If the built-in Microsoft Defender Antivirus is not updating automatically, we recommend using the diagnostic and troubleshooting steps outlined in this article to resolve common definition update issues.
Before proceeding, note that Windows 10 and 11 include two built-in mechanisms for updating Microsoft Defender engine files and antivirus signature definitions:
- Microsoft Defender updates are automatically downloaded and installed through Windows Update. Open the update installation history in the Windows Control Panel (
ms-settings:windowsupdate-history). Note the Security Intelligence Update for Microsoft Defender Antivirus — KB2267602 (Version xxxxxx) — Current Channel (Broad) update under “Definition Updates.” It is downloaded and installed regularly via Windows Update or your enterprise WSUS server. The update KB2267602 contains both definitions and engine updates. Even if the Windows Update service is disabled, Microsoft Defender Antivirus will continue to update using its built-in update mechanism described below.
- The Windows Defender engine regularly checks Microsoft servers for new antivirus signature databases and updates them automatically.
If the KB2267602 update fails to download via Windows Update (the download hangs at 0%) or you encounter errors (80072f8f or 0x80072ee2) when installing it, check your internet connectivity and Windows Update policy settings. If needed, reset the Windows Update service configuration on a computer. In fact, however, Windows Update is not the primary method for updating antivirus definitions on a computer.
Run the following PowerShell command to find out when the Defender antivirus databases were last updated and whether automatic updating is enabled:
Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion|fl
The Windows Security UWP app is used to manage the built-in antivirus in Windows 10/11 and Windows Server 2025/2022. You can open it from the Settings app or using the command:
ms-settings:windowsdefender
The Virus and Threat Protection Updates section shows the version of the antivirus database and when it was last updated.
If the built-in Microsoft Defender update mechanism is not working, you will see an error here:
Protection definition update failed (800704C6)
Now, let’s review how to diagnose and resolve common Defender antivirus database update issues.
The frequency with which the update task runs is configured in the Windows Defender settings. Make sure both of these parameters are set.
Get-MpPreference | Select-Object SignatureScheduleDay, SignatureScheduleTime
Ensure that the Microsoft Defender antivirus is not disabled and all dependent services are running.
get-service WdNisSvc, WinDefend, wscsvc | select name,status,starttype
Try updating the antivirus database definitions manually using the command:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
If an error occurs during the database update, you can find more information about it in the %userprofile%\AppData\Local\Temp\MpCmdRun.log file.
For example, error code 0x8024401B indicates that the computer is unable to connect to Microsoft Update servers.
Search Started (MU/WU update) (Path:https://fe2cr.update.microsoft.com/v6/ )... Update failed with hr: 0x8024401b
This usually means that the computer is in an isolated environment with no internet access, or with restricted connectivity due to proxy or firewall rules.
Use the Test-NetConnection command to check the connection to the Microsoft Update servers from a computer.
tnc fe2cr.update.microsoft.com -port 443
In my case, I found that the WinHTTP proxy settings had an incorrect address set. Check the current WinHTTP proxy settings.
netsh winhttp show proxy
Reset the system proxy settings (direct access will be used):
netsh winhttp reset proxy
In some cases, Defender may stop receiving updates if the current databases are corrupted. Try resetting the antivirus definition database and performing an online update.
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -removedefinitions -all
Perform a database update:
Update-MpSignature -Verbose
VERBOSE: Virus and spyware definitions update was completed successfully.
Check if there are any Windows Defender antivirus settings configured via Group Policy. Run the rsop.msc command to get a report with the resulting GPO settings.
Any Defender settings applied to the computer via GPO will be displayed in Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus. Analyze which options are enabled and their purpose. By default, nothing should be set. If necessary, edit the local GPO using the gpedit.msc editor or reset the local Group Policy settings.
When diagnosing issues, it is helpful to review antivirus-related event logs in the Event Viewer: Applications and Services Logs -> Microsoft -> Windows -> Windows Defender -> Operational. For example, Event ID 2002 indicates a successful antivirus update.
In some cases, manually installing Microsoft Defender antivirus databases can fix the update problem.
- Follow this link to download the mpam-fe.exe file containing Microsoft Defender Antivirus updates for your operating system: https://www.microsoft.com/en-us/wdsi/defenderupdates
- Reset the Defender settings:
cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -all - Run the
mpam-fe.exefile as an administrator. - Make sure the antivirus definition database is up to date:
Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion
