
Defender platform corruption causing "Virus scan failed" downloads

Summary: Microsoft Defender for Endpoint platform/update corruption causing Defender AV provider failures and browser download scanning failures. A Defender platform upgrade partially failed, leaving the endpoint registered against an outdated platform version and marking the newer platform as blocked.


User reported downloads failing in browser with:

Virus scan failed


Checked workstation

Defender cmdlets were completely broken:

PS C:\> Get-MpComputerStatus
 
Get-MpComputerStatus : Provider load failure
HRESULT 0x80041013
 
PS C:\> Get-MpThreat
 
Get-MpThreat : Provider load failure
HRESULT 0x80041013

Services themselves looked fine:

PS C:\> Get-Service Winmgmt,WinDefend,Sense,wscsvc | ft Name,Status,StartType
 
Name       Status StartType
----       ------ ---------
Sense     Running Automatic
WinDefend Running Automatic
Winmgmt   Running Automatic
wscsvc    Running Automatic

WMI repo also reported healthy:

PS C:\> winmgmt /verifyrepository
 
WMI repository is consistent

Checked Intune

Device showing:

  • Antivirus = Error
  • Real-time protection = Error
  • Security intelligence = Error

With SyncML 500 errors.

Good clue: Intune couldn't query Defender's state on this workstation properly.


Checked workstation again

PS C:\> Get-ChildItem "C:\ProgramData\Microsoft\Windows Defender\Platform"
 
    Directory: C:\ProgramData\Microsoft\Windows Defender\Platform
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        14/04/2026   7:28 AM                4.18.26030.3011-0
d-----        21/05/2026  11:51 AM                4.18.26040.7-0
d-----        21/05/2026  11:51 AM                4.18.26040.7-1

Compared against a known working/compliant machine and noticed the broken machine was still referencing the old platform version.

Registry confirmed it:

PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s /f "4.18.26030.3011-0"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    InstallLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011-0\
 
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s /f "4.18.26040.7"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    BlockedLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-1

Theory:

  • Defender tried upgrading its platform version
  • upgrade failed
  • new platform got marked as blocked
  • Defender stayed partially registered against old platform
  • provider functionality broke

Also noticed MpCmdRun still launching old platform:

PS C:\> & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -GetFiles
 
Launching "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011-0\MpCmdRun.exe" -GetFiles -Reinvoke...
 
ERROR: ValidateMapsConnection failed (0x800106ba)

Fix

Ran:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RevertPlatform

Rebooted the workstation.

After reboot everything fixed itself.

PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /v InstallLocation
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    InstallLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-2\

BlockedLocation gone.

Defender healthy again:

PS C:\> Get-MpComputerStatus
 
AMEngineVersion              : 1.1.26040.8
AMProductVersion             : 4.18.26040.7
AMRunningMode                : Normal
AntivirusEnabled             : True
RealTimeProtectionEnabled    : True

MAPS validation successful:

C:\> "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
 
ValidateMapsConnection successfully established a connection to MAPS

Downloads immediately started working again for the user.
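
A read-only check for the same state on other endpoints, added here as an example and not part of the original notes. It reads the InstallLocation and BlockedLocation values shown above and compares them with the folders under Platform. The helper name ConvertTo-PlatformBuild and the SuspectCorruption rule (BlockedLocation present while InstallLocation is older than the newest folder on disk) are assumptions drawn from this one incident.

```powershell
# Added example: flag the stale InstallLocation / BlockedLocation state described on this page.
# Read-only: nothing on the endpoint is changed.
$regPath      = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

# Hypothetical helper: split a folder name such as "4.18.26040.7-1" into version and revision.
function ConvertTo-PlatformBuild {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    $leaf = Split-Path $Path.TrimEnd('\') -Leaf
    if ($leaf -notmatch '^(\d+(?:\.\d+){1,3})-(\d+)$') { return $null }
    [pscustomobject]@{
        Name     = $leaf
        Version  = [version]$Matches[1]
        Revision = [int]$Matches[2]
    }
}

$reg       = Get-ItemProperty -Path $regPath -ErrorAction Stop
$installed = ConvertTo-PlatformBuild $reg.InstallLocation
# BlockedLocation is absent on a healthy machine, so look it up without assuming it exists.
$blockedProp = $reg.PSObject.Properties['BlockedLocation']
$blockedPath = if ($blockedProp) { $blockedProp.Value } else { $null }

# Newest platform folder on disk, ordered by version and then by the "-N" revision suffix.
$onDisk = Get-ChildItem -Path $platformRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-PlatformBuild $_.FullName } |
    Where-Object { $_ } |
    Sort-Object Version, Revision
$newest = $onDisk | Select-Object -Last 1

# True when the registered platform is older than the newest folder on disk.
$behind = $installed -and $newest -and (
    $installed.Version -lt $newest.Version -or
    ($installed.Version -eq $newest.Version -and $installed.Revision -lt $newest.Revision))

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    InstallLocation   = $reg.InstallLocation
    BlockedLocation   = $blockedPath
    NewestOnDisk      = if ($newest) { $newest.Name } else { $null }
    PlatformsOnDisk   = ($onDisk.Name -join ', ')
    # Assumed rule: a blocked newer platform plus an older active one, as seen on this workstation.
    SuspectCorruption = [bool]($blockedPath -and $behind)
}
```

With the values from this page, the broken workstation would report SuspectCorruption = True and the repaired one False.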

microsoft365/defender/defender_platform_corruption.txt · Last modified: by medic
