Microsoft has changed where Windows Defender is installed

With a recent update, the Redmond software giant has made a small change to the built-in protection app in Windows 10 called Windows Defender. The application was updated to version 4.12.17007.17123, and now the antivirus portion of the app is located in a different folder path in the file system.

Windows Defender Sec Center Opened

The change is applicable to all editions of Windows 10. The files are moved for all versions of Windows 10 starting with Windows 10 "Creators Update", version 1703.


The affected components include the antivirus engine MsMpEng.exe, the network filter service NisSrv.exe, and the appropriate drivers.

The files MsMpEng.exe and NisSrv.exe have been moved from C:\Program Files\Windows Defender to C:\ProgramData\Microsoft\Windows Defender\Platform\. The related driver files can be found under the folder C:\Windows\System32\drivers\wd, which were previously stored in the C:\Windows\System32\drivers folder.

The file location change happens after installing the update KB4052623. It doesn't explain the reason behind the change, but points to the new location of files in the list of known issues:

  • Because of a change in the file path location in the latest update (Antimalware Client Version: 4.12.17007.17123), many downloads are being blocked when AppLocker is enabled.
    To work around this issue, open Group Policy, and then change the setting to "Allow" for the following path:

    %OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\*

  • In rare cases, computers that are running Windows Defender Advanced Threat Protection together with Windows Defender Antivirus are put into a passive mode during the installation of this update. In this passive mode, Real-time Protection is disabled.
    To work around this issue, delete the "PassiveMode" value at the following registry subkey:

    HKLM\SOFTWARE\Microsoft\Windows Defender

    Note You may have to take ownership of the Windows Defender subkey and enable full access to your user account.

To take ownership of Registry keys, you can use a tool like RegOwnerShipEx.

It is not clear why Microsoft moved the system files for Defender. Maybe later the company might explain the changes in a blog post. It might be because malware is targetting the existing directories or it also might be because Defender's security is being improved by perhaps moving it into sandboxed folders with better security. Only Microsoft can shed light on these changes.


Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

One thought on “Microsoft has changed where Windows Defender is installed”

  1. I always get 0x80070643 when the is a Defender platform update (KB4052623).
    Nothing works. Tried manual update files. Minitool.
    And there is something protecting the “C:\ProgramData\Microsoft\Windows Defender\Platform” folder.
    So I think maybe the update is unable to write the files.
    But this is a Home lisence, so there should be no “AppLocker”.
    Only time the Defender platform update is on huge system updates.
    Or when I do a “in place” upgrade with MediaCreationTool.
    But next update it fails again.
    The definitions update as they should. But I can’t get the platform to update :-(

Leave a Reply

Your email address will not be published.

Using Telegram? Subscribe to the blog channel!
Hello. Add your message here.