Fix Microsoft Defender Cannot Update Definitions on Windows 11
🔍 WiseChecker

Fix Microsoft Defender Cannot Update Definitions on Windows 11

by

Quick fix: Open Terminal (Admin) and run "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate. This forces a direct definition download from Microsoft, bypassing Windows Update infrastructure. If still failing, also run -RemoveDefinitions -All first to reset.

Microsoft Defender shows “Security intelligence is out of date” or definition updates fail with error codes. Real-time protection is on but threat signatures are weeks or months old. Defender depends on Windows Update infrastructure for signatures by default — if Windows Update is broken, definitions go stale. The MpCmdRun command bypasses Windows Update and fetches directly from Microsoft.

Symptom: Microsoft Defender threat definitions fail to update; Windows Security shows out-of-date signatures.
Affects: Windows 11 (and Windows 10) with Microsoft Defender enabled.
Fix time: ~10 minutes.

ADVERTISEMENT

What causes this

Defender definitions normally update via Windows Update infrastructure (Microsoft Update servers, BITS for downloads). When Windows Update has issues — broken service, corrupted SoftwareDistribution folder, expired certificates — definitions fail. Defender has a fallback: direct download via the MpCmdRun.exe utility, which can fetch signatures from Microsoft’s standalone update server (definitionupdates.microsoft.com) bypassing the Windows Update path.

Method 1: Force definition update via MpCmdRun

The supported direct path.

  1. Open Terminal (Admin).
  2. Force a definition update: 
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
  3. The command shows download progress. Takes 1-5 minutes depending on bandwidth.
  4. If you see “Signature update completed,” the fix worked. Verify in Windows Security → Virus & threat protection → Virus & threat protection updates — Last update shows current time.
  5. If you see an error, run with verbose output: 
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate -MMPC

    The -MMPC flag forces use of the Microsoft Malware Protection Center server.

This bypasses Windows Update entirely. Use as the first try.

ADVERTISEMENT

Method 2: Reset definitions and re-download fresh

Use when Method 1 says “up to date” but Defender still flags definitions as stale.

  1. Open Terminal (Admin).
  2. Remove existing definitions: 
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

    This removes all signatures, including the inbox copy.

  3. Force a fresh download: 
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
  4. Defender downloads the full definition set fresh. Takes longer than incremental update (5-15 minutes).
  5. Verify in Windows Security → Virus & threat protection → Virus & threat protection updates → Check for updates. Last update timestamp is recent; Security intelligence Version is current.

The remove-and-redownload sequence handles cases where the local signature cache is corrupted.

Method 3: Fix Windows Update infrastructure so Defender can use the standard path

Long-term fix to restore normal definition update behavior.

  1. Open Terminal (Admin).
  2. Reset Windows Update components: 
    net stop wuauserv
net stop bits
net stop cryptsvc
Rename-Item C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old -ErrorAction SilentlyContinue
Rename-Item C:\Windows\System32\catroot2 C:\Windows\System32\catroot2.old -ErrorAction SilentlyContinue
net start wuauserv
net start bits
net start cryptsvc
  3. Run DISM and sfc to repair component store: 
    DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
  4. Reboot.
  5. Open Windows Security → Virus & threat protection → Virus & threat protection updates → Check for updates. Updates should now flow through Windows Update normally.

This restores the standard definition update path so you don’t need MpCmdRun on every update cycle.

How to verify the fix worked

  • Open Windows Security → Virus & threat protection → Virus & threat protection updates.
  • Last update shows a recent timestamp (within the past day).
  • Security intelligence Version matches the latest published by Microsoft (check microsoft.com/wdsi/definitions).
  • Run (Get-MpComputerStatus).AntivirusSignatureLastUpdated in PowerShell. Returns recent date.

If none of these work

If definitions still fail, three causes apply. Defender service not running: open services.msc. Confirm Windows Defender Antivirus Service (WinDefend) is Running and StartType is Automatic. Third-party AV is installed: when a third-party AV is active, Defender enters reduced mode and may not update signatures. Either uninstall the third-party AV or accept that it handles protection now. Network/firewall block: Defender update endpoints may be blocked. Confirm definitionupdates.microsoft.com resolves: nslookup definitionupdates.microsoft.com from Terminal. If blocked, contact IT or network admin. For chronic definition update issues despite all measures, manual signature install is the last resort — download the latest from microsoft.com/wdsi/definitions and install via mpam-fe.exe (the standalone Defender update installer).

Bottom line: When Windows Update breaks Defender definitions, MpCmdRun -SignatureUpdate fetches them directly from Microsoft. Combine with Windows Update reset for long-term fix.

ADVERTISEMENT

← Back to WiseChecker HomeMore in Windows & PC

🔍 Recommended for You