Summary: Microsoft Defender for Endpoint platform/update corruption causing Defender AV provider failures and browser download scanning failures. Defender platform upgrade partially failed, leaving endpoint registered against an outdated platform version and marking the newer platform as blocked.

User reported downloads failing in browser with:

Virus scan failed

Defender cmdlets were completely broken:

PS C:\> Get-MpComputerStatus
 
Get-MpComputerStatus : Provider load failure
HRESULT 0x80041013
 
PS C:\> Get-MpThreat
 
Get-MpThreat : Provider load failure
HRESULT 0x80041013

Services themselves looked fine:

PS C:\> Get-Service Winmgmt,WinDefend,Sense,wscsvc | ft Name,Status,StartType
 
Name       Status StartType
----       ------ ---------
Sense     Running Automatic
WinDefend Running Automatic
Winmgmt   Running Automatic
wscsvc    Running Automatic

WMI repo also reported healthy:

PS C:\> winmgmt /verifyrepository
 
WMI repository is consistent

Device showing:

• Antivirus = Error
• Real-time protection = Error
• Security intelligence = Error

With SyncML 500 errors.

Good clue Intune couldn't query Defender's state on this workstation properly.

PS C:\> Get-ChildItem "C:\ProgramData\Microsoft\Windows Defender\Platform"
 
    Directory: C:\ProgramData\Microsoft\Windows Defender\Platform
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        14/04/2026   7:28 AM                4.18.26030.3011-0
d-----        21/05/2026  11:51 AM                4.18.26040.7-0
d-----        21/05/2026  11:51 AM                4.18.26040.7-1

Compared against a known working/compliant machine and noticed broken machine still referencing old platform version.

Registry confirmed it:

PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s /f "4.18.26030.3011-0"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    InstallLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011-0\
 
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /s /f "4.18.26040.7"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    BlockedLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-1

Theory:

• Defender tried upgrading its platform version
• upgrade failed
• new platform got marked as blocked
• Defender stayed partially registered against old platform
• provider functionality broke

Also noticed MpCmdRun still launching old platform:

PS C:\> & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -GetFiles
 
Launching "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011-0\MpCmdRun.exe" -GetFiles -Reinvoke...
 
ERROR: ValidateMapsConnection failed (0x800106ba)

Ran:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RevertPlatform

Rebooted the workstation.

After reboot everything fixed itself.

PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /v InstallLocation
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    InstallLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-2\

BlockedLocation gone.

Defender healthy again:

PS C:\> Get-MpComputerStatus
 
AMEngineVersion              : 1.1.26040.8
AMProductVersion             : 4.18.26040.7
AMRunningMode                : Normal
AntivirusEnabled             : True
RealTimeProtectionEnabled    : True

MAPS validation successful:

C:\> "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
 
ValidateMapsConnection successfully established a connection to MAPS

Downloads immediately started working again for the user.