How to Check Microsoft Defender Antivirus Signature Versions Using 5 Methods

The Windows Security app provides the most user-friendly method to check your current Microsoft Defender signature versions. This built-in tool displays security intelligence versions and last update timestamps without requiring administrative privileges.

Open the Windows Security app by typing Windows Security in the Start menu search bar and clicking the result. Navigate to Virus & threat protection from the main dashboard.

Click on Protection updates under the Virus & threat protection settings section. Here you'll see the current Security Intelligence version (for example, 1.441.355.0) along with the last update timestamp.

PowerShell provides the most comprehensive method for checking Defender signature versions, especially useful for scripting and automation. The Get-MpComputerStatus cmdlet returns detailed information about all signature types.

Open PowerShell as Administrator by right-clicking the Start button and selecting Windows PowerShell (Admin). Run the following command:

Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntispywareSignatureVersion, AMProductVersion, AntivirusSignatureLastUpdated, AntispywareSignatureLastUpdated

This command displays the antivirus signature version, antispyware signature version, engine version (AMProductVersion), and the last update timestamps for both signature types. The current versions should show 1.441.355.0 for signatures and 1.1.25100.9002 for the engine.

For a more detailed view including NIS (Network Inspection System) signatures, run:

Get-MpComputerStatus | Format-List *Signature*, *Version*, *Updated*

The MpCmdRun.exe command-line tool provides direct access to Microsoft Defender's signature management functions. This method is particularly useful for troubleshooting and automated scripts.

Open Command Prompt as Administrator and navigate to the current platform directory. The path changes with each platform update, so use this command to find the current version:

cd "%ProgramData%\Microsoft\Windows Defender\Platform"

List the available platform versions:

dir

Navigate to the highest version number directory (should be around 4.18.25100.9008 or newer):

cd 4.18.25100.9008

Check the current signature status:

MpCmdRun.exe -SignatureUpdate

This command attempts to update signatures and displays the current version information in the output. For a status-only check without updating, you can also run:

MpCmdRun.exe -GetFiles

Event Viewer provides historical tracking of signature updates and can help identify patterns or issues with automatic updates. Microsoft Defender logs signature check events every hour with detailed version information.

Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter. Navigate to the Microsoft Defender operational log:

Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational

Filter the log for Event ID 1151, which represents signature update checks. Right-click on Operational and select Filter Current Log. In the Event IDs field, enter:

1151

Click OK to apply the filter. Double-click on recent Event ID 1151 entries to view detailed signature version information. The event details will show the complete definition version string and update status.

Look for these key fields in the event details:

• Current Signature Version: Shows the active signature version
• Previous Signature Version: Displays the version before the last update
• Update Source: Indicates whether updates came from Windows Update, WSUS, or manual installation

The Windows Registry stores Microsoft Defender signature version information that can be accessed programmatically or manually. This method is useful for custom monitoring solutions and provides the most direct access to version data.

Open Registry Editor as Administrator by typing regedit in the Start menu, right-clicking the result, and selecting Run as administrator. Navigate to the signature updates registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates

Within this key, examine these important values:

• SignatureVersion: Current security intelligence version
• AntivirusSignatureVersion: Specific antivirus signature version
• AntispywareSignatureVersion: Antispyware signature version
• AntivirusSignatureLastUpdated: Timestamp of last antivirus update
• AntispywareSignatureLastUpdated: Timestamp of last antispyware update

For automated monitoring, you can query these registry values using PowerShell:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates" | Select-Object *SignatureVersion*, *LastUpdated*

This PowerShell command provides the same information as manual registry browsing but in a scriptable format.

For organizations managing multiple Windows devices, the Intune admin center provides centralized monitoring of Microsoft Defender signature versions across your entire fleet. This method requires Microsoft Intune licensing and enrolled devices.

Sign in to the Intune admin center at https://endpoint.microsoft.com using your organizational credentials. Navigate to the endpoint protection reporting section:

Reports → Endpoint analytics → Microsoft Defender for Endpoint

Alternatively, access device-specific information through:

Devices → All devices → Select a device → Endpoint protection

The reports display signature version information for each enrolled device, including:

• Current Security Intelligence version
• Last update timestamp
• Update compliance status
• Devices with outdated signatures

Create custom reports by clicking Create report and selecting Microsoft Defender Antivirus as the report type. Configure filters for:

- Signature version older than X days
- Devices with failed updates
- Compliance status by organizational unit

For automated monitoring, use the Microsoft Graph API to query device compliance data:

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
Get-MgDeviceManagementManagedDevice | Select-Object deviceName, lastSyncDateTime, complianceState

When signature versions are outdated or updates fail, systematic troubleshooting ensures your Microsoft Defender protection remains current. Common issues include network connectivity problems, corrupted signature cache, and SHA-2 signing compatibility.

First, check if your system supports SHA-2 signed updates (required since October 2019). Run this PowerShell command to verify:

Get-HotFix | Where-Object {$_.HotFixID -eq "KB4474419" -or $_.HotFixID -eq "KB4490628"}

If no results appear and you're running Windows 10 version 1703-1809, install the SHA-2 support update through Windows Update.

Clear corrupted signature cache using MpCmdRun:

cd "%ProgramData%\Microsoft\Windows Defender\Platform\4.18.25100.9008"
MpCmdRun.exe -RemoveDefinitions -DynamicSignatures
MpCmdRun.exe -SignatureUpdate

Force an immediate signature update through PowerShell:

Update-MpSignature -UpdateSource MicrosoftUpdateServer

If automatic updates continue failing, manually download the latest signatures from the official Microsoft WDSI page:

• 64-bit systems: Download mpam-feX64.exe
• 32-bit systems: Download mpam-fe.exe

Run the downloaded file as Administrator to install the latest signatures manually.