====== Defender platform corruption causing "Virus scan failed" downloads ======
**Summary:** Microsoft Defender for Endpoint platform/update corruption causing Defender AV provider failures and browser download scanning failures. Defender platform upgrade partially failed, leaving endpoint registered against an outdated platform version and marking the newer platform as blocked.
----
User reported downloads failing in browser with:
Virus scan failed
{{:microsoft365:defender:virus_scan_failed.png?400|}}
----
===== Checked workstation =====
Defender cmdlets were completely broken:
PS C:\> Get-MpComputerStatus
Get-MpComputerStatus : Provider load failure
HRESULT 0x80041013
PS C:\> Get-MpThreat
Get-MpThreat : Provider load failure
HRESULT 0x80041013
Services themselves looked fine:
PS C:\> Get-Service Winmgmt,WinDefend,Sense,wscsvc | ft Name,Status,StartType
Name Status StartType
---- ------ ---------
Sense Running Automatic
WinDefend Running Automatic
Winmgmt Running Automatic
wscsvc Running Automatic
WMI repo also reported healthy:
PS C:\> winmgmt /verifyrepository
WMI repository is consistent
----
===== Checked Intune =====
Device showing:
* Antivirus = Error
* Real-time protection = Error
* Security intelligence = Error
With SyncML 500 errors.
Good clue Intune couldn't query Defender's state on this workstation properly.
----
===== Checked workstation again =====
PS C:\> Get-ChildItem "C:\ProgramData\Microsoft\Windows Defender\Platform"
Directory: C:\ProgramData\Microsoft\Windows Defender\Platform
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 14/04/2026 7:28 AM 4.18.26030.3011-0
d----- 21/05/2026 11:51 AM 4.18.26040.7-0
d----- 21/05/2026 11:51 AM 4.18.26040.7-1
Compared against a known working/compliant machine and noticed broken machine still referencing old platform version.
Registry confirmed it:
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s /f "4.18.26030.3011-0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
InstallLocation REG_SZ C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011-0\
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s /f "4.18.26040.7"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
BlockedLocation REG_SZ C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-1
Theory:
* Defender tried upgrading its platform version
* upgrade failed
* new platform got marked as blocked
* Defender stayed partially registered against old platform
* provider functionality broke
Also noticed MpCmdRun still launching old platform:
PS C:\> & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -GetFiles
Launching "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011-0\MpCmdRun.exe" -GetFiles -Reinvoke...
ERROR: ValidateMapsConnection failed (0x800106ba)
----
===== Fix =====
Ran:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RevertPlatform
Rebooted the workstation.
After reboot everything fixed itself.
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /v InstallLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
InstallLocation REG_SZ C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-2\
BlockedLocation gone.
Defender healthy again:
PS C:\> Get-MpComputerStatus
AMEngineVersion : 1.1.26040.8
AMProductVersion : 4.18.26040.7
AMRunningMode : Normal
AntivirusEnabled : True
RealTimeProtectionEnabled : True
MAPS validation successful:
C:\> "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
ValidateMapsConnection successfully established a connection to MAPS
Downloads immediately started working again for the user.