Event ID 2001 — Product Name has encountered an error trying to update security intelligence.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Error
Collection Priority: Recommended (Microsoft-Defender, others)

Description

Product Name has encountered an error trying to update security intelligence.

Message #

%1 has encountered an error trying to update security intelligence.
 	New security intelligence Version: %3
 	Previous security intelligence Version: %4
 	Update Source: %6
 	Security intelligence Type: %12
 	Update Type: %14
 	User: %8\%9
 	Current Engine Version: %15
 	Previous Engine Version: %16
 	Error code: %17
 	Error description: %18

Fields #

Name	Description
`Product Name`	—
`Product Version`	—
`Current security intelligence Version`	—
`Previous security intelligence Version`	—
`Update Source Index`	—
`Update Source`	—
`Unused` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`Security intelligence Type Index`	—
`Security intelligence Type`	—
`Update Type Index`	—
`Update Type`	—
`Current Engine Version`	—
`Previous Engine Version`	—
`Error Code`	—
`Error Description`	—
`Update State Index`	—
`Update State`	—
`Source Path`	—
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`CurrentsecurityintelligenceVersion` UnicodeString	—
`PrevioussecurityintelligenceVersion` UnicodeString	—
`UpdateSourceIndex` UnicodeString	—
`UpdateSource` UnicodeString	—
`SecurityintelligenceTypeIndex` UnicodeString	—
`SecurityintelligenceType` UnicodeString	—
`UpdateTypeIndex` UnicodeString	—
`UpdateType` UnicodeString	—
`CurrentEngineVersion` UnicodeString	—
`PreviousEngineVersion` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`UpdateStateIndex` UnicodeString	—
`UpdateState` UnicodeString	—
`SourcePath` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 2001,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T01:17:06.846703+00:00",
    "event_record_id": 1315,
    "correlation": {
      "ActivityID": "4BE4BD99-4F61-4990-9CE4-215B5E5A9104"
    },
    "execution": {
      "process_id": 3728,
      "thread_id": 5300
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.26010.5",
    "Current security intelligence Version": "",
    "Previous security intelligence Version": "1.445.426.0",
    "Update Source Index": "7",
    "Update Source": "Microsoft Update Server",
    "Unused": "",
    "Domain": "NT AUTHORITY",
    "User": "SYSTEM",
    "SID": "S-1-5-18",
    "Security intelligence Type Index": "1",
    "Security intelligence Type": "AntiVirus",
    "Update Type Index": "1",
    "Update Type": "Full",
    "Current Engine Version": "",
    "Previous Engine Version": "1.1.26010.1",
    "Error Code": "0x8007045b",
    "Error Description": "A system shutdown is in progress. ",
    "Update State Index": "1",
    "Update State": "Search",
    "Source Path": "Default URL"
  },
  "message": ""
}

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/