Stay protected with Windows Security

Windows 10 includes Windows Security, which provides the latest antivirus protection. Your device will be actively protected from the moment you start Windows 10. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats.

Windows 10 in S mode

Some features will be a little different if you’re running Windows 10 in S mode. Because this mode is streamlined for tighter security, the Virus & threat protection area has fewer options. But don’t worry—the built-in security of this mode automatically prevents viruses and other threats from running on your device, and you’ll receive security updates automatically. For more info, see Windows 10 in S mode FAQ.

Important security info

Windows Security is built-in to Windows 10 and includes an antirvirus program called Microsoft Defender Antivirus. (In previous versions of Windows 10, Windows Security is called Windows Defender Security Center).

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on automatically.

If you’re having problems receiving Windows Security updates, see Fix Windows Update errors and the Windows Update FAQ.

For info on how to uninstall an app, see Repair or remove an app in Windows 10.

To change your user account to an admin account, see Create a local user or administrator account in Windows 10.

Understand and customize Windows Security features

Windows Security is your home to manage the tools that protect your device and your data:

Virus & threat protection. Monitor threats to your device, run scans, and get updates to help detect the latest threats. (Some of these options are unavailable if you’re running Windows 10 in S mode.)

Account protection. Access sign-in options and account settings, including Windows Hello and dynamic lock.

Firewall & network protection. Manage firewall settings and monitor what’s happening with your networks and internet connections.

App & browser control. Update settings for Microsoft Defender SmartScreen to help protect your device against potentially dangerous apps, files, sites, and downloads. You’ll have exploit protection and you can customize protection settings for your devices.

Device security. Review built-in security options to help protect your device from attacks by malicious software.

Device performance & health. View status info about your device’s performance health, and keep your device clean and up to date with the latest version of Windows 10.

Family options. Keep track of your kids’ online activity and the devices in your household.

You can customize how your device is protected with these Windows Security features. To access them, select Start > Settings > Update & Security > Windows Security . Then select the feature you want to explore.
Open Windows Security settings

Status icons indicate your level of safety:

Green means your device is sufficiently protected and there aren’t any recommended actions.

Yellow means there is a safety recommendation for you.

Red is a warning that something needs your immediate attention.

Run a malware scan manually

When you’re concerned about risks to a specific file or folder, you can right-click the file or folder in File Explorer, then select Scan with Microsoft Defender.

If you suspect there’s malware or a virus on your device, you should immediately run a quick scan. This is much faster than running a full scan on all your files and folders.

Run a quick scan in Windows Security

Select Start > Settings > Update & Security > Windows Security and then Virus & threat protection.
Open Windows Security settings

Under Current threats, select Quick scan (or in previous versions of Windows 10, under Threat history, select Scan now).

If the scan doesn’t find any issues, but you’re still concerned, you may want to check your device more thoroughly.

Run an advanced scan in Windows Security

Select Start > Settings > Update & Security > Windows Security and then Virus & threat protection.

Under Current threats, select Scan options (or in previous versions of Windows 10, under Threat history, select Run a new advanced scan).

Select one of the scan options:

Full scan (check files and programs currently running on your device)

Custom scan (scan specific files or folders)

Microsoft Defender Offline scan (run this scan if your device has been, or could potentially be, infected by a virus or malware). Learn more about Microsoft Defender Offline

Select Scan now.

Note: Because of streamlined security, this process isn’t available if you’re running Windows 10 in S mode.

Schedule your own scan

Even though Windows Security is regularly scanning your device to keep it safe, you can also set when and how often the scans occur.

Schedule a scan

Select the Start button, type schedule tasks in the Search box, and in the list of results, select Task Scheduler.

In the left pane, select the arrow (>) next to Task Scheduler Library to expand it, do the same with Microsoft > Windows, and then scroll down and select the Windows Defender folder.

In the top-center pane, select Windows Defender Scheduled Scan. (Point to the choices to see the full names.)

