- Support phase: **Security and Critical Updates**
108
+
109
+
#### What's new
110
+
111
+
- Windows multisession SKUs are now properly classified as client SKUs for signature versioning
112
+
-`EnableDynamicSignatureDroppedEventReporting` configuration is now available in Intune (see [Event ID 2011](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-2011))
113
+
- The display name and description is now displayed correctly for the [device control](/defender-endpoint/device-control-overview) filter driver in Windows services
114
+
- Improved performance for kernel driver
115
+
- Improvements to [network protection](/defender-endpoint/network-protection#overview-of-network-protection) performance related to packet loss during high network utilization
116
+
- Reliability improvements to network protection during service shutdown
117
+
- Enriched [Event ID 1000](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-1000) to include `ScanOnlyIfIdle` and scan priority
118
+
- Improved device control Windows Portal Device (WPD) device discovery in File explorer. (For more information about device control, see [Device control policy samples and scenarios](/defender-endpoint/device-control-overview#device-control-policy-samples-and-scenarios).)
119
+
- Resolved discrepancy in [device health reports](/defender-endpoint/device-health-reports) between signature publish and signature install date and time
120
+
- Performance improvements when scanning files/folders with extended attributes
121
+
- Reliability improvement in the Defender kernel driver to avoid crashing when there's excessive disk input/output
122
+
- Added exponential backoff support to Core Service 1DS manager telemetry module to address memory consumption and DNS flooding issues
- Fixed Microsoft Defender platform update timestamp to reflect the actual update time.
113
136
- The [1002 event](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-1002) (An anti-malware scan was stopped before it finished) now includes details of the stop reason.
114
137
- Added more details to the [1000 event](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-1000) (Scan started), like scan trigger and scan on idle.
115
-
- Improved ASR file processing to correctly handle ["allow" Indicators of Compromise](/defender-endpoint/indicators-overview) (IoCs).
138
+
- Improved attack surface reduction file processing to correctly handle ["allow" Indicators of Compromise](/defender-endpoint/indicators-overview) (IoCs).
116
139
- Improvement in health reporting for machines that are rebooted or hibernated.
117
140
- Improved performance for [Smart App Control](/windows/apps/develop/smart-app-control/overview) (SAC) trusted file handling.
118
141
- Improved [device control](/defender-endpoint/device-control-overview) logic for offline printers.
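Review bot: The `EnableDynamicSignatureDroppedEventReporting` bullet added at new line 112 begins with "-" directly followed by the backtick, with no space after the hyphen, so Markdown will not render it as a list item like its neighbours; add the space. Two wording points in the same added list: "The display name and description is now displayed correctly" should read "are now displayed correctly", and the bullet at new line 118 expands WPD as "Windows Portal Device" where the Windows component is Windows Portable Devices (and "File explorer" should be "File Explorer").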
@@ -136,25 +159,6 @@ Updates contain:
136
159
- Improved performance when scanning UPX-packed files (Ultimate Packer for eXecutables) and updated the validation process to verify the integrity of the packed file itself.
137
160
- Added support for distinguishing regular cloud allow signatures from clean [Indicators of Compromise](indicators-overview.md) (IoC) in [attack surface reduction](attack-surface-reduction.md) (ASR).
- Support phase: **Security and Critical Updates**
146
-
147
-
#### What's new
148
-
149
-
- Fixed deadlock issue on [VDI](deployment-vdi-microsoft-defender-antivirus.md) that occurred when loading corrupted update files from UNC share.
150
-
- Systems controlled by `SharedSignatureRoot` can be updated by running signature update commands.
151
-
- If you're currently using a shared signature path to update VDI environments, you can now use signature update commands through [MpCmdRun](/defender-endpoint/command-line-arguments-microsoft-defender-antivirus), PowerShell, and the user interface to update to latest drops in your signature update shares.
152
-
- Shared root signature setting updates are now applied without requiring a system restart. (If this setting is turned off and on multiple times, a system reboot is necessary.)
153
-
- Improved logic for handling [restore from quarantine](/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus).
154
-
- Fixed fallback issue with [Update-MpSignature](/powershell/module/defender/update-mpsignature).
155
-
- Increased [device control policy](device-control-policies.md) limits.
156
-
- Improved security resilience for Defender update process.
157
-
158
162
### Previous version updates: Technical upgrade support only
159
163
160
164
After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).
@@ -296,7 +300,7 @@ After a new package version is released, support for the previous two versions i
296
300
|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)| You can schedule when protection updates should be downloaded. |
297
301
|[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)| If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
298
302
|[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)| You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
299
-
|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power that's especially useful for mobile devices and virtual machines. |
303
+
|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power that's especially useful for mobile devices and virtual machines. |
300
304
|[Microsoft Defender for Endpoint update for EDR Sensor](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac)| You can update the EDR sensor (MsSense.exe) that's included in the new Microsoft Defender for Endpoint unified solution package released in 2021. |
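Review bot: The removed and added versions of the "Manage updates for mobile devices and virtual machines (VMs)" row read identically as shown, so this appears to be a whitespace-only change; since the row is being touched, the description should be fixed at the same time. "whether updates should occur on battery power that's especially useful for mobile devices and virtual machines" runs two clauses together; suggest "whether updates should occur on battery power, which is especially useful for mobile devices and virtual machines."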
- Support phase: **Technical upgrade support (only)**
39
+
40
+
#### What's new
41
+
42
+
- Fixed deadlock issue on [VDI](deployment-vdi-microsoft-defender-antivirus.md) that occurred when loading corrupted update files from UNC share.
43
+
- Systems controlled by `SharedSignatureRoot` can be updated by running signature update commands.
44
+
- If you're currently using a shared signature path to update VDI environments, you can now use signature update commands through [MpCmdRun](/defender-endpoint/command-line-arguments-microsoft-defender-antivirus), PowerShell, and the user interface to update to latest drops in your signature update shares.
45
+
- Shared root signature setting updates are now applied without requiring a system restart. (If this setting is turned off and on multiple times, a system reboot is necessary.)
46
+
- Improved logic for handling [restore from quarantine](/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus).
47
+
- Fixed fallback issue with [Update-MpSignature](/powershell/module/defender/update-mpsignature).
48
+
- Increased [device control policy](device-control-policies.md) limits.
49
+
- Improved security resilience for Defender update process.
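Review bot: The links in this added list mix two styles: the VDI and device control policy bullets use relative file links (`deployment-vdi-microsoft-defender-antivirus.md`, `device-control-policies.md`), while the MpCmdRun and restore-from-quarantine bullets use site-absolute paths (`/defender-endpoint/...`), which is also the style used in the new "What's new" list added elsewhere in this commit. Pick one style for the moved block. In the shared signature path bullet, "update to latest drops" is also missing "the", and the `SharedSignatureRoot` restart bullet uses both "system restart" and "system reboot" for the same action.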
defender-endpoint/troubleshoot-microsoft-defender-antivirus.yml (6 additions & 6 deletions)
@@ -7,7 +7,7 @@ metadata:
7
7
ms.reviewer: yongrhee
8
8
ms.service: defender-endpoint
9
9
ms.topic: troubleshooting
10
-
ms.date: 02/04/2025
10
+
ms.date: 06/10/2025
11
11
ms.localizationpriority: medium
12
12
ms.custom: nextgen
13
13
manager: deniseb
@@ -1136,14 +1136,14 @@ sections:
1136
1136
1137
1137
Change to default behavior: Change to dynamic signature event reporting default behavior.
1138
1138
1139
-
When a dynamic signature is received by MDE, a 2010 event is reported. However, when the dynamic signature expires or is manually deleted a 2011 event is reported. In some cases, when a new signature is delivered to MDE sometimes hundreds of dynamic signatures expire at the same time; therefore hundreds of 2011 events are reported. The generation of so many 2011 events can cause a Security information and event management (SIEM) server to become flooded.
1139
+
When a dynamic signature is received by Defender for Endpoint, a 2010 event is reported. However, when the dynamic signature expires or is manually deleted, a 2011 event is reported. In some cases, when a new signature is delivered to Defender for Endpoint, sometimes hundreds of dynamic signatures expire at the same time, resulting in hundreds of 2011 events reported. The generation of so many 2011 events can cause a Security Information and Event Management (SIEM) server to become flooded.
1140
1140
1141
-
To avoid the previously described situation - starting with platform version 4.18.2207.7 - by default, Defender for Endpoint doesn't report 2011 events:
1141
+
To avoid this situtation, beginning with [platform version 4.18.2207.7](/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support#august-2022-platform-41822077--engine-11196003), by default, Defender for Endpoint doesn't report 2011 events. Keep the following points in mind:
1142
1142
1143
-
- This new default behavior is controlled by registry entry: `HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\EnableDynamicSignatureDroppedEventReporting`.
1144
-
- The default value for `EnableDynamicSignatureDroppedEventReporting` is **false**, which means 2011 *events aren't reported*. If it's set to true, 2011 *events are reported*.
1143
+
- This new default behavior is controlled by the following registry entry: `HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\EnableDynamicSignatureDroppedEventReporting`
1144
+
- The default value for `EnableDynamicSignatureDroppedEventReporting` is `false`, which means 2011 events aren't reported. If it's set to `true`, 2011 events are reported.
1145
1145
1146
-
Because 2010 signature events are timely distributed sporadically - and won't cause a spike - 2010 signature event behavior is unchanged.
1146
+
Because 2010 signature events are timely distributed sporadically, this configuration doesn't cause a spike, and the 2010 signature event behavior is unchanged.
1147
1147
1148
1148
Description: Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
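Review bot: The rewritten closing sentence at new line 1146 changes the meaning: the removed text said that 2010 events themselves won't cause a spike, while the new text says "this configuration doesn't cause a spike", which reads as a statement about `EnableDynamicSignatureDroppedEventReporting` rather than the reason 2010 reporting was left alone. It also keeps the phrase "timely distributed sporadically". Suggest something like "Because 2010 signature events are distributed sporadically and don't cause a spike, 2010 signature event behavior is unchanged." Also in this hunk, new line 1141 has the typo "situtation", and new line 1139 doubles up "In some cases, ... sometimes hundreds"; drop one of the two.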