How to update Microsoft Defender Antivirus inside an install image of Windows 10

Microsoft Defender update for Windows 10 install image
Microsoft Defender update for Windows 10 install image (Image credit: Windows Central)

Although after the installation of Windows 10, the built-in version of Microsoft Defender Antivirus will download and apply the most recent updates automatically, the process does not happen immediately, leaving the system temporarily vulnerable to attacks during this period.

Since it could be many hours before the system receives the update, Microsoft created a tool, which allows system administrators (and technical users) to service an image to maintain an updated version of the anti-malware solution, even before deployment with a few commands reducing exposure.

The solution is available for Windows 10 Home, Pro, and Enterprise as well as for Windows Server 2019 and 2016. It includes the most recent updates (until the release of the standalone package) and a PowerShell script that automates the process to update the installation image (install.wim) or Virtual Hard Disk (VHD) files.

In this Windows 10 guide, we will walk you through the steps to update an installation image with the latest security intelligence package available since the tool's release.

How to update Microsoft Defender on Windows 10 image

To update the Microsoft Defender Antivirus for system installation image, use the steps:

  1. Connect a USB installation media of Windows 10 to the computer.Quick tip: You can also update a virtual hard drive (vhd) containing an installation of Windows 10.
  2. Download Microsoft Defender kit for 64-bit version or 32-bit version of Windows 10.
  3. Double-click the open the zip folder with File Explorer.
  4. Click the Extract all button from the Compressed Folder Tools tab.

Source: Windows Central (Image credit: Source: Windows Central)
  1. Click the Browse button.
  2. Select a location to extract the files.
  3. Check the Show extracted files when complete option.

Source: Windows Central (Image credit: Source: Windows Central)
  1. Click the Extract button.
  2. Confirm the path of the extracted content in the address bar of File Explorer.
  3. Open Start.
  4. Search for PowerShell, right-click the top result, and select the Run administrator option.
  5. Type the following command to open the directory with the extracted files and press Enter:cd PATH\TO\DEFENDER-UPDATE-KITIn the command, make sure to specify the path of the folder with the extracted files.For example, this command opens the folder with the extracted files inside the Downloads folder.cd C:\Users\username\Downloads\defender-update-kit-x64
  6. Type the following command to update the Microsoft Defender Antivirus inside a Windows 10 image and press Enter:.\DefenderUpdateWinImage.ps1 -WorkingDirectory "TEMP-LOCATION" -Action AddUpdate -ImagePath "PATH\TO\INSTALL.WIM" -Package "PATH\TO\DEFENDER\CAB\UPDATE"In the command, replace "TEMP-LOCATION" with the path to a folder that the script will use to process the update. Then replace "PATH\TO\INSTALL.WIM" with the path to the image.wim file you want to update. Finally, replace "PATH\TO\DEFENDER\CAB\UPDATE" with the path to the Microsoft Defender update. This is the cab file available with the update package.For example, this command updates the install.wim image in a USB bootable media:.\DefenderUpdateWinImage.ps1 -WorkingDirectory "G:\temp" -Action AddUpdate -ImagePath "E:\sources\install.wim" -Package "C:\Users\username\Downloads\defender-update-kit-x64\Defender-Dism-x64.cab"Quick note: If you were updating a virtual machine, you would would only need to adjust the path for the vhd image. For example, .\DefenderUpdateWinImage.ps1 -WorkingDirectory "G:\temp" -Action AddUpdate -ImagePath "E:\vms\windows10.vhd" -Package "C:\Users\username\Downloads\defender-update-kit-x64\Defender-Dism-x64.cab"

Source: Windows Central (Image credit: Source: Windows Central)
  1. Confirm the update has been applied successfully.

Source: Windows Central (Image credit: Source: Windows Central)

Once you complete the steps, the PowerShell script will update the Windows 10 image with the most recent platform, engine, and signature version of Microsoft Defender Antivirus.

At the time of this writing, the solution updates Microsoft Defender to version 1.1.2102.3, platform version 4.18.2011.6, engine version 1.1.17800.5, and signature version 1.331.174.0.

How to view Microsoft Defender update details on Windows 10 image

To confirm the Microsoft Defender Antivirus update details inside the image, use these steps:

  1. Open Search.
  2. Search for PowerShell, right-click the top result, and select the Run administrator option.
  3. Type the following command to open the directory with the extracted files and press Enter:cd PATH\TO\DEFENDER-UPDATE-KITIn the command, make sure to specify the path of the folder with the extracted files.For example, this command opens the folder with the extracted files inside the Downloads folder.cd C:\Users\username\Downloads\defender-update-kit-x64
  4. Type the following command to view the Microsoft Defender Antivirus information and press Enter:.\DefenderUpdateWinImage.ps1 -WorkingDirectory "TEMP-LOCATION" -Action ShowUpdate -ImagePath "PATH\TO\INSTALL.WIM"In the command, replace "TEMP-LOCATION" with the path to a folder that the script will use for the process, and make sure to change "PATH\TO\INSTALL.WIM" for the location to the Windows 10 image, you want to see the updated information.For example, this command processes and shows update details on a USB installation media with the "E" drive letter:.\DefenderUpdateWinImage.ps1 -WorkingDirectory "G:\temp" -Action ShowUpdate -ImagePath "E:\sources\install.wim"

Source: Windows Central (Image credit: Source: Windows Central)

After you complete the steps, the output should list the update applied to the images, including package, security, engine, and platform version.

How to remove Microsoft Defender update on Windows 10 image

To remove the recently applied antivirus update, use these steps:

  1. Open Search.
  2. Search for PowerShell, right-click the top result, and select the Run administrator option.
  3. Type the following command to open the directory with the extracted files and press Enter:3.cd PATH\TO\DEFENDER-UPDATE-KITIn the command, make sure to specify the path of the folder with the extracted files.For example, this command opens the folder with the extracted files inside the Downloads folder.cd C:\Users\username\Downloads\defender-update-kit-x64
  4. Type the following command to rollback the Microsoft Defender Antivirus to its previous version and press Enter:.\DefenderUpdateWinImage.ps1 -WorkingDirectory "TEMP-LOCATION" -Action RemoveUpdate -ImagePath "PATH\TO\INSTALL.WIM"In the command, replace "TEMP-LOCATION" with the path to a folder that the script will use for the process, and make sure to change "PATH\TO\INSTALL.WIM" for the location of the image.win you recently updated.For example, this command removes the Microsoft Defender Antivirus update on a USB bootable media with the "E" drive letter:.\DefenderUpdateWinImage.ps1 -WorkingDirectory "G:\temp" -Action RemoveUpdate -ImagePath "E:\sources\install.wim"

Source: Windows Central (Image credit: Source: Windows Central)

Once you complete the steps, the script should remove the recently applied antivirus update on the Windows 10 image you specified in the command.

This process should work without issues on most devices running the most recent version of Windows 10. However, if you have problems running the commands, double-check you are typing the command correctly, and make sure you are using PowerShell version 5.1 with the "Microsoft.Powershell.Security" and DISM modules installed.

Alternatively, you can also quickly trigger the antivirus update using PowerShell commands and Command Prompt commands.

Mauro Huculak

Mauro Huculak has been a Windows How-To Expert contributor for WindowsCentral.com for nearly a decade and has over 15 years of experience writing comprehensive guides. He also has an IT background and has achieved different professional certifications from Microsoft, Cisco, VMware, and CompTIA. He has been recognized as a Microsoft MVP for many years.