How to Update Windows Security Signatures Manually (When Automatic Updates Won’t Work)

Windows Security signature updates are supposed to happen silently in the background — and usually they do. But when automatic updates break, you’re left with outdated definitions and a red warning badge on the taskbar that won’t go away no matter what you click.


Why Manual Updates Are Sometimes Necessary

Automatic signature updates fail more often than Microsoft’s documentation suggests. From what I’ve seen, the most common scenarios are:

  • Windows Update is broken or paused — signature updates route through the same pipeline, so if WU is having issues, definitions stop updating too
  • The machine is air-gapped or behind a strict proxy — common in enterprise environments where outbound connections to Microsoft’s CDN are blocked
  • The security intelligence service crashed or got stuck — the update process hangs but doesn’t report any visible error
  • A Group Policy is controlling update behavior — especially on domain-joined machines where IT has locked things down
  • Windows Update database corruption — update history is inconsistent, and new signature pulls silently fail

Whatever the reason, manually pushing a definition update takes about two minutes once you know where the files are.


Method 1: Force Update from Within Windows Security (Quickest)

This is the first thing to try. It’s not strictly “manual”: you’re telling the automatic system to try again on demand rather than waiting for the scheduled pull. But it bypasses whatever scheduling issue might be causing the delay.

  1. Open Windows Security — search for it in the Start menu or click the shield icon in the system tray
  2. Go to Virus & Threat Protection
  3. Scroll down to Virus & threat protection updates
  4. Click Check for updates
  5. Windows will attempt to pull the latest signature package from Microsoft’s servers

If this works, you’re done. If it fails with an error — or if the “last updated” timestamp doesn’t change — move to Method 2.


Method 2: Update via Command Line (More Reliable)

The command-line approach bypasses the GUI and calls the update engine directly. It also gives you actual output to look at instead of a spinner that may or may not be doing anything.

Open Command Prompt as Administrator (right-click Start > Terminal (Admin) or search for cmd, right-click, Run as administrator):

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

You’ll see output like:

Signature update started . . .
Signature update finished.

If it completes successfully, your definitions are now current. If it fails, you’ll get an error code — write it down, it’s useful for diagnosing what’s actually wrong.

And if you want to force an update from a specific source (like Microsoft Update rather than the default CDN):

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate -MMPC

The -MMPC flag points it at the Microsoft Malware Protection Center endpoint specifically.


Method 3: Download and Install the Signature Package Manually

This is the fully manual approach — no network connectivity required at the machine you’re updating. Download the package on any internet-connected device, transfer it, run it.

Microsoft publishes the signature packages directly at:

https://www.microsoft.com/en-us/wdsi/definitions

You’ll find packages for different architectures:

Package         Use For
64-bit (x64)    Most modern PCs, standard Windows 11/10
32-bit (x86)    Older 32-bit Windows installations
ARM64           Surface Pro X, ARM-based Windows devices

Download the right one for your system. If you’re not sure whether you’re on x64, press Win + Pause or go to Settings > System > About and check the System type field.

Once you have the file (it’ll be named something like mpam-fe.exe or mpas-fe.exe):

  1. Transfer it to the target machine if needed (USB drive works fine)
  2. Right-click the file and select Run as administrator
  3. The update installs silently — no progress window, no confirmation dialog
  4. Open Windows Security and check that the “Last update” timestamp has changed

The whole thing takes under a minute. But you won’t see any visual feedback during the install, which is mildly annoying — just wait 30–60 seconds before checking.
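
Because the package crosses a USB drive and then runs elevated with no prompt, it is worth checking its Authenticode signature on the target machine first. The following is an added example, not part of the original article or Microsoft's tooling; the function name, the E:\ path and the expected signer string are assumptions for illustration.

```powershell
function Test-DefinitionPackage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional: SHA-256 recorded on the download machine, to detect changes in transit.
        [string] $ExpectedSha256,
        # Assumption: Microsoft-published packages are signed by this organisation.
        [string] $ExpectedSigner = 'O=Microsoft Corporation'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Package not found: $Path" }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # 'Valid' means the file matches its signature and the certificate is trusted;
    # the subject check confirms who signed it, not just that someone did.
    $signerOk = $false
    if ($sig.SignerCertificate) {
        $signerOk = $sig.SignerCertificate.Subject -like "*$ExpectedSigner*"
    }
    $hashOk = (-not $ExpectedSha256) -or ($hash -eq $ExpectedSha256.Trim())

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Sha256          = $hash
        SafeToRun       = ($sig.Status -eq 'Valid') -and $signerOk -and $hashOk
    }
}

# 'E:\mpam-fe.exe' is a placeholder for wherever the transferred file landed.
$check = Test-DefinitionPackage -Path 'E:\mpam-fe.exe'
if ($check.SafeToRun) {
    Start-Process -FilePath $check.Path -Verb RunAs -Wait   # installs silently, as described above
} else {
    Write-Warning "Not running $($check.Path): status '$($check.SignatureStatus)', signer '$($check.Signer)'"
}
```

Run it from an elevated PowerShell window on the machine being updated; a status other than Valid (for example NotSigned or HashMismatch) means the file should be downloaded again.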


Method 4: PowerShell (For Scripting or Remote Updates)

If you’re managing multiple machines or want something you can automate, PowerShell is the better route:

Update-MpSignature

That’s it. Run it in an elevated PowerShell window. You can also specify a source:

Update-MpSignature -UpdateSource MicrosoftUpdateServer

Available source options: MicrosoftUpdateServer, MMPC, InternalDefinitionUpdateServer (WSUS), FileShares.

To check current signature version before and after:

Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion

This is the approach I’d use in any environment where you’re doing this more than once.


How to Verify the Update Took

After any of the above methods, confirm the update actually applied:

In Windows Security UI: Go to Virus & Threat Protection > Virus & threat protection updates — check the “Security intelligence version” and “Last update” fields. The version number should be current (you can cross-check against what Microsoft publishes at the WDSI page).

Via PowerShell:

Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion, AntivirusSignatureAge

AntivirusSignatureAge tells you how many days old the current definitions are. Anything over 3–4 days is worth investigating. Over 7 days on a connected machine means something is actively preventing updates.
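
For repeated or scripted use, the update and the before/after check from Method 4 can be combined into one function that tries several sources in turn and applies the age thresholds above. This is an added example, not from the original article; the function name, the source order and the state labels are assumptions.

```powershell
function Update-DefenderSignature {
    param(
        # Sources are tried in order until one succeeds (values from the list in Method 4).
        [string[]] $Sources = @('MicrosoftUpdateServer', 'MMPC'),
        [int] $WarnAgeDays  = 3,   # "worth investigating" threshold from the text
        [int] $AlertAgeDays = 7    # "something is preventing updates" threshold
    )

    $before     = Get-MpComputerStatus
    $usedSource = $null
    $failures   = @()

    foreach ($source in $Sources) {
        try {
            Update-MpSignature -UpdateSource $source -ErrorAction Stop
            $usedSource = $source
            break
        } catch {
            # Keep the error text per source; it is the useful part when diagnosing.
            $failures += "${source}: $($_.Exception.Message)"
        }
    }

    $after = Get-MpComputerStatus
    $age   = $after.AntivirusSignatureAge
    $state = 'Current'
    if ($age -gt $WarnAgeDays)  { $state = 'Investigate' }
    if ($age -gt $AlertAgeDays) { $state = 'UpdatesBlocked' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        VersionBefore = $before.AntivirusSignatureVersion
        VersionAfter  = $after.AntivirusSignatureVersion
        LastUpdated   = $after.AntivirusSignatureLastUpdated
        AgeDays       = $age
        SourceUsed    = $usedSource
        State         = $state
        Failures      = $failures
    }
}

Update-DefenderSignature | Format-List
```

An unchanged version with a low AgeDays just means the definitions were already current; an unchanged version with entries in Failures is the case to chase.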


When Manual Updates Keep Failing

If even the direct package install fails, the Windows Defender service itself may be damaged. A few things to check:

Check if the service is actually running:

sc query windefend

If the state isn’t RUNNING, try:

sc start windefend

Reset the security intelligence via MpCmdRun:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

This wipes the current definitions entirely. Then run the SignatureUpdate command again to pull fresh ones. It sounds drastic but it’s a legitimate reset procedure — Windows will re-download everything from scratch.

Check Event Viewer for Defender errors: Navigate to Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational. Filter for Error or Warning level. The event IDs will tell you exactly what’s failing — 2001 means update failed, 2003 means update was forced but couldn’t complete, 5007 is a configuration change that might explain why updates stopped.
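
The same log can be queried from PowerShell instead of clicking through Event Viewer. This is an added example, not from the original article; the function name and the seven-day window are assumptions, and the meanings attached to each ID are the ones given in the paragraph above.

```powershell
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'
$EventIds    = 2001, 2003, 5007
$Meaning     = @{
    2001 = 'Update failed'
    2003 = 'Update forced but could not complete'
    5007 = 'Configuration change'
}

function Get-DefenderUpdateEvent {
    param([int] $Days = 7)

    $filter = @{
        LogName   = $DefenderLog
        Id        = $EventIds
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Level   = $_.LevelDisplayName
                Meaning = $Meaning[$_.Id]
                Message = $_.Message
            }
        }
}

$events = @(Get-DefenderUpdateEvent -Days 7)

# Summary first, then the full records in time order.
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
$events | Format-List Time, Id, Level, Meaning, Message
```

Reading the records in time order shows whether a 5007 configuration change was logged shortly before the first failed update.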


One Thing People Overlook

Third-party security software. If you have another AV product installed — even a “disabled” one — it can interfere with Windows Defender’s update process in ways that aren’t obvious. Some products mark themselves as inactive but still hold file system hooks that intercept Defender’s signature write operations.

If manual updates are consistently failing and nothing else explains it, check Windows Security > Security providers to see what’s registered. A ghost AV product sitting in that list can quietly break things even when it appears dormant.


FAQ

How often do Windows Security signatures update normally? Multiple times per day on a healthy connected system. Microsoft releases definition updates continuously. If your “last updated” time is more than 24 hours ago on an internet-connected machine, something’s wrong.

Is it safe to run the mpam-fe.exe package from Microsoft’s site? Yes — as long as you’re downloading it directly from microsoft.com/en-us/wdsi/definitions and not a third-party mirror. Verify the URL before downloading.

Can I update signatures if Windows Defender is turned off? No. If Defender is disabled by Group Policy or by a third-party AV taking control, signature updates stop entirely. You’d need to address that first.

The signature update says it succeeded but the date still shows old — why? This happens sometimes when the update process completes but the UI doesn’t refresh. Close and reopen Windows Security. If the date still doesn’t change, run Get-MpComputerStatus in PowerShell to get the raw value — sometimes the UI lags.

Does this work on Windows 10 as well? Yes. The MpCmdRun.exe path and the PowerShell cmdlets are the same. The WDSI page also lists Windows 10-compatible packages. The only difference is minor UI label changes between versions.

I’m on a corporate machine — should I do this? Check with IT first. In managed environments, Defender updates often come through WSUS or a dedicated endpoint management tool. Manually pushing updates might conflict with that or get overwritten on the next policy refresh cycle.

How large are the signature packages? The full package (mpam-fe.exe) is typically 250–400 MB depending on when you download it. There are also delta packages (smaller, incremental updates) but those require an existing recent baseline to apply correctly — for a machine that’s significantly behind, just grab the full package.


Editor’s Opinion

The command-line method is underrated. Most people click around in Windows Security and get frustrated when nothing happens — but MpCmdRun.exe -SignatureUpdate just works and gives you actual output instead of a spinning circle. The manual package download is also worth bookmarking for air-gapped machines or situations where Windows Update is completely broken. Took me longer than it should have to find the WDSI page the first time. Now it’s in my bookmarks.

Written by ugur

Ugur is an editor and writer at (NSF Tech), specializing in technology and Windows. He produces in-depth, well-researched, and reliable stories with a strong focus on Windows, emerging technologies, digital culture, cybersecurity, AI developments, and innovative solutions shaping the future. His work aims to inform, inspire, and engage readers worldwide with accurate reporting and a clear editorial voice.
