Microsoft refreshes Defender update package for Windows installation images, but latest live signatures are newer


Microsoft has updated its offline Microsoft Defender package for Windows installation images, which helps admins bake newer antimalware components into WIM and VHD images before deployment. Microsoft’s support page for the installation-image package currently lists Defender package version 1.445.323.0, platform version 4.18.26020.6, engine version 1.1.26020.1, and security intelligence version 1.445.323.0.

That package matters because freshly deployed Windows systems can otherwise start life with older malware protection. Microsoft says servicing OS installation images reduces that protection gap and recommends following a three-month update routine for offline images.

There is one important distinction here. The offline image package is not the same thing as Microsoft’s latest live security intelligence release. Microsoft’s Defender updates page shows the current live security intelligence update at version 1.447.233.0 with engine version 1.1.26020.3 and platform version 4.18.26020.6, released on April 8, 2026.

What the offline Defender image update actually covers

Microsoft says the offline package supports Windows 11, Windows 10 ESU, Windows 10 Enterprise LTSC 2021, Windows 10 Enterprise LTSC 2019, Windows 10 Enterprise LTSB 2016, Windows Server 2022, Windows Server 2019, and Windows Server 2016. The package is meant for offline servicing of Windows images rather than day-to-day endpoint updating after deployment.

Microsoft also says no ordering is required between applying the latest cumulative update and applying the offline Defender package. That simplifies image maintenance for admins building or refreshing base images for enterprise rollout.

On the support page’s change log, Microsoft says it updated the version numbers to the current versions for the February 2026 release on March 31, 2026. So while some reports frame this as a fresh April 7 image-package release, Microsoft’s own installation-image page currently points to a March 31 documentation refresh for the version information section.

Live Defender updates continue moving faster

Microsoft’s standard Defender security intelligence updates arrive much more often than the offline image package. The company says platform and engine updates follow a monthly cadence, while security intelligence updates are delivered multiple times a day.

That explains why the numbers on Microsoft’s live Defender updates page already sit ahead of the offline image package. As of April 8, 2026, the live update page lists security intelligence version 1.447.233.0, engine version 1.1.26020.3, and platform version 4.18.26020.6.

For admins, the takeaway is simple. The offline package helps create stronger deployment images, but endpoints should still connect to normal update channels after rollout so they can pick up newer definitions quickly. Microsoft says Microsoft Update provides rapid releases and smaller, more frequent downloads for the best protection level.

Key details at a glance

| Item | Offline installation image package | Latest live Defender update |
| --- | --- | --- |
| Security intelligence | 1.445.323.0 | 1.447.233.0 |
| Engine | 1.1.26020.1 | 1.1.26020.3 |
| Platform | 4.18.26020.6 | 4.18.26020.6 |
| Best use case | Servicing WIM and VHD images offline | Protecting active endpoints |
| Source | Microsoft Support image package page | Microsoft Security Intelligence updates page |

How admins can update Defender manually

  • Use Windows Update for standard endpoint updates where possible. Microsoft recommends automatic updates for normal deployments.
  • To force a manual refresh on a running system, Microsoft says admins can use:
    • cd %ProgramFiles%\Windows Defender
    • MpCmdRun.exe -removedefinitions -dynamicsignatures
    • MpCmdRun.exe -SignatureUpdate
  • For offline or restricted environments, download the appropriate manual package for 32-bit, 64-bit, or ARM systems from Microsoft’s Defender updates page.
  • For base images, apply the dedicated Defender installation-image package to supported WIM or VHD files before deployment.
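A post-deployment check for the gap described in this article, as an added example that is not from Microsoft or the original page: it compares a running endpoint's Defender versions against the offline image baseline quoted above and requests a signature update if the machine is still on image-baked content. The function name Test-DefenderFreshness, the one-day age threshold, and the fallback sample object are assumptions made for illustration.

```powershell
# Added example: flag endpoints still running the Defender content baked into the image.
# Baseline values are the offline image package versions quoted in this article.
$ImageBaseline = @{
    Signature = [version]'1.445.323.0'
    Engine    = [version]'1.1.26020.1'
    Platform  = [version]'4.18.26020.6'
}

function Test-DefenderFreshness {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Status,               # shaped like Get-MpComputerStatus output
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [int] $MaxAgeDays = 1                         # assumption: local policy, not a Microsoft value
    )
    $findings = @()
    # Equal to the baseline means no live update has landed since imaging.
    if ([version]$Status.AntivirusSignatureVersion -le $Baseline.Signature) {
        $findings += "Security intelligence $($Status.AntivirusSignatureVersion) is not newer than image baseline $($Baseline.Signature)"
    }
    if ([version]$Status.AMEngineVersion -lt $Baseline.Engine) {
        $findings += "Engine $($Status.AMEngineVersion) is older than image baseline $($Baseline.Engine)"
    }
    if ([version]$Status.AMProductVersion -lt $Baseline.Platform) {
        $findings += "Platform $($Status.AMProductVersion) is older than image baseline $($Baseline.Platform)"
    }
    if ($Status.AntivirusSignatureAge -gt $MaxAgeDays) {
        $findings += "Security intelligence is $($Status.AntivirusSignatureAge) days old (limit $MaxAgeDays)"
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Use the live status where the Defender module exists; otherwise fall back to a
# constructed sample representing a machine freshly deployed from the serviced image.
$live = [bool](Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)
$status = if ($live) { Get-MpComputerStatus } else {
    [pscustomobject]@{ AntivirusSignatureVersion = '1.445.323.0'; AMEngineVersion = '1.1.26020.1'
                       AMProductVersion = '4.18.26020.6'; AntivirusSignatureAge = 9 }
}

$result = Test-DefenderFreshness -Status $status -Baseline $ImageBaseline
if (-not $result.Compliant) {
    $result.Findings | ForEach-Object { Write-Warning $_ }
    if ($live) {
        Update-MpSignature   # request a definition update through the Defender module
        $result = Test-DefenderFreshness -Status (Get-MpComputerStatus) -Baseline $ImageBaseline
    }
}
$result | Format-List
```

Update the $ImageBaseline values each time the image is re-serviced, otherwise the signature comparison stops reflecting what was actually baked in.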

Why this matters for enterprise deployments

An unpatched image can leave new machines behind before they even finish enrollment. Microsoft says devices deployed from older images remain inadequately protected until they receive their first antimalware software update, which creates a protection gap during the earliest stage of deployment.

That risk matters more in large rollouts, VDI pools, isolated environments, and staged server deployments where devices may not receive internet-based updates right away. This is an inference based on Microsoft’s guidance for offline images and network file-share update workflows.

The broader point is that Defender image servicing and live security intelligence updates do different jobs. One hardens the starting point, and the other keeps protection current once the machine goes live.

FAQ

Did Microsoft release a new Defender update for Windows 11, 10, and Server installation images?

Yes. Microsoft’s installation-image package page currently lists an offline Defender package for supported Windows and Windows Server images, with version information refreshed on March 31, 2026.

Are the image-package versions the same as the latest live Defender signatures?

No. Microsoft’s live Defender update page shows newer security intelligence and engine versions than the offline image package page.

How often should admins service installation images?

Microsoft recommends a three-month update routine for OS installation images.

Can admins still force live Defender updates manually?

Yes. Microsoft documents manual refresh commands using MpCmdRun.exe for running systems.
