Introduction
Microsoft is changing how Endpoint Detection and Response (EDR) feature updates are delivered to Windows devices. Starting in late May 2026, security updates associated with Microsoft Defender for Endpoint will be delivered via the Microsoft Update channel, separate from monthly cumulative Windows updates.
This change initially affects Windows 10, with expansion to Windows 11 and other compatible operating systems planned by fall 2026.

Good to know
This change aims to accelerate EDR update deployment and reduce the size of cumulative Windows updates.
Technical analysis
In the previous model, updates to the Defender for Endpoint EDR sensor component (file MsSense.exe) were part of monthly cumulative Windows updates. Going forward, these updates will be independently downloaded via Microsoft Update, following a similar cadence to platform updates and Defender Antivirus signature updates.
Benefits of the new model
- Accelerated deployment: Critical EDR fixes can be distributed more quickly.
- Reduced load: Cumulative Windows updates become less voluminous.
- Flexibility: Administrators will have better control over update provisioning policies.
For devices to receive these new standalone updates, it is essential to configure their settings to accept updates for Microsoft products.
Verifying your update ring configuration
To ensure compatibility with these changes, it is important to verify that your policies allow updates via Microsoft Update. This includes both environments configured via Microsoft Intune and those using on-premises tools such as WSUS.
Verification in Intune Admin Center
In the Intune interface, examine your update rings for Windows 10 and later. Ensure that the setting Update for other Microsoft products is set to Allowed.
Audit via Microsoft Graph API
Use the following PowerShell script to identify active policies and determine if the Microsoft Update service is enabled:
# Sign in with read-only access to device configuration (Microsoft.Graph PowerShell SDK)
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

# Only return Windows Update for Business (update ring) configurations;
# the backtick keeps PowerShell from expanding $filter inside the double-quoted string
$Uri = "/beta/deviceManagement/deviceConfigurations?`$filter=isof('microsoft.graph.windowsUpdateForBusinessConfiguration')"

$Response = Invoke-MgGraphRequest -Method GET -Uri $Uri

if ($Response.value) {
    $Response.value | ForEach-Object {
        [PSCustomObject]@{
            PolicyName      = $_.displayName
            Id              = $_.id
            # microsoftUpdateServiceAllowed maps to "Update for other Microsoft products" in the update ring
            MicrosoftUpdate = if ($_.microsoftUpdateServiceAllowed) { "Allowed" } else { "Blocked" }
        }
    } | Format-Table -AutoSize
} else {
    Write-Host "No Windows update ring policies found." -ForegroundColor Yellow
}
Warning
If the MicrosoftUpdate column shows "Blocked" for any of your configurations, you will need to enable this setting before the full rollout; otherwise those devices will not receive the standalone EDR updates.
Important steps for administrators
To avoid delays in EDR security updates on your endpoints, here are the actions to take:
- Review Intune policies: Run the provided PowerShell script to verify update permissions via Microsoft Update.
- Update WSUS synchronization rules: If you use a local WSUS server, ensure you include Defender product classifications.
- Monitor test environments: Verify MsSense.exe engine versions on test devices during June to confirm that standalone updates are working.
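To check the last two steps on a test device, the following script is an added example (not part of the original article or any Microsoft tooling): it reads the installed MsSense.exe version, confirms the Sense service is running, and checks through the Windows Update Agent COM API whether the Microsoft Update service is registered with Automatic Updates. It assumes the default MsSense.exe location under Program Files and the well-known Microsoft Update service ID; the baseline version you compare against is whatever you recorded before the rollout.

```powershell
function Get-EdrUpdateReadiness {
    param(
        # Assumed default install path of the Defender for Endpoint sensor
        [string]$SensePath = "$env:ProgramFiles\Windows Defender Advanced Threat Protection\MsSense.exe",
        # Version recorded on the device before the standalone updates started (optional)
        [string]$BaselineVersion
    )

    # Well-known service ID of Microsoft Update in the Windows Update Agent
    $msUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

    # Current sensor build, if the file exists
    $senseVersion = if (Test-Path $SensePath) {
        (Get-Item $SensePath).VersionInfo.ProductVersion
    } else { $null }

    # The EDR sensor runs as the "Sense" service
    $senseService = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Ask the Windows Update Agent which update services are registered on this device
    $serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
    $msUpdate = $serviceManager.Services | Where-Object { $_.ServiceID -eq $msUpdateServiceId }

    $versionChanged = if ($BaselineVersion -and $senseVersion) {
        [version]$senseVersion -gt [version]$BaselineVersion
    } else { $null }

    [PSCustomObject]@{
        ComputerName                = $env:COMPUTERNAME
        SenseVersion                = $senseVersion
        SenseStatus                 = if ($senseService) { $senseService.Status.ToString() } else { 'NotInstalled' }
        MicrosoftUpdateRegistered   = [bool]$msUpdate
        MicrosoftUpdateUsedByAU     = if ($msUpdate) { [bool]$msUpdate.IsRegisteredWithAU } else { $false }
        UpdatedSinceBaseline        = $versionChanged
    }
}

# Example call; replace the baseline with the version you recorded on the device
Get-EdrUpdateReadiness -BaselineVersion '10.0.0.0' | Format-List
```

A device where MicrosoftUpdateRegistered or MicrosoftUpdateUsedByAU is False will keep waiting for the sensor build inside the cumulative update, so those are the values to alert on across your test ring.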
Tip
Configure monitoring notifications for your strategic devices to quickly detect any issues related to EDR updates.
Conclusion
The transition of Microsoft Defender for Endpoint EDR to the Microsoft Update channel enables faster deployments and better patch management efficiency. Ensure that your update configurations are ready before the planned global rollout.
For more information, explore control options via Intune or Microsoft Graph API for proactive management of your update rings.