In the Actions pane on the right, scroll down and then select Properties.

In the window that opens, select the Triggers tab, and then select New.

Set your preferred time and frequency, and then select OK.

Review the schedule and select OK.

Note: Because of streamlined security, this process isn’t available if you’re running Windows 10 in S mode.

Turn Microsoft Defender Antivirus real-time protection on or off

Sometimes you may need to briefly stop running real-time protection. While real-time protection is off, files you open or download won’t be scanned for threats. However, real-time protection will soon turn on automatically again to protect your device.

Turn real-time protection off temporarily

Select Start > Settings > Update & Security > Windows Security and then Virus & threat protection > Manage settings. (In previous versions of Windows 10, select Virus & threat protection > Virus & threat protection settings.)
Open Windows Security settings

Switch the Real-time protection setting to Off and choose Yes to verify.

Note: Because of streamlined security, this process isn’t available if you’re running Windows 10 in S mode.

Important: Windows security updates and antivirus software

Overview

Microsoft has identified a compatibility issue with Microsoft’s Windows security updates released in January 2018 and a small number of antivirus software products.

The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent these stop errors, Microsoft is currently only offering the January and February 2018 Windows security updates to devices that are running antivirus software that is from antivirus software vendors who have confirmed that their antivirus software is compatible by setting a required registry key.

April 10, 2018 Status Update

We are lifting the AV compatibility check for Windows security updates for supported Windows 7 SP1 and Windows 8.1 devices via Windows Update. We continue to require that AV software be compatible, and in cases where there are known issues of AV driver compatibility, we will block those devices from updates to avoid any issues. We recommend customers check with their AV provider on compatibility of their installed AV software product.

March 13, 2018 Status Update

Our recent work with our anti-virus (AV) partners on compatibility with Windows updates has now reached a sustained level of broad ecosystem compatibility. Based on our analysis of available data, we are now lifting the AV compatibility check for the March 2018 Windows security updates for supported Windows 10 devices via Windows Update. We continue to require that AV software is compatible and in cases where there are known issues of AV driver compatibility, we will block those devices from updates to avoid any issues. We recommend customers check with their AV provider on compatibility of their installed AV software product.

More information

Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the 2018 Windows security updates and have set the required registry key.

Windows 10, Windows 8.1, Windows Server 2012 R2 and Windows Server 2016 Customers

Microsoft recommends all customers protect their devices by running a compatible and supported antivirus program. Customers can take advantage of built-in antivirus protection, Windows Defender Antivirus, for Windows 8.1 and Windows 10 devices or a compatible third-party antivirus application.

Windows 7 SP1 and Windows Server 2008 R2 SP1 Customers

In a default installation of Windows 7 SP1 or Windows Server 2008 R2 SP1, customers will not have an antivirus application installed by default. In these situations, Microsoft recommends installing a compatible and supported antivirus application such as Microsoft Security Essentials or a third-party anti-virus application.

Customers without Antivirus

In cases where customers can’t install or run antivirus software, Microsoft recommends manually setting the registry key as described below in order to receive the latest Windows security updates.

Setting the Registry Key

Caution Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the «Changing keys and values» help topic in Registry Editor (Regedit.exe) or view the «Add and delete information in the registry» and «Edit registry data» help topics in Regedt32.exe.

Note: Customers running Windows 8.1 and earlier versions will not receive the January 2018 Windows security updates (or any subsequent Windows security updates) and will not be protected from security vulnerabilities unless and until their antivirus software vendor sets the following registry key:

Key=»HKEY_LOCAL_MACHINE» Subkey=»SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat» Value=»cadca5fe-87d3-4b96-b7fb-a231484277cc» Type=»REG_DWORD”

Frequently asked questions

Q1: Why are some antivirus solutions incompatible with the January — March, 2018, security updates?

A1: During testing, we discovered that some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur.

