Defender EDR updates moved out of Patch Tuesday. Check the sensor too.
Microsoft is moving Defender for Endpoint EDR sensor updates through Microsoft Update with KB5005292, separate from the monthly Windows security update. For admins, the practical question is whether patched devices also have current sensor components.
Microsoft is changing how Defender for Endpoint EDR updates are delivered. If your reporting stops at Patch Tuesday, you will miss it.
According to Microsoft 365 Message Center item MC1381119, Defender for Endpoint endpoint detection and response updates are moving to Microsoft Update instead of being bundled only with the monthly Windows security update. The rollout started with Windows 10 in late May 2026, then expands to Windows 11 and other supported Windows versions, with completion expected by fall 2026.
A device can show current in your OS patch report and still run an outdated EDR sensor. This is a reporting change, a process change, and a shift in what help desk and SOC teams need to check.
What changed
Microsoft delivers Defender for Endpoint EDR updates through Microsoft Update using KB5005292 once prerequisite updates are installed. The update package services the EDR sensor component, MsSense.exe.
Microsoft's Defender Antivirus update documentation already separates several update types: security intelligence updates, engine updates, platform updates such as KB4052623, and Defender for Endpoint EDR sensor updates such as KB5005292. The Message Center notice moves the EDR updates to their own delivery path outside the monthly Windows security update.
Details to note:
- EDR updates are delivered through Microsoft Update with KB5005292 after prerequisites are in place.
- Microsoft lists Sense version 10.8798.25857.1000 or later as part of the prerequisite set in MC1381119.
- A new Defender Update Service is introduced.
- After the first update, a new local directory appears at %ProgramData%\Microsoft\Microsoft Defender\Defender Update.
- These updates usually do not require a restart, though rare failure cases may.
- Manual update package workflows need to include the new Defender update package.
- The rollout starts with Windows 10, then expands to Windows 11 and other supported Windows versions.
Mixed fleets will not move on the same schedule.
What I would check first
Start with update reachability. Microsoft Defender pulls its components from different paths: Windows Update, Microsoft Update, WSUS, ConfigMgr, file share, mirror, or other managed delivery. The streamlined connectivity URL list includes the Windows Update endpoints used for security intelligence, anti-malware platform updates, and EDR sensor product updates.
Confirm devices set to use Microsoft Update can reach those services. If your environment blocks direct Microsoft Update and relies on a curated flow, add KB5005292 to that flow.
Next check the sensor itself alongside the OS patch level.
I want a report that shows:
- Windows version and build
- latest installed cumulative update
- Defender platform version
- Defender engine version
- security intelligence version and date
- Defender for Endpoint sensor version, where available
- whether KB5005292 applies or is installed
- whether the Defender Update directory exists after rollout
- last inventory check-in
- update source, such as Microsoft Update, WSUS, ConfigMgr, or managed package
- exception owner for devices that cannot use the normal update path
The security intelligence update page publishes current Defender intelligence, engine, and platform versions. That gives a reference point. Your own fleet inventory is what you actually act on.
Where old assumptions break
Most teams run one patch review per month. They check Windows cumulative update compliance, server reboots, a couple of critical apps, then move on.
Security agents do not follow that schedule. Protection updates can arrive daily. Platform updates arrive monthly. EDR sensor updates now follow their own Microsoft Update path. Some devices pull directly from Microsoft Update. Others depend on WSUS, ConfigMgr, a separate package workflow, or an exception that never got updated.
Gaps appear in those spots.
A laptop can have the latest cumulative update but a stale sensor because Microsoft Update is blocked. A server can sit on an older onboarding package. A lab machine can stay powered off past the rollout window. A manual update process can install the Windows patches and skip the recurring EDR sensor package.
These are ordinary fleet issues. They become problems when the OS patch dashboard is treated as complete proof of a current security stack.
Where FileWave fits
This is inventory, smart groups, and exception tracking.
For Windows OS patching, use the standard FileWave software update process and the FileWave 16+ software update deployment best-practice guide. Keep Alpha, Beta, and Production groups organized and exceptions visible instead of buried in old deployments.
For the Defender side, focus on inventory and reporting. Use Custom Fields, Inventory Reports, and Smart Groups to surface devices by sensor state, update source, last check-in, and exception reason.
A few useful custom fields are:
- Defender platform version
- Defender engine version
- security intelligence version and age
- Defender for Endpoint sensor version
- KB5005292 detected or not applicable
- Defender Update directory present
- Microsoft Update reachable
- update source category
- security sensor exception owner
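The report fields listed under "What I would check first" and the custom fields above can be collected from a device with one script. This is an added example, not code from the article or from FileWave; it assumes the default MsSense.exe install path, treats Get-HotFix (which reads QFE data and may not list every package delivered through Microsoft Update) as a hint only, and matches the Defender Update Service by display-name wildcard because the article does not give its service name.

```powershell
# Added example: collect OS patch state and Defender component state side by side.
# Run elevated. Each property can be split into its own inventory custom field.

$minSense = [version]'10.8798.25857.1000'   # prerequisite Sense version from MC1381119

# Windows version and build (DisplayVersion + CurrentBuild.UBR)
$os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = "$($os.CurrentBuild).$($os.UBR)"

# Most recently installed update by install date; cumulative updates appear here
$latestKb = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1

# Defender AV platform, engine and security intelligence versions
$mp = Get-MpComputerStatus
$sigAgeDays = [int](New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).TotalDays

# EDR sensor version read from the MsSense.exe binary (assumed default install path)
$sensePath = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection\MsSense.exe'
$senseVersion = $null
if (Test-Path $sensePath) {
    $vi = (Get-Item $sensePath).VersionInfo
    $senseVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

# KB5005292 in QFE data is only a hint; absence does not prove the sensor is stale
$kb = Get-HotFix -Id KB5005292 -ErrorAction SilentlyContinue

# Directory created after the first update on the new delivery path
$updateDir = Join-Path $env:ProgramData 'Microsoft\Microsoft Defender\Defender Update'

# Service name is not documented in the article, so match on display name (assumption)
$updateSvc = Get-Service | Where-Object { $_.DisplayName -like '*Defender Update*' } | Select-Object -First 1

[pscustomobject]@{
    OsDisplayVersion  = $os.DisplayVersion
    OsBuild           = $osBuild
    LatestHotFix      = $latestKb.HotFixID
    LatestHotFixDate  = $latestKb.InstalledOn
    DefenderPlatform  = $mp.AMProductVersion
    DefenderEngine    = $mp.AMEngineVersion
    SigVersion        = $mp.AntivirusSignatureVersion
    SigAgeDays        = $sigAgeDays
    SenseVersion      = $senseVersion
    SenseMeetsPrereq  = ($null -ne $senseVersion -and $senseVersion -ge $minSense)
    Kb5005292InQfe    = [bool]$kb
    DefenderUpdateDir = Test-Path $updateDir
    DefenderUpdateSvc = if ($updateSvc) { $updateSvc.Status.ToString() } else { 'not found' }
}
```

A device that reports SenseMeetsPrereq as false, or an old SenseVersion next to a current LatestHotFix, is exactly the "green for Windows, behind on the sensor" case the article describes.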
The exact script or inventory item matters less than keeping the data consistent. A device green for Windows patches but behind on the Defender sensor should show up in your reports before an incident or audit finds it.
What I would tell support and security
Tell the help desk and SOC that Defender for Endpoint EDR updates are no longer tied to the monthly Windows update.
When they troubleshoot suspicious behavior, broken Defender functionality, or stale security posture, collect the Windows build, latest cumulative update, Defender platform and engine versions, security intelligence version, EDR sensor version, and the update source. A device pulling Microsoft Update directly has different failure modes than one fed by a manual package process.
If the sensor update is missing, do not stop at "Windows is patched." Check whether the prerequisites are installed, whether Microsoft Update delivery is allowed, whether KB5005292 is included in the managed update process, and whether the device has checked in recently.
The practical takeaway
Patch Tuesday still matters. It is not the complete endpoint security update picture.
Before the rollout reaches Windows 11 and the rest of the fleet, verify how your environment receives Defender for Endpoint EDR sensor updates. Add the sensor version to your regular reports. Surface stale security components next to OS patch status.
You do not want to find an outdated sensor for the first time during an incident.
Sources
- Microsoft 365 Message Center archive: MC1381119 - Microsoft Defender for Endpoint security updates move to Microsoft Update on Windows
- Microsoft Learn: Microsoft Defender for Endpoint release notes
- Microsoft Learn: Microsoft Defender Antivirus security intelligence and product updates
- Microsoft Support: Microsoft Defender for Endpoint update for EDR Sensor
- Microsoft Learn: Microsoft Defender for Endpoint streamlined connectivity URLs
- Microsoft Security Intelligence: Latest security intelligence updates
- Help Net Security: Microsoft changes how Defender for Endpoint EDR updates are delivered on Windows
- FileWave KB: Best Practice Guide: Software Update Deployment (16.0+)
- FileWave KB: Custom Fields
- FileWave KB: Inventory Reports