Defender for Endpoint EDR Updates Shift to Microsoft Update Channel: What IT Admins Must Know
Date: 2026-06-07
Microsoft is changing how Defender for Endpoint EDR updates are delivered—moving from Windows cumulative updates to the Microsoft Update channel. Here’s what admins need to audit and adjust now.
Tags: ["Microsoft Intune", "Defender for Endpoint", "EDR", "Windows Update", "Endpoint Security"]
Microsoft is shaking up the delivery mechanism for Defender for Endpoint’s Endpoint Detection and Response (EDR) component updates. Traditionally bundled within Windows’ monthly cumulative updates, these critical EDR sensor updates will soon decouple and flow through the Microsoft Update channel independently. This move streamlines update deployment, enables faster patching cycles, and reduces monthly update footprint.
For IT administrators, this shift means revisiting update policies, especially those managed through Microsoft Intune or WSUS. Ensuring that endpoints can receive “other Microsoft products” updates will be essential to maintain security posture and keep EDR sensors current. This post explains the update change, offers a clear technical overview, and provides actionable guidance to audit and configure your environment for seamless transition.
We’ll break down the architectural flow of update delivery, review how to inventory and modify Intune update rings using Microsoft Graph PowerShell, and outline best practices to prepare your endpoint fleets for this upcoming change.
Key Technical Observations
- Decoupling EDR Updates from Windows Cumulative Patches — Separating EDR sensor updates from the full OS cumulative update lets a sensor fix ship on its own cadence instead of waiting for the next Patch Tuesday, shortening the window in which a known sensor issue stays unpatched.
- Alignment with Defender Antivirus Update Model — EDR sensor updates will use the same Microsoft Update channel that already carries Defender Antivirus platform and security intelligence updates, so one opt-in covers all Defender components on the endpoint.
- Intune Update Rings Must Allow Updates for Other Microsoft Products — The Windows Update client only scans the Microsoft Update service for non-OS products when policy allows it (the "Microsoft product updates" setting in an Intune update ring). A ring that blocks it leaves the sensor stuck on the cumulative-update cadence.
- Microsoft Graph API Provides Policy Auditing Capability — Administrators can query every Windows Update for Business ring in the tenant programmatically and read its microsoftUpdateServiceAllowed property to verify the setting.
- WSUS On-Premises Synchronization Requirements — For organizations using WSUS, the relevant Defender product category and update classifications must be enabled in the synchronization options, otherwise the standalone sensor updates are never downloaded to the WSUS server and never offered to clients.
- Phased Rollout Timeline — Initially targeting Windows 10 endpoints in late May 2026, with progressive rollout to Windows 11 and other supported OSes by autumn 2026, giving admins a window for validation and mitigation.
[Figure: Example output of auditing update policies via Microsoft Graph PowerShell (source: Our Cloud Network)]
How It Works: Transitioning EDR Updates to Microsoft Update Channel
Legacy Update Model: Monthly Cumulative Updates
Previously, the core EDR sensor executable (MsSense.exe) was updated only as part of the monthly cumulative Windows updates. This bundling meant security improvements or fixes to Defender for Endpoint’s sensor layer were tied to a broader OS patch cycle, potentially delaying critical fixes.
New Update Model: Independent Microsoft Update Delivery
Under the new model, Microsoft delivers EDR sensor updates as standalone payloads via the Microsoft Update service, the same channel already used for Defender Antivirus platform and security intelligence updates. The flow on a managed endpoint is:
- Step 1: Update Ring Configuration — Endpoint management tools such as Microsoft Intune must allow updates for other Microsoft products in addition to the Windows OS (in an Intune update ring this is the "Microsoft product updates" setting, set to Allow). With it allowed, the endpoint's Windows Update client scans the Microsoft Update service and accepts sensor updates directly.
- Step 2: Microsoft Update Service Push — The Microsoft Update backend offers EDR sensor updates to every endpoint that is opted in, with no dependency on the monthly OS cumulative update being deployed first.
- Step 3: Endpoint Update Application — The MsSense.exe sensor is updated independently of the OS build, so a sensor fix reaches devices in days rather than waiting for the next cumulative update cycle.
- Step 4: Monitoring and Validation — Admins validate deployment success by recording the MsSense.exe version on test devices before and after a sensor release, confirming that the version changed without an OS cumulative update being installed, before broad rollout.
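The four steps above describe the tenant-side configuration; what an admin actually wants on a pilot device is a quick way to confirm that the Windows Update client is opted in to Microsoft Update and to record the sensor version for Step 4. The following script is an added example, not code from the original article or from Microsoft. It assumes the well-known Microsoft Update service GUID, the standard MsSense.exe install path under Program Files, and the AllowMUUpdateService policy value under the WindowsUpdate\AU policy key; run it elevated on a test device.

```powershell
# Added example: endpoint-side readiness check for standalone EDR sensor updates.
# Assumptions (not from the original article): the Microsoft Update service GUID,
# the MsSense.exe path and the AllowMUUpdateService policy value below.

# Well-known service ID of Microsoft Update as seen by the Windows Update Agent
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Get-SensorUpdateReadiness {
    # 1. Is Microsoft Update registered with the Windows Update Agent on this device?
    $ServiceManager = New-Object -ComObject Microsoft.Update.ServiceManager
    $MuService = $ServiceManager.Services |
        Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }

    # 2. Does a GPO/CSP policy explicitly control "install updates for other Microsoft products"?
    #    $null = no policy present, 0 = blocked, 1 = allowed (assumed registry mapping)
    $PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $AllowMu = (Get-ItemProperty -Path $PolicyPath -Name AllowMUUpdateService `
                -ErrorAction SilentlyContinue).AllowMUUpdateService

    # 3. Sensor binary version and service state, for the before/after comparison in Step 4
    $SensePath = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection\MsSense.exe'
    $SenseVersion = if (Test-Path $SensePath) {
        (Get-Item $SensePath).VersionInfo.ProductVersion
    } else { $null }
    $SenseService = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName         = $env:COMPUTERNAME
        MuServiceRegistered  = [bool]$MuService
        MuIsDefaultAU        = if ($MuService) { [bool]$MuService.IsDefaultAUService } else { $false }
        AllowMUUpdateService = $AllowMu
        SenseServiceStatus   = if ($SenseService) { $SenseService.Status.ToString() } else { 'NotInstalled' }
        MsSenseVersion       = $SenseVersion
        CheckedAt            = (Get-Date).ToString('s')
    }
}

$Readiness = Get-SensorUpdateReadiness
$Readiness | Format-List

# Either condition means the device will keep waiting for the cumulative update instead
if (-not $Readiness.MuServiceRegistered -or $Readiness.AllowMUUpdateService -eq 0) {
    Write-Warning "Device is not opted in to Microsoft Update; standalone EDR sensor updates will not be offered."
}

# Append to a CSV so the version can be compared after the next sensor release
$Readiness | Export-Csv -Path "$env:TEMP\sense-readiness.csv" -Append -NoTypeInformation
```

On a WSUS-managed device MuIsDefaultAU will normally be false even when the configuration is correct, because the approved updates arrive from the WSUS server rather than directly from Microsoft Update; in that case the WSUS product and classification settings, not the AllowMUUpdateService value, decide whether the sensor update is offered.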
Why This Matters
This decoupling reflects an industry trend towards modular and agile security updates. Faster update cycles reduce attack surface windows and align endpoint security components with threat intelligence evolution.
Using PowerShell with the Microsoft Graph API empowers admins to audit update rings across their entire environment, ensuring no endpoints miss critical EDR updates due to misconfiguration.
```powershell
# Requires the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph.Authentication)
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

# Only Windows Update for Business rings are of interest, so filter on the OData type
$Uri = "/beta/deviceManagement/deviceConfigurations?`$filter=isof('microsoft.graph.windowsUpdateForBusinessConfiguration')"

# Follow @odata.nextLink so tenants with many rings are fully enumerated, not just the first page
$Rings = @()
do {
    $Response = Invoke-MgGraphRequest -Method GET -Uri $Uri
    $Rings += $Response.value
    $Uri = $Response.'@odata.nextLink'
} while ($Uri)

if ($Rings) {
    $Rings | ForEach-Object {
        [PSCustomObject]@{
            PolicyName      = $_.displayName
            Id              = $_.id
            # microsoftUpdateServiceAllowed is the "Microsoft product updates" ring setting
            MicrosoftUpdate = if ($_.microsoftUpdateServiceAllowed) { "Allowed" } else { "Blocked" }
        }
    } | Format-Table -AutoSize
} else {
    Write-Host "No Windows update ring policies found." -ForegroundColor Yellow
}
```
This PowerShell snippet uses Microsoft Graph to list every Intune Windows update ring and reports, from each ring's microsoftUpdateServiceAllowed property, whether updates for other Microsoft products are allowed. Any ring shown as "Blocked" will keep its assigned devices on the cumulative-update cadence for the EDR sensor until the setting is changed.
Quick Tips & Tricks
- Audit Your Update Rings Early — Run the provided PowerShell script now to identify any Windows Update for Business rings blocking the Microsoft Update service, and check which device groups those rings are assigned to.
- Allow 'Microsoft product updates' in Intune — Do not assume the setting is already allowed; confirm it per ring, because a single ring left on Block is enough to strand the devices assigned to it once the rollout reaches them.
- Validate WSUS Configuration — If managing updates through WSUS, double-check that the Defender product category and update classifications are selected in the synchronization options so the new EDR sensor updates are downloaded and can be approved.
- Monitor MsSense.exe Version Post-Update — Track the sensor version on early test devices to confirm that sensor updates are applying independently, outside of cumulative OS patches.
- Create Test and Pilot Rings — Before wide rollout, validate the changed setting with accelerated update policies on non-critical devices to catch any issues early.
- Stay Informed via Message Center Announcements — Follow Microsoft Message Center update MC1381119 for the latest details and timelines.
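The audit script only reports; once a blocked ring has been confirmed, the fix is a PATCH to the same policy object. The script below is an added example, not code from the original article, that extends the audit into a remediation with a dry run by default. It assumes the same beta deviceManagement endpoint and property name as the audit, and that the account has the DeviceManagementConfiguration.ReadWrite.All scope.

```powershell
# Added example: set microsoftUpdateServiceAllowed to true on every Windows Update for
# Business ring that currently blocks it. Dry run unless -Apply is passed.
# Assumptions (not from the original article): same Graph beta endpoint and property
# name as the audit script; ReadWrite scope granted to the signed-in account.
param(
    [switch]$Apply
)

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Enumerate all rings, following paging links
$Uri = "/beta/deviceManagement/deviceConfigurations?`$filter=isof('microsoft.graph.windowsUpdateForBusinessConfiguration')"
$Rings = @()
do {
    $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri
    $Rings += $Page.value
    $Uri = $Page.'@odata.nextLink'
} while ($Uri)

$Blocked = $Rings | Where-Object { -not $_.microsoftUpdateServiceAllowed }
if (-not $Blocked) {
    Write-Host "All $($Rings.Count) update rings already allow Microsoft product updates." -ForegroundColor Green
    return
}

foreach ($Ring in $Blocked) {
    Write-Host ("Ring '{0}' ({1}) blocks Microsoft Update" -f $Ring.displayName, $Ring.id)
    if ($Apply) {
        # A PATCH on deviceConfigurations must name the concrete policy type in @odata.type;
        # only the one property being changed is sent, everything else on the ring stays as-is
        $Body = @{
            '@odata.type'                 = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
            microsoftUpdateServiceAllowed = $true
        }
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "/beta/deviceManagement/deviceConfigurations/$($Ring.id)" `
            -Body $Body
        Write-Host "  -> updated" -ForegroundColor Green
    } else {
        Write-Host "  (dry run; re-run with -Apply to change it)" -ForegroundColor Yellow
    }
}
```

Run it once without -Apply and compare the listed rings against the pilot plan: change the pilot ring first, confirm on a test device that the sensor version moves outside a cumulative update, and only then re-run with -Apply for the remaining rings.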
Conclusion
Microsoft’s decision to move Defender for Endpoint EDR updates from monthly cumulative patches to the Microsoft Update channel marks a significant shift towards faster, more agile endpoint security patching. This change accelerates vulnerability remediation and aligns EDR sensor updates with Defender Antivirus’s proven update mechanism.
For administrators, proactive auditing and configuration of update rings in Intune or WSUS is critical to ensure seamless update delivery. Leveraging Microsoft Graph API for policy auditing and validating deployments on test endpoints will help avoid security gaps during rollout.
As the security landscape becomes increasingly dynamic, modular update delivery models like this are essential to keeping enterprise endpoints resilient against emerging threats. Staying ahead with proper configuration today will maintain your environment’s security posture tomorrow.
This blog post is based on the original article by Daniel Bradley on Our Cloud Network: Defender for Endpoint EDR Updates Move to Microsoft Update Channel.