KB5007651 is the update Microsoft uses to deliver new versions of the Windows Security platform — the underlying antimalware engine that powers Microsoft Defender. Unlike cumulative Windows updates, KB5007651 ships independently through Windows Update and carries its own version number. It affects Windows 10 and Windows 11 systems alike, and it has been a persistent source of frustration for users since early 2023. The most common complaint is that the update appears to install successfully but then reappears in the update queue, sometimes daily, creating an endless reinstallation loop.
Quick answer: If KB5007651 keeps reinstalling, stop the Windows Update service, delete the contents of C:\Windows\SoftwareDistribution\, restart the service, then check for updates again and reboot. If you run third-party antivirus software, temporarily disable it before performing these steps.
Why KB5007651 keeps showing up
The root cause varies depending on the version of KB5007651 being offered and your system configuration. In many cases, the update installs at the system level but fails to fully register with the Windows Security app (specifically the Microsoft.SecHealthUI component), so Windows Update continues to flag it as pending. This behavior is especially common on machines running third-party antivirus software such as Norton 360, ESET NOD32, or Bitdefender GravityZone, because those products disable parts of the Defender engine that KB5007651 tries to update.
There is also a confirmed quirk where the update only completes properly when a user is actively logged in. If the update runs during a maintenance window or via a remote management tool while no interactive session is active, Event Viewer may log a successful installation, but the update reappears on the next scan. This has been observed across Dell desktops and laptops running Windows 11 with various RMM platforms.
The 2023 LSA protection bug — a brief history
KB5007651 gained notoriety in February 2023 when version 1.0.2302.21002 broke the Local Security Authority (LSA) protection toggle in the Windows Security app on Windows 11 22H2. After installing the update, the Device Security page displayed a yellow warning triangle and the message "Local Security Authority protection is off. Your device may be vulnerable." Attempting to enable the toggle and rebooting did not resolve the warning — it looped indefinitely.
The underlying issue was a missing registry value. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, the DWORD value RunAsPPL was set to 2 as expected, but a second required value — RunAsPPLBoot — was never created by the update. Windows Insider Dev builds had this value present by default, which is why the bug did not surface during preview testing.
Microsoft acknowledged the problem in March 2023 and added it to the Windows 11 known issues list. An attempted fix in April 2023 (version 1.0.2303.27001) introduced hardware-enforced stack protection (kernel-mode), but that revision caused blue screens and application crashes for some users, prompting Microsoft to halt its distribution. A subsequent version, 1.0.2303.28002, also failed to fully resolve the LSA warning and introduced crashes in SecurityHealthService.exe.
The LSA loop was finally resolved in July 2023 with version 1.0.2306.10002, which restored the LSA protection toggle and eliminated the false warning. Microsoft confirmed the fix in the Windows 11 Health Status Dashboard. However, some users continued to report intermittent SecurityHealthService.exe crashes and missing context menus on the Defender taskbar icon even after that update.
Versions of KB5007651 in the Microsoft Update Catalog
Microsoft periodically publishes new builds of KB5007651 to the Update Catalog. The three most recent entries are listed below.
| Version | Last Updated | Size |
|---|---|---|
| 10.0.29429.1000 | October 14, 2025 | 37.9 MB |
| 10.0.27840.1000 | May 22, 2025 | 37.9 MB |
| 10.0.27703.1006 | January 8, 2025 | 37.6 MB |
The version number increments with each monthly release, but the KB article number stays the same. This is why you may see KB5007651 appear month after month — it is not the same update reinstalling, but a new revision being offered. The reinstallation loop occurs when the previous version fails to register as complete, so the newer version keeps getting queued.
Fix the reinstallation loop by clearing the SoftwareDistribution folder
The most widely effective workaround involves resetting the Windows Update cache. This forces Windows to download and apply the update cleanly.
Step 1: If you have third-party antivirus software installed, temporarily disable its real-time protection. Some products interfere with the Defender platform update because they disable the Defender AV module, which prevents KB5007651 from completing its registration.
Step 2: Open an elevated Command Prompt or PowerShell window and stop the Windows Update service by running net stop wuauserv. You may also want to stop the BITS service with net stop bits.
Step 3: Navigate to C:\Windows\SoftwareDistribution\ and delete everything inside the folder. This removes cached update files and metadata. Windows will recreate the folder contents on the next update check.
Step 4: Restart the services with net start wuauserv and net start bits.
Step 5: Open Settings → Windows Update and click "Check for updates." Let Windows download and install any available updates, including the new version of KB5007651. Restart your computer when prompted.
Step 6: Re-enable your third-party antivirus software after the reboot.
After completing these steps, check your update history to confirm KB5007651 shows as successfully installed. If the update does not reappear on the next manual check, the loop is broken.
Additional considerations for managed environments
System administrators deploying updates through tools like NinjaRMM, Intune, or WSUS should be aware that KB5007651 may report as failed when pushed to machines without an active user session. The update appears to require an interactive logon to finalize the Microsoft.SecHealthUI app registration. One practical approach is to schedule the update during business hours when users are logged in, or to trigger a follow-up compliance scan after the next user logon.
For environments using Bitdefender GravityZone or similar endpoint protection that fully replaces the Defender engine, the KB5007651 update may perpetually cycle because the Defender AV module it targets is intentionally disabled. In these cases, you can suppress the update through your patch management tool or accept the cosmetic failure, since the underlying security platform components still get updated.
How to verify your current Windows Security platform version
Open the Windows Security app, click the gear icon to access Settings, and select "About." The version of the Windows Security service is listed there. You can compare this number against the version offered in Windows Update to determine whether the latest KB5007651 revision has been applied. If the installed version matches or exceeds the offered version and the update still reappears, the SoftwareDistribution reset described above is the most reliable fix.
KB5007651 has been a recurring headache since 2023, cycling through LSA protection bugs, blue screens, SecurityHealthService.exe crashes, and reinstallation loops across multiple Windows 11 releases. While Microsoft has resolved the most severe issues through successive platform updates, the reinstallation loop continues to surface for some users — particularly those running third-party antivirus or managing fleets of devices remotely. Clearing the update cache remains the most dependable workaround when the loop strikes again.
