Latest Security Intelligence Update for Microsoft Defender Antivirus (2026)

Microsoft releases security intelligence updates for Defender Antivirus multiple times per day, making them one of the most frequently shipped software packages in the Windows ecosystem. As of April 24, 2026, the latest version is 1.449.276.0 (Engine 1.1.26030.3008 / Platform 4.18.26030.3011). These updates carry the detection logic, threat signatures, and AI-based analysis rules that Defender uses to identify malware — keeping them current is non-negotiable for any Windows endpoint. This guide explains what security intelligence updates are, how they differ from platform and engine updates, and every method available to install or verify them in 2026.

  • Multiple daily releases: Security intelligence updates ship several times per day; platform and engine updates release monthly.
  • Latest version as of April 24, 2026: 1.449.276.0 — check yours at Windows Security → Virus & threat protection → Protection updates.
  • The quickest manual update: open an elevated PowerShell and run Update-MpSignature.
  • Enterprise admins can push updates via WSUS, Microsoft Configuration Manager, MpCmdRun.exe, or UNC file share.
  • If an update causes problems, roll back with MpCmdRun.exe -RemoveDefinitions -All.

What Is a Security Intelligence Update and How Defender Applies It

Microsoft Defender Antivirus uses three distinct update tracks — security intelligence, platform, and engine — each released on a different schedule and serving a different purpose. Security intelligence updates are the most frequent and carry the definitions and behavioral detection rules that identify new threats. Understanding the difference between the three helps you troubleshoot protection gaps and configure update policies correctly for enterprise endpoints.

Security Intelligence vs Platform vs Engine Updates

Each update type has its own KB article and release cadence:

| Update Type | KB Article | Release Cadence | What It Contains |
|---|---|---|---|
| Security intelligence | KB2267602 | Multiple times per day | Malware signatures, heuristics, behavioral rules, AI detection models |
| Platform | KB4052623 | Monthly | Defender engine platform binaries; required for Security & Critical update support |
| Engine | Included with security intelligence | Monthly (bundled) | Core scanning engine updates; shipped alongside security intelligence packages |

Platform and engine updates follow an N-2 support window: after a new version ships, the previous two versions receive only technical upgrade support. Versions older than N-2 are unsupported. This means endpoints that haven’t applied platform updates in more than two monthly cycles may be running unsupported configurations, even if their security intelligence definitions are current.

How Cloud-Delivered Protection (MAPS) Supplements Updates

Alongside local definitions, Defender uses cloud-delivered protection — also called the Microsoft Advanced Protection Service (MAPS). MAPS provides near-real-time analysis for unknown files and behaviors that haven’t yet been packaged into a local security intelligence update. Cloud protection is on by default and requires an active internet connection; it does not replace security intelligence updates but fills the gap between release cycles.

The April 2026 security intelligence update (v1.447.209.0) bundled new AI-powered cloud analysis rules designed to detect emerging zero-day campaigns targeting Windows endpoints. Cloud protection analyzes suspicious files against Microsoft’s global threat telemetry in milliseconds, providing a detection layer that local signatures alone cannot match during the hours between intelligence releases.

Supported Platforms and Architectures

Security intelligence updates apply to a broad range of Microsoft platforms beyond standard Windows desktops:

  • Client: Windows 10 (all editions), Windows 11
  • Server: Windows Server 2012 R2 and later
  • Cloud: Azure Stack HCI OS version 23H2 and later
  • Images: WIM and VHD(x) OS installation images (via DISM)
  • Architecture: x86, x64, and ARM64

Updates for Windows 7 and 8.1 endpoints running System Center Endpoint Protection use KB2461484. Organizations still running legacy Windows environments should verify that SCEP is receiving definitions separately from modern Defender deployments.

How to Get the Latest Security Intelligence Update in 2026

Defender updates arrive automatically on most managed and consumer endpoints, but there are scenarios — air-gapped networks, delayed WSUS sync, troubleshooting stale definitions — where you need to trigger an update manually. The methods below cover every supported approach from GUI to command-line, ordered from simplest to most advanced.

Automatic Updates via Windows Update (Default)

For the majority of Windows 10 and 11 users, Windows Update automatically downloads and installs security intelligence updates in the background without user intervention. No configuration is required on devices that are connected to the internet and have Windows Update enabled.

To verify that automatic updates are working: open Windows Security → Virus & threat protection → Protection updates. The screen shows the current security intelligence version, the engine version, and the date and time of the last successful update. If the “Last update” timestamp is more than a few hours old on an internet-connected machine, the automatic update mechanism may need attention.

Manual Update via Windows Security App and PowerShell

Three methods work for immediate manual updates on individual Windows endpoints:

  1. Windows Security app (GUI): Open Windows Security → Virus & threat protection → Protection updates → Check for updates. Defender downloads and applies the latest intelligence package.
  2. PowerShell: Open an elevated PowerShell prompt and run:
    Update-MpSignature

    This is the fastest scripted approach for individual machines or small fleets without enterprise management infrastructure.

  3. Direct download: Navigate to microsoft.com/en-us/wdsi/defenderupdates and download the appropriate installer (mpam-feX64.exe for 64-bit systems). Run the executable as administrator to apply the update offline.

Enterprise Deployment: WSUS, MECM, MpCmdRun, and UNC Share

Enterprise environments have multiple policy-controlled distribution methods. Each suits a different infrastructure pattern:

  • Windows Server Update Services (WSUS): Synchronize Defender definitions through WSUS and deploy via Group Policy. Recommended for organizations with existing WSUS infrastructure. Note: monthly platform updates appear in WSUS as multiple packages due to phased release.
  • Microsoft Configuration Manager (MECM/SCCM): Use the Software Update Point (SUP) component to deploy security intelligence alongside other Windows updates.
  • MpCmdRun.exe command-line: Run the following from an elevated Command Prompt on any Windows endpoint:
    MpCmdRun.exe -SignatureUpdate

    To pull from a UNC file share (useful for air-gapped or segmented networks):

    MpCmdRun.exe -SignatureUpdate -UNC \\FileServer\ShareName

    To force a pull directly from Microsoft’s update servers:

    MpCmdRun.exe -SignatureUpdate -MMPC

  • UNC file share: Download the definition package to a local or network share and point endpoints to it via Group Policy — the standard approach for fully air-gapped networks.
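
The UNC share method can also be scripted with the Defender PowerShell cmdlets so that the result is verified rather than assumed. The following is an added example, not code from Microsoft or from the original article: the function name is hypothetical, \\FileServer\ShareName is the placeholder share used above, and the source order (share first, then Microsoft's servers) is an assumption.

```powershell
# Added example: point Defender at a UNC definition share, update, and confirm
# that the signature version actually moved. Run from an elevated prompt.
# Update-DefenderFromShare is a hypothetical name; the share path is a placeholder.
function Update-DefenderFromShare {
    param(
        [string]   $SharePath = '\\FileServer\ShareName',
        [string[]] $Sources   = @('FileShares', 'MMPC')   # assumed order
    )
    # Store the share and source order as local preferences.
    # Group Policy, if configured, takes precedence over these values.
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $SharePath `
                     -SignatureFallbackOrder ($Sources -join '|')

    $before = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    foreach ($source in $Sources) {
        try {
            Update-MpSignature -UpdateSource $source -ErrorAction Stop
        } catch {
            Write-Warning "Update from $source failed: $($_.Exception.Message)"
            continue
        }
        $after = [version](Get-MpComputerStatus).AntivirusSignatureVersion
        return [pscustomobject]@{
            Source  = $source
            Before  = $before
            After   = $after
            Updated = $after -gt $before   # False means the source had nothing newer
        }
    }
    throw "No update source succeeded: $($Sources -join ', ')"
}

Update-DefenderFromShare
```

On a fully air-gapped network, pass -Sources FileShares so the script does not attempt to reach Microsoft's servers. An Updated value of False on an endpoint with old definitions usually means the share itself is stale.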

Check Your Current Version and Roll Back an Update

To see your active security intelligence version: open Windows Security → Virus & threat protection → Protection updates, or run Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated in PowerShell.

If a security intelligence update introduces detection regressions or causes compatibility issues, three rollback commands are available:

| Rollback Scope | Command |
|---|---|
| All definitions (back to inbox version) | MpCmdRun.exe -RemoveDefinitions -All |
| Engine only (previous version) | MpCmdRun.exe -RemoveDefinitions -Engine |
| Dynamic signatures only | MpCmdRun.exe -RemoveDefinitions -DynamicSignatures |

Rollback should be used as a temporary measure while Microsoft investigates a reported false positive — endpoints remain protected by cloud-delivered MAPS during the rollback window, but local definition coverage is reduced. After rolling back, pause automatic updates via Group Policy or Windows Security until a corrected intelligence package is confirmed. Microsoft’s troubleshooting guide for security intelligence not updating covers common failure patterns including WSUS sync issues, proxy blocks, and disk space constraints that prevent update installation.

The least obvious aspect of Defender’s update architecture: security intelligence updates ship multiple times per day, but the version number alone doesn’t tell you whether cloud protection is active — an endpoint with a 12-hour-old intelligence package but active MAPS cloud connection is better protected than one with the latest local definitions but no internet access. Check both AntivirusSignatureVersion and MAPSReporting status together for a complete picture. For enterprise-scale deployment, use WSUS with a DISM-updated base image so new device deployments start with current definitions before their first Windows Update cycle completes.
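
The combined check described above spans two cmdlets: signature version and timestamp come from Get-MpComputerStatus, while MAPSReporting comes from Get-MpPreference. The following is an added example, not code from Microsoft or from the original article; the function name, the 24-hour staleness threshold, and the sample objects are assumptions constructed for illustration.

```powershell
# Added example: combine signature age with the cloud protection (MAPS) setting.
# Get-DefenderUpdatePosture and the 24-hour threshold are assumptions.
function Get-DefenderUpdatePosture {
    param(
        [Parameter(Mandatory)] $Status,       # shaped like Get-MpComputerStatus output
        [Parameter(Mandatory)] $Preference,   # shaped like Get-MpPreference output
        [datetime] $Now = (Get-Date),
        [int] $MaxSignatureAgeHours = 24
    )
    $ageHours = [math]::Round(($Now - $Status.AntivirusSignatureLastUpdated).TotalHours, 1)
    $stale    = $ageHours -gt $MaxSignatureAgeHours
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced
    $cloudOn  = [int]$Preference.MAPSReporting -ne 0

    if     ($stale -and -not $cloudOn) { $verdict = 'Stale signatures, cloud protection off' }
    elseif ($stale)                    { $verdict = 'Stale signatures, cloud protection on' }
    elseif (-not $cloudOn)             { $verdict = 'Current signatures, cloud protection off' }
    else                               { $verdict = 'Current signatures, cloud protection on' }

    [pscustomobject]@{
        SignatureVersion  = $Status.AntivirusSignatureVersion
        SignatureAgeHours = $ageHours
        MAPSReporting     = [int]$Preference.MAPSReporting
        Verdict           = $verdict
    }
}

# Constructed sample data (not captured from real endpoints).
$now     = [datetime]'2026-04-24T18:00:00'
$recent  = [pscustomobject]@{ AntivirusSignatureVersion = '1.449.276.0'
                              AntivirusSignatureLastUpdated = $now.AddHours(-2) }
$halfDay = [pscustomobject]@{ AntivirusSignatureVersion = '1.449.276.0'
                              AntivirusSignatureLastUpdated = $now.AddHours(-12) }
$old     = [pscustomobject]@{ AntivirusSignatureVersion = '1.449.276.0'
                              AntivirusSignatureLastUpdated = $now.AddHours(-72) }
$mapsOff = [pscustomobject]@{ MAPSReporting = 0 }
$mapsOn  = [pscustomobject]@{ MAPSReporting = 2 }

Get-DefenderUpdatePosture -Status $recent  -Preference $mapsOff -Now $now
Get-DefenderUpdatePosture -Status $halfDay -Preference $mapsOn  -Now $now
Get-DefenderUpdatePosture -Status $old     -Preference $mapsOff -Now $now

# Live endpoint:
# Get-DefenderUpdatePosture -Status (Get-MpComputerStatus) -Preference (Get-MpPreference)
```

MAPSReporting reflects configuration only, not reachability; MpCmdRun.exe -ValidateMapsConnection tests whether the endpoint can actually contact the cloud service.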

Frequently Asked Questions

What is a security intelligence update for Microsoft Defender?

A security intelligence update (KB2267602) delivers new malware signatures, behavioral detection rules, and AI-based threat models to Microsoft Defender Antivirus. These packages ship multiple times daily and are separate from monthly platform and engine updates.

How often does Microsoft release security intelligence updates?

Microsoft releases security intelligence updates for Defender Antivirus multiple times per day. Platform and engine updates ship on a monthly cadence. The frequent release schedule ensures definitions stay current with fast-moving malware campaigns.

What is the latest security intelligence update version?

As of April 24, 2026, the latest version is 1.449.276.0 with Engine 1.1.26030.3008 and Platform 4.18.26030.3011. Always check the current version at microsoft.com/en-us/wdsi/defenderupdates, as new packages ship multiple times daily.

How do I manually update Microsoft Defender via PowerShell?

Open an elevated PowerShell prompt and run: Update-MpSignature. This forces Defender to download and apply the latest security intelligence package immediately without waiting for the scheduled automatic update cycle.

What is KB2267602?

KB2267602 is the Knowledge Base identifier for Microsoft Defender Antivirus security intelligence updates. It tracks all definition and behavioral signature packages released for Defender on Windows 10, 11, and Server.

How do I roll back a Defender security intelligence update?

Run MpCmdRun.exe -RemoveDefinitions -All in an elevated Command Prompt to roll back to the original inbox definitions. Use -Engine to revert only the engine, or -DynamicSignatures to remove only dynamically downloaded signatures. Pause automatic updates after rolling back.