Microsoft Moves Defender EDR Updates to Microsoft Update Service
Microsoft is changing how it delivers Endpoint Detection and Response (EDR) updates for Microsoft Defender for Endpoint, moving them away from the traditional Patch Tuesday cycle and onto Microsoft Update.
The change, announced in Microsoft 365 Admin Center message MC1381119, means EDR updates will no longer arrive bundled with monthly Windows security updates.
EDR updates move to Microsoft Update
By separating EDR updates from monthly Windows cumulative updates, Microsoft can deliver fixes, enhancements, and security improvements without waiting for the next Patch Tuesday release.
The rollout began on Windows 10 devices in late May 2026. Microsoft plans to gradually expand support to Windows 11 and other supported Windows platforms over the coming months.
New Defender Update Service introduced
As part of the transition, Microsoft is introducing a new Defender Update Service responsible for delivering EDR package updates.
Once the first update installs, Windows will create a new folder at:
%ProgramData%\Microsoft\Microsoft Defender\Defender Update
After the migration is complete, EDR updates will be delivered through Microsoft Update using KB5005292, provided devices meet all prerequisites.
Most organizations will not need to take action
Organizations that already allow Microsoft Update through their update management infrastructure should not need to make significant changes.
However, administrators who manually deploy update packages must adjust their workflows to include the new Defender package.
Prerequisites apply before devices can receive updates
Devices must run Sense version 10.8798.25857.1000 or newer before receiving the new EDR update package.
Microsoft also requires specific prerequisite Windows updates, including July 2025 preview updates for Windows 10 and Windows 11, as well as August 2025 cumulative updates for several Windows Server releases.
Administrators can revert to the inbox EDR version stored in:
%ProgramFiles%\Windows Defender Advanced Threat Protection
The rollback process can be performed using the following command:
MpCmdRun.exe -RevertMde -Product Edr -ToVersion Inbox
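An added example, not from Microsoft or the original article: a PowerShell check an administrator could run on a device to see whether it meets the Sense version prerequisite, whether the new Defender Update folder has been created, and whether the sensor is currently running from the inbox location. It assumes the EDR sensor runs as the Windows service named Sense and that the file version of that service's binary is the Sense version; the function names are hypothetical, and the prerequisite Windows updates are not checked because the article gives no KB numbers for them.

```powershell
# Added example: readiness check for the EDR servicing change described above.
# Values taken from the article:
$MinSense  = [version]'10.8798.25857.1000'   # minimum Sense version
$UpdateDir = Join-Path $env:ProgramData  'Microsoft\Microsoft Defender\Defender Update'
$InboxDir  = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection'

function Get-SenseBinaryPath {
    # Assumption: the EDR sensor is registered as the service named 'Sense'.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Sense'" -ErrorAction SilentlyContinue
    if (-not $svc -or -not $svc.PathName) { return $null }
    # PathName may be quoted and may carry arguments; keep only the executable path.
    if ($svc.PathName -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($svc.PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-EdrUpdateReadiness {
    $path = Get-SenseBinaryPath
    $ver  = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Assumption: the binary's file version is the Sense version.
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SensePath          = $path
        SenseVersion       = $ver
        # False when the service is missing or the version is below the minimum.
        MeetsMinimumSense  = ($null -ne $ver -and $ver -ge $MinSense)
        # True when the running sensor binary lives under the inbox folder.
        RunningFromInbox   = ($null -ne $path -and
                              $path.StartsWith($InboxDir, [StringComparison]::OrdinalIgnoreCase))
        # True once the first update has created the new folder.
        DefenderUpdateDir  = (Test-Path -LiteralPath $UpdateDir)
    }
}

Test-EdrUpdateReadiness | Format-List
```

A device that reports MeetsMinimumSense as False will not receive the new EDR package until Sense is updated.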
Microsoft continues refining Windows security updates
Recently, the company updated Windows 11 and Windows Server installation media with the latest Defender definitions.
Microsoft also reportedly pulled back on legal action involving the YellowKey exploit. Separately, the company recently fixed a Windows Update issue that installed driver updates automatically.
The latest EDR servicing changes appear designed to give Microsoft more flexibility in responding to emerging threats while reducing the delay between development and deployment of security improvements.
Via Neowin