Microsoft has recently rolled out its latest Defender patches for Windows 11 ISOs, a move that aligns with the company’s ongoing commitment to security through regular updates. These patches are typically released alongside the broader security updates that occur during Patch Tuesday. In a significant shift, Microsoft has announced a change regarding the delivery of security updates specifically for enterprise devices running Windows.
Changes to EDR Update Delivery
In a recent announcement, Microsoft revealed that updates for Microsoft Defender for Endpoint’s endpoint detection and response (EDR) will no longer be included with the monthly Windows security updates or Patch Tuesdays. Instead, the company is transitioning the delivery of these updates to Microsoft Update, aligning EDR servicing with other components of Microsoft Defender. This follows last year’s decision to move PowerShell updates to Microsoft Update, a platform that facilitates automatic updates for Microsoft products and services.
This strategic shift aims to enable Microsoft to provide EDR enhancements and security improvements independently of the operating system’s regular update cycle. Consequently, organizations can expect faster deployment of protection updates without the need to wait for the next scheduled Patch Tuesday release.
For those unfamiliar with Microsoft Defender for Endpoint’s EDR capabilities, they are designed to assist organizations in detecting, investigating, and responding to advanced threats across their managed devices. Keeping these components updated is essential for safeguarding against the ever-evolving landscape of cyber threats.
The rollout of this new update delivery method commenced for Windows 10 devices in late May 2026, with plans to gradually extend support to Windows 11 and other supported Windows versions in the months ahead. Microsoft anticipates that the deployment across both Windows 10 and Windows 11 will be completed by fall 2026, or approximately Q3 of this year.
Once the transition is finalized, EDR updates will be delivered via Microsoft Update using KB5005292, contingent upon the installation of necessary prerequisite updates. Additionally, Microsoft is introducing a new Defender Update Service as part of this change. Following the installation of the initial update, devices will automatically create a new directory located at %ProgramData%\Microsoft\Microsoft Defender\Defender Update. It is worth noting that occasional restarts may be required in the event of “rare” failure scenarios.
For the majority of organizations, no action will be necessary as long as Microsoft Update is already integrated into their update management strategy. However, administrators who rely on manually deployed update packages will need to adjust their processes to incorporate the new Defender update package. Microsoft also advises reviewing internal documentation and informing helpdesk and security operations teams about the updated delivery mechanism to minimize confusion during this transition.
As a prerequisite for this update, systems must be running Sense version 10.8798.25857.1000 or later and must have one of the following Windows updates (or later) installed:
- Win11 24H2 KB5062660 (2025-07 Cumulative Update Preview)
- Win11 23H2 KB5062663 (2025-07 Cumulative Update Preview)
- Win11 22H2 KB5062663 (2025-07 Cumulative Update Preview)
- Win10 22H2 KB5062649 (2025-07 Cumulative Update Preview)
- Win10 1809 KB5063877 (2025-08 Cumulative Update)
- Server 2019 KB5063877 (2025-08 Cumulative Update)
- Server 2022 KB5063880 (2025-08 Cumulative Update)
- Server 2025 KB5063878 (2025-08 Cumulative Update)
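The prerequisites above can be checked on a device with a short script. This is an added example, not code from Microsoft or the article; it assumes the "Sense version" is the file version of MsSense.exe in the ATP program directory and that Get-HotFix reports the installed cumulative update, and the function name Test-EdrUpdatePrereq is hypothetical.

```powershell
# Added example: readiness check for the prerequisites listed in the article.
# Assumptions (not from the article): the sensor binary is MsSense.exe under
# %ProgramFiles%\Windows Defender Advanced Threat Protection, and Get-HotFix
# lists the cumulative update currently installed.

$MinSense  = [version]'10.8798.25857.1000'
$PrereqKBs = 'KB5062660','KB5062663','KB5062649','KB5063877','KB5063880','KB5063878'

function Test-EdrUpdatePrereq {
    param(
        [string]$SenseVersion,     # sensor file version, '' if the binary was not found
        [string[]]$InstalledKBs    # HotFixID values present on the device
    )
    $parsed  = $null
    # Compare as [version], not as strings, so 10.8798.3 does not sort above 10.8798.25857.
    $senseOk = [version]::TryParse($SenseVersion, [ref]$parsed) -and $parsed -ge $MinSense
    $matched = @($InstalledKBs | Where-Object { $PrereqKBs -contains $_ })
    [pscustomobject]@{
        SenseVersion = $SenseVersion
        SenseOk      = $senseOk
        MatchedKB    = $matched -join ','
        # A later cumulative update replaces the listed KB in the hotfix list,
        # so "no match" means "verify manually", not "failed".
        KbStatus     = if ($matched.Count) { 'ListedKbPresent' } else { 'VerifyLaterCumulativeUpdate' }
    }
}

# Gather live values from the local device.
$sensePath = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection\MsSense.exe'
$senseVer  = ''
if (Test-Path $sensePath) {
    $vi = (Get-Item $sensePath).VersionInfo
    $senseVer = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}
$kbs    = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$result = Test-EdrUpdatePrereq -SenseVersion $senseVer -InstalledKBs $kbs

# The directory named in the article appears only after the initial update has installed.
$updateDir = Join-Path $env:ProgramData 'Microsoft\Microsoft Defender\Defender Update'
$result | Add-Member -NotePropertyName DefenderUpdateDirExists -NotePropertyValue (Test-Path $updateDir) -PassThru
```

Run it from a 64-bit PowerShell session so that %ProgramFiles% resolves to the directory that holds the sensor.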
Organizations are encouraged to ensure that their update policies are aligned with this new servicing approach before the broader rollout reaches all supported Windows platforms later this year. In the event of significant issues, the EDR update can be reverted to the inbox version stored in %ProgramFiles%\Windows Defender Advanced Threat Protection (ATP) using the following command:
MpCmdRun.exe -RevertMde -Product Edr -ToVersion Inbox
For those with access to the Microsoft 365 Admin Center portal, further details can be found under message ID MC1381119.