
Defender PowerShell Hash Mismatches Fix Coming

Last month, I wrote a blog post here about so-called “corrupt file” messages originating in SFC /scannow. On Friday, August 16, Microsoft published a support note on this issue. It not only explains and acknowledges the problem, it also promises a fix. The good news is that the fix will take the form of a new Antimalware Platform update. Specifically, it will carry version number 4.8.1908. The bad news is that the fix is not yet in. I couldn’t even find a download source for that promised next version. A quick check of my Win10 machines, including current-version 1903 PCs and various Insider Previews, shows most of them at version 4.8.1907. That’s why I entitled this post Defender PowerShell hash mismatches fix coming.

What Causes Defender PowerShell Hash Mismatches?

MS offers an explanation and scope for this issue in the Support note entitled “System File Checker (SFC) incorrectly flags Windows Defender PowerShell Module Files as corrupted.” It points specifically to the Windows 10 folder %windir%\System32\WindowsPowerShell\v1.0\Modules\Defender. In the original Windows image, such files use catalog signing. But Windows Defender’s newest manageability component uses an out-of-band (OOB) update channel. Original files give way to updated versions that use a trusted Microsoft certificate instead. Because this differs from the original signing mechanism, file hashes do not match. Thus, SFC flags them as potentially damaged or corrupted with the annotation “Hashes for file member do not match.”

When Is the Defender PowerShell Hash Mismatches Fix Coming?

The Defender update code needs to change to avoid this new and different, but still valid, update mechanism for Windows Defender elements. The note says: “Once this change is implemented, SFC will no longer flag the files.” According to Microsoft, “[t]his issue is fixed in the version 4.8.1908 of Windows Defender. After this update is applied, PowerShell files that are part of the Windows image are not changed, and the SFC tool no longer flags these files.”

MS goes on to recommend the same mitigation/workaround that I described in my previous blog post on this topic. Running dism /online /cleanup-image /restorehealth will replace the new Defender-supplied PowerShell files with the originals from the installed Windows image. Then, SFC /scannow will be able to repair the files it scans on a first pass thereafter, and provide a clean bill of health on the second following pass.

When is 4.8.1908 coming?

We’re talking about the version associated with the antimalware engine for Windows Defender. You can tell what version is running by inspecting the contents of a specific Windows 10 folder:
%ProgramData%/Microsoft/Windows Defender/Platform. The names of its subfolders match the version number. As shown here, the highest numbered folder represents the current antimalware engine version for Windows Defender (see red arrow):

The higher numbered folder (41.18.1907…) represents the current running antimalware platform version
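
Before dismissing an SFC report as this known issue, it is worth confirming that the flagged module files really do carry a valid Microsoft signature, and recording which platform version is installed. The script below is an added example, not code from the original post or from Microsoft; the function names are hypothetical, and it assumes Windows PowerShell 5.1 on Windows 10, where Get-AuthenticodeSignature reports a SignatureType.

```powershell
# Added example: triage SFC "corrupt file" reports for the Defender PowerShell module.
# Function names are hypothetical; paths are the two folders named in the post.

function Get-DefenderPlatformVersion {
    param([string]$PlatformPath = "$env:ProgramData\Microsoft\Windows Defender\Platform")
    Get-ChildItem -LiteralPath $PlatformPath -Directory |
        ForEach-Object {
            # Subfolder names are <version>-<n>; drop the suffix before parsing.
            $v = $null
            if ([version]::TryParse(($_.Name -replace '-.*$', ''), [ref]$v)) { $v }
        } |
        Sort-Object -Descending |
        Select-Object -First 1      # highest-numbered folder = current platform
}

function Get-DefenderModuleSignature {
    param([string]$ModulePath = "$env:windir\System32\WindowsPowerShell\v1.0\Modules\Defender")
    Get-ChildItem -LiteralPath $ModulePath -File -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = $sig.SignerCertificate.Subject   # $null when the file is unsigned
        [pscustomobject]@{
            File          = $_.Name
            Status        = $sig.Status            # Valid = signature verifies and chains to a trusted root
            SignatureType = $sig.SignatureType     # Catalog = image original; Authenticode = embedded signature
            Signer        = $signer
            # Triage heuristic: valid signature AND a Microsoft signer.
            Trusted       = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
        }
    }
}

$platform = Get-DefenderPlatformVersion
$files    = @(Get-DefenderModuleSignature)

"Antimalware platform version: $platform"
$files | Format-Table File, Status, SignatureType, Trusted -AutoSize

$suspect = @($files | Where-Object { -not $_.Trusted })
if ($suspect.Count -eq 0) {
    'All module files have a valid Microsoft signature; SFC hash mismatches here fit the known issue.'
} else {
    "Investigate $($suspect.Count) file(s) without a valid Microsoft signature:"
    $suspect | Format-List File, Status, Signer
}
```

Files reported as Authenticode-signed with Status Valid are the out-of-band replacements the support note describes; a file with any other status is not explained by this issue and deserves a closer look.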

Of course, as fate would have it, the current version is one level BELOW the promised version that will fix this problem. I checked my Insider Preview and other Win10 PCs (the preceding screen cap is from a Win10 Pro 1903 PC running Build 18362.295). All are running that version, except for Win10 Enterprise 1903 Build 18362.295: it’s running version 4.12.17007.18011-0, dated January 20, 2018. Who knows when MS will drop the new version that will fix the issue? We’ll all be finding out, I guess — hopefully sooner, rather than later!