Microsoft has assembled the following resources to help potentially impacted customers:

Q2: What is Microsoft doing to help mitigate issues caused by these unsupported applications?

A2: To help protect our customers from «blue screen» errors and unknown scenarios, Microsoft is requiring all antivirus software vendors to attest to the compatibility of their applications by setting a Windows registry key.

Q3: How long will Microsoft require setting a registry key to receive the Windows security updates?

A3: As of April 10, 2018, we are lifting the AV compatibility check for Windows security updates for supported Windows 7 SP1 and Windows 8.1 devices via Windows Update. As of March 13, 2018 Microsoft is lifting the AV compatibility check for the March 2018 Windows security updates for supported Windows 10 devices via Windows Update. We continue to require that AV software is compatible and in cases where there are known issues of AV driver compatibility, we may block those devices from receiving Windows updates to avoid any issues.

Q4: I have a compatible antivirus application but I’m not being offered the Windows security updates. What do I do?

A4: In some cases, it may take time for Windows security updates to be delivered to systems, particularly for devices that have been turned off or not connected to the Internet (offline). After they are turned on again, these systems should receive updates from their antivirus software providers. Customers who still experience problems 24 hours after ensuring that their devices have proper Internet connectivity should contact their antivirus software vendor for additional troubleshooting steps.

Q5: My antivirus software is not compatible. What should I do?

A5: Microsoft has been working closely with antivirus software partners to help all customers receive the 2018 Windows security updates as soon as possible. See the status update sections ealier in this article for more information. If you are not being offered this month’s security update, Microsoft recommends that you contact your antivirus software provider.

Q6: I have a compatible antivirus software application, but I still experienced a bluescreen. What should I do?

A6: Microsoft has assembled the following resources to help potentially affected customers:

Lifecycle FAQ — Extended Security Updates

Originally published: April 2, 2019
Updated: March 5, 2021

Please go here to search for your product’s lifecycle.

What is the Extended Security Update (ESU) program?

The Extended Security Update (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. It includes Critical* and/or Important* security updates for a maximum of three years after the product’s End of Extended Support date.

Extended Security Updates will be distributed if and when available. ESUs do not include new features, customer-requested non-security updates, or design change requests.

All Windows 7 and Windows Server 2008/R2 customers received an update on January 14, 2020 as the operating systems were in support until then. Updates for these operating systems after January 14, 2020 are provided for ESU customers only.

To learn more about year 2 of the ESU program for Windows 7 and Windows Server 2008, go here, and see our Windows 7 ESU FAQs.

What products are included?

ESU Availability and End Dates

ESUs available. Go here to learn more.

ESUs available. Go here to learn more.

Products	End of Extended Support/ESU Start Date	ESU End Date Year 1	ESU End Date Year 2	ESU End Date Year 3	Type of Security Update
SQL Server 2008/R2 (Enterprise, Standard, Datacenter, Web, Workgroup)	July 9, 2019	July 14, 2020	July 13, 2021	July 12, 2022	Critical
SQL Server 2008/R2 for Embedded Systems*	July 9, 2019	July 14, 2020	July 13, 2021	July 12, 2022	Critical
Windows Server 2008/R2 (Datacenter, Standard, Enterprise)	January 14, 2020	January 12, 2021	January 11, 2022	January 10, 2023	Critical, Important
Windows 7 (Professional, Enterprise)	January 14, 2020	January 12, 2021	January 11, 2022	January 10, 2023	Critical, Important
Windows 7 Professional for Embedded Systems*	January 14, 2020	January 12, 2021	January 11, 2022	January 10, 2023	Critical, Important
Windows Server Embedded 2008/R2*	January 14, 2020	January 12, 2021	January 11, 2022	January 10, 2023	Critical, Important
Windows Embedded Standard 7*	October 13, 2020	October 12, 2021	October 11, 2022	October 10, 2023	Critical, Important
Windows Embedded POSReady 7*	October 12, 2021	October 11, 2022	October 10, 2023	October 8, 2024	Critical, Important
Dynamics AX 2009	April 12, 2022	Critical
Dynamics AX 2012/R2	April 12, 2022	Critical

* Extended Security Updates for select Embedded products are available via OEMs. All others are available via volume licensing.

