backup is available in %ProgramData%\Microsoft\Windows Defender Advanced Threat Protection\Platform:

MpCmdRun.exe -RevertMde -Product Edr -ToVersion Previous

[Compliance considerations:]

Compliance Area | Explanation
Data processing or storage changes | The change introduces a new local update service directory for Defender updates but does not introduce new customer data types.
Admin controls | Update delivery is governed by existing Windows Update and Microsoft Update configuration policies.