Improve Windows Defender baseline (engines, platform and security intelligence update) in OEM disk images using monthly updates and guideline to optimize during factory mode

Applies to: Windows 8Windows 8 EnterpriseWindows 8 Pro


This article describes monthly updates to the Windows 8 Component-Based Servicing (CBS) components. The updates improve the Windows Defender baseline engines and signatures in the Windows 8 and Windows 8.1 disk images that are created by OEMs.

For the best protection, Windows Defender engines and signatures should be kept up-to-date. A baseline set of engines and signatures is included in the original Windows image, but this baseline will be outdated by the time that it reaches customers.

These updates are offered to OEMs to help keep baseline engines and signatures closer to the current versions. This provides OEMs the ability to optimize the out-of-the-box protection and the download experience.

With Windows 2019 spring release (currently in insider build), a new feature named Tamper Protection is added to the Windows Security app. This feature is enabled to help protect users' devices. The feature can be toggled from Windows Security app:

Screenshot of Windows Security App

If this feature is enabled, disabling Windows defender by using the DisableAntiSpyware group policy key will be prevented. You can continue to register other antivirus solution in Windows Security Center. If you are disabling Windows Defender antivirus because of performance reasons during factory mode customization, you can use volume exclusion instead of turning defender off. See the following MpPreference cmdlets for examples:

  • powershell add-mppreference -exclusionpath c:\
  • powershell remove-mppreference -exclusionpath c:\

See the following websites for more information:

More Information

Update information

How to obtain this update

These monthly updates are available on the OEM DVDs.


You must apply the updates to a Windows 8 OEM disk image or a Windows 8.1 OEM disk image.

Note This update must be applied on a Windows image offline before Windows Defender is started. This update is intended to provide users the newer engines and signatures before first run of Windows Defender. If Windows Defender is already running, it may have already started automatically updating engines and signatures through Windows Update and this update is no longer necessary.

How to apply the update to a Windows image

Use Deployment Image Servicing and Management (DISM) to add packages to a Windows image. To do this, run DISM at a command prompt by using the /Add-Package option and pointing to the latest Windows Defender baseline engines and signatures .msu package that you want to add to the Windows image, as follows:
dism /image:  <Path To Windows Image>  /Add-Package /packagepath:  <Path To The .msu Update File> 

Registry information

To apply the updates, you do not have to make any changes to the registry.

File information

The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows RT, Windows 8" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
Monthly update in April 2015
Windows RT, Windows 8 file information
Windows RT 8.1, Windows 8.1 file information


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information

Monthly update in April 2015