

Defender platform corruption causing "Virus scan failed" downloads

User reported downloads failing in browser with:

Virus scan failed

Checked workstation

Defender cmdlets were completely broken:

PS C:\> Get-MpComputerStatus
 
Get-MpComputerStatus : Provider load failure
HRESULT 0x80041013
 
PS C:\> Get-MpThreat
 
Get-MpThreat : Provider load failure
HRESULT 0x80041013

Services themselves looked fine:

PS C:\> Get-Service Winmgmt,WinDefend,Sense,wscsvc | ft Name,Status,StartType
 
Name       Status StartType
----       ------ ---------
Sense     Running Automatic
WinDefend Running Automatic
Winmgmt   Running Automatic
wscsvc    Running Automatic

WMI repo also reported healthy:

PS C:\> winmgmt /verifyrepository
 
WMI repository is consistent

Checked Intune

Device showing:

  • Antivirus = Error
  • Real-time protection = Error
  • Security intelligence = Error

With SyncML 500 errors.

Good clue: Intune couldn't properly query Defender's state on this workstation.


Checked workstation again

PS C:\> Get-ChildItem "C:\ProgramData\Microsoft\Windows Defender\Platform"
 
    Directory: C:\ProgramData\Microsoft\Windows Defender\Platform
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        14/04/2026   7:28 AM                4.18.26030.3011-0
d-----        21/05/2026  11:51 AM                4.18.26040.7-0
d-----        21/05/2026  11:51 AM                4.18.26040.7-1

Compared against a known working/compliant machine and noticed the broken machine was still referencing the old platform version.

Registry confirmed it:

PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s /f "4.18.26030.3011-0"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    InstallLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011-0\
 
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s /f "4.18.26040.7"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    BlockedLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-1

Theory:

  • Defender tried upgrading its platform version
  • upgrade failed
  • new platform got marked as blocked
  • Defender stayed partially registered against old platform
  • provider functionality broke

Also noticed MpCmdRun still launching old platform:

PS C:\> & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -GetFiles
 
Launching "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011-0\MpCmdRun.exe" -GetFiles -Reinvoke...
 
ERROR: ValidateMapsConnection failed (0x800106ba)

Fix

Ran:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RevertPlatform

Rebooted the workstation.

After reboot everything fixed itself.

PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /v InstallLocation
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    InstallLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-2\

BlockedLocation gone.

Defender healthy again:

PS C:\> Get-MpComputerStatus
 
AMEngineVersion              : 1.1.26040.8
AMProductVersion             : 4.18.26040.7
AMRunningMode                : Normal
AntivirusEnabled             : True
RealTimeProtectionEnabled    : True

MAPS validation successful:

C:\> "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
 
ValidateMapsConnection successfully established a connection to MAPS

Downloads immediately started working again for the user.
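
To triage other workstations for the same state, the checks above (provider query, InstallLocation, BlockedLocation, Platform folder listing) can be combined into one read-only function. This is an added example, not part of the original notes; the function name and the "InstallLocation differs from the newest folder on disk" heuristic are assumptions.

```powershell
# Added example. Test-DefenderPlatformState is a hypothetical name; the registry
# key, value names and Platform folder are the ones shown in the notes above.
function Test-DefenderPlatformState {
    [CmdletBinding()]
    param(
        [string]$RegPath      = 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
        [string]$PlatformRoot = "$env:ProgramData\Microsoft\Windows Defender\Platform"
    )

    # Symptom 1: Defender cmdlets fail (e.g. "Provider load failure").
    $providerError = $null
    try   { $null = Get-MpComputerStatus -ErrorAction Stop }
    catch { $providerError = $_.Exception.Message }

    # Symptom 2: InstallLocation points at an old platform and/or BlockedLocation exists.
    $key  = Get-ItemProperty -Path $RegPath -ErrorAction Stop
    $leaf = {
        param($name)
        $p = $key.PSObject.Properties[$name]
        if ($p -and $p.Value) { Split-Path -Path ([string]$p.Value).TrimEnd('\') -Leaf }
    }
    $installed = & $leaf 'InstallLocation'
    $blocked   = & $leaf 'BlockedLocation'

    # Platform folders are named <version>-<revision>; sort numerically, not as text.
    $folders = @(Get-ChildItem -Path $PlatformRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match '^(\d+(?:\.\d+){3})-(\d+)$') {
                [pscustomobject]@{ Name = $_.Name; Version = [version]$Matches[1]; Revision = [int]$Matches[2] }
            }
        } | Sort-Object Version, Revision)
    $newest = if ($folders.Count) { $folders[-1].Name }

    [pscustomobject]@{
        ProviderError   = $providerError
        InstallLocation = $installed
        BlockedLocation = $blocked
        NewestOnDisk    = $newest
        # Assumed heuristic: flag the state seen on the broken machine.
        Suspect         = [bool]$providerError -or [bool]$blocked -or
                          ($newest -and $installed -ne $newest)
    }
}

Test-DefenderPlatformState | Format-List
```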

microsoft365/defender/defender_platform_corruption.1779510699.txt.gz · Last modified: by medic
