
Microsoft Defender EDR Updates Now Ship via Microsoft Update — What Changes for Endpoint Admins

Imran Awan
26 June 2026

Microsoft has changed how it distributes Defender for Endpoint EDR component updates. Rather than bundling EDR updates with the monthly Windows OS cumulative update, Microsoft now ships them independently through Microsoft Update. This decoupling started rolling out to Windows 10 in late May 2026 and is expanding to Windows 11 and other Windows versions through the rest of the year, with the rollout expected to be complete by fall 2026. For most organisations this is seamless, but if you use manual deployment packages or restrict Windows Update in any way, you need to read on.

What Is the EDR Component and Why Does This Matter

Microsoft Defender for Endpoint is made up of several distinct components that can be updated at different cadences. The three you encounter most often are:

| Component | What it covers | Update channel |
|---|---|---|
| Security Intelligence | Malware definitions, threat signatures | Already separate — updated multiple times daily via Microsoft Update, MMPC, or internal UNC/WSUS |
| Antivirus Platform | The Defender AV engine and platform binaries | Delivered via Microsoft Update independently of OS patches |
| EDR Component | Detection, investigation, and response capabilities for Defender for Endpoint | Now moving to Microsoft Update — this is the change |

Previously, the EDR component only updated when a new monthly Windows OS cumulative update was installed. This meant EDR improvements, new detection logic, and EDR bug fixes were tied to your OS patching cadence — which for many organisations is a 30-day cycle with deferred rings. The new model lets Microsoft push EDR updates faster and independently, without waiting for the next Patch Tuesday.

Why Microsoft is making this change

Decoupling EDR from the OS update train gives Microsoft the ability to respond to new attacker techniques faster. An EDR improvement that takes three weeks to build does not have to wait until the next Patch Tuesday to reach your endpoints. This is the same rationale that drove the earlier separation of Security Intelligence and the Antivirus Platform from the OS rollup.

Rollout Timeline

Late May 2026

Windows 10 — live now

EDR updates are already flowing independently via Microsoft Update for Windows 10 devices enrolled in Defender for Endpoint.

Fall 2026

Windows 11 + other versions

Expansion to Windows 11 and the remaining Windows versions is underway and expected to be complete by fall 2026.

What You Need to Do — Or Not Do

Your required action depends entirely on how you currently deliver Windows updates to your endpoints.

Microsoft Update / Windows Update for Business / Intune / Windows Autopatch

No action required. The new EDR update package will be delivered automatically alongside your existing update traffic. Nothing changes in your management tooling.

WSUS / manual deployment packages / disconnected environments

Action required. You need to add the new Defender for Endpoint EDR update package to your manual deployment workflow. This package is separate from the monthly OS cumulative update. Failing to do so means your EDR component will fall behind as Microsoft releases new EDR updates independently. Check the Microsoft Update Catalog for the EDR update package.

Air-gapped / offline networks

Action required. Your existing process for staging and deploying Windows update packages will need to include the EDR package. Review your disconnected update procedures and confirm the EDR package is included in your next staging cycle.

How to Check Your EDR Component Version

To verify the current EDR component version on a Windows device, open PowerShell as administrator and run:

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection' -Name 'EDRComponentVersion' -ErrorAction SilentlyContinue
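
For WSUS, manual-package and air-gapped estates, the same registry read can be turned into a pass/fail check against the EDR package version you last staged. The function below is an added example, not code from the original post or from Microsoft; the function name and the `-MinimumVersion` baseline are assumptions, and it reports a missing or unparseable value explicitly instead of printing nothing.

```powershell
# Added example: local EDR component check for manually patched devices.
# Assumption: -MinimumVersion is the version of the EDR package you last
# staged from the Microsoft Update Catalog (supply your own value).
function Test-EdrComponentVersion {
    param(
        [Parameter(Mandatory)]
        [version]$MinimumVersion,
        # Registry path and value name as given in the article.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection',
        [string]$Name = 'EDRComponentVersion'
    )

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RawValue       = $null
        MinimumVersion = $MinimumVersion
        SenseService   = $null
        Status         = 'Unknown'
    }

    # "Sense" is the Defender for Endpoint service; record whether it is running.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $result.SenseService = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

    # A missing key or value returns nothing; report that instead of staying silent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if (-not $item) {
        $result.Status = 'ValueMissing'
        return $result
    }

    $result.RawValue = [string]$item.$Name
    $parsed = $null
    if (-not [version]::TryParse($result.RawValue, [ref]$parsed)) {
        $result.Status = 'Unparseable'
        return $result
    }

    $result.Status = if ($parsed -ge $MinimumVersion) { 'Current' } else { 'Behind' }
    return $result
}

# Constructed baseline for illustration only; replace with your staged version.
Test-EdrComponentVersion -MinimumVersion '0.0.0.0'
```

A `Behind` or `ValueMissing` status on a device that is supposed to be onboarded is the signal that the EDR package is not reaching it through your manual workflow.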

You can also view the Defender component versions in the Microsoft Defender portal under Settings > Endpoints > Device inventory — select any device and look at the Sensor health section for the EDR sensor version.

For fleet-wide visibility, the DeviceInfo table in Microsoft Defender advanced hunting includes sensor version data you can query across your estate:

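DeviceInfo
| where Timestamp > ago(7d)
// Keep only the most recent record for each device
| summarize arg_max(Timestamp, *) by DeviceId
// ClientVersion is the sensor version reported by the device
| project DeviceName, OSPlatform, OSVersion, ClientVersion, SensorHealthState, AadDeviceId
| order by DeviceName asc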

Admin Action Checklist

  • Identify whether your devices receive updates via Microsoft Update/WUfB/Intune (no action) or via WSUS/manual packages (action required)
  • If using manual packages: locate the Defender for Endpoint EDR update package in the Microsoft Update Catalog and add it to your deployment workflow
  • If using air-gapped/disconnected networks: update your staging procedures to include the EDR package
  • Verify current EDR component versions across your estate using advanced hunting or device inventory
  • Monitor for further announcements as the rollout expands to Windows 11 and other Windows versions through fall 2026
  • Check your Defender for Endpoint sensor health reports after the rollout reaches your Windows 10 devices to confirm updates are landing correctly