Can I get support after the Extended Support date, without purchasing Extended Security Updates?

For technical support, customers must purchase Extended Security Updates and have an active support plan in place to get technical support on a product that has moved beyond the Extended Support date. Please call 1-800-Microsoft to receive support.

For security updates only, customers can receive Extended Security Updates on the following products for free:

SQL and Windows Server 2008/R2: Customers who move workloads to Azure Virtual Machines (IaaS) «as-is» will have free access to Extended Security Updates for both SQL Server and Windows Server 2008 and 2008 R2 for three years after the End of Support.

Windows 7: Microsoft Windows Virtual Desktop provides a Windows 7 device with free Extended Security Updates through January 2023.

Dynamics AX 2009 and AX 2012/R2: Dynamics customers who purchase Dynamics 365 Finance, Dynamics 365 Supply Chain, or Dynamics 365 Commerce with the intent to start their migration to the cloud will receive Extended Security Updates (ESU) at no charge. Go here to learn more.

How can I purchase ESUs?

Extended Security Updates are available through specific volume licensing programs. Contact your Microsoft partner or account team to learn more. ESUs for select Embedded products are available via your embedded device manufacturer. For ESUs available through the Dynamics 365 Cloud Migration offer, customers can purchase via the Cloud Service Provider (CSP) licensing program.

Coverage will be available in three consecutive 12-month increments following End of Support. Customers cannot buy partial periods (e.g., only 6 months). Extended Security Updates are transacted per year (12-month period), commencing with the End of Support date.

Eligible customers can use the Azure Hybrid Benefit (available to customers with active Software Assurance or Server Subscriptions) to obtain discounts on the license of Azure Virtual Machines (IaaS) or Azure SQL Database Managed Instance (PaaS).

Does Unified Support include ESUs?

No, customers must purchase ESU support separate from Unified Support. Once ESU support is purchased, customers can get technical support for products covered by the program.

How do I install ESU updates?

SQL Server 2008/R2: Once SQL Server instances have been registered with the SQL Server registry service, customers can download the Extended Security Update packages using the link found in the Azure portal, if and when they are made available. Go here to learn more.

Can I use System Center Configuration Manager (SCCM) to deploy Extended Security Updates?

Customers who have purchased Windows ESUs can use the latest version of System Center Configuration Manager, Current Branch (SCCM) to deploy and install Windows security updates.

SCCM 2012 R2 will not be supported on Windows 7 or Windows Server 2008/R2 operating systems during their respective ESU phases.

For more information, go here.

What versions of .NET are supported on Windows during their respective Extended Security Update (ESU) phases?

.NET 3.5 SP1, .NET 4.5.2 and .NET 4.6 are supported during the Windows Server 2008 ESU.

.NET 3.5. SP1, and .NET 4.5.2 through .NET 4.8 are supported during Windows Server 2008 R2 and Windows 7 ESU phases.

How can I learn more?

To learn more about the Extended Security Update Program, and End of Support and migration options for Window 7 and SQL and Windows Server 2008/R2, see the following articles:

Change Log

January 2020 edits
EDITED: URLs for SQL Server 2008/R2 ESU FAQs and Resources

July 2020 edits
EDITED: ESU end date year 2 for Windows Embedded Standard 7

November 2020 edits
ADDED: ESU end date year 2 for Windows 7 and Windows Server 2008
ADDED: Link to getting ESU for Windows Embedded 7 Standard

January 2021 edits
ADDED: Links to the Windows 7 ESU FAQ

March 2021 edits
ADDED: Dynamics 365 ESU details