1 pointAlso Windows Defender might have options to do live cloud verification or other levels of threat verification like generic heuristics. Is the web connection enabled in the VM and all Windows Defender settings the same? Virustotal style hash checking and stuff are becoming more common in antivirus apps lately for having access to a more up to date and broader database that allows vendors to find viruses earlier as well. Could even be some random spyware setting in your Windows account profile usually under the title of "help Microsoft improve our products and user experience" type of option. Or Windows Defender is so smart that it knows when you are in a VM or sandbox probably you are studying the viruses and do not want to block them. But doubt it
1 pointUpdates between Windows 10 machines are not always equal regardless of what date/version things say. They roll things out in batches and based on each devices hardware and other qualifying identifiers. Windows Defender symbols and definitions work in a similar manner. So both of your setups may show the same version of WD, but the definitions could be different as one of the machines probably hasn't gotten "permission" to obtain the latest stuff yet. That said, the detection difference could just be an updated difference in the definitions they pushed or that the way WD detected things was done in a different order. (Pretty sure their scanner does multi-threaded scans for performance purposes so one of the threads may have hit the other detection before another thread completed etc. and it just shows what was found first.)
1 pointyou shouldn't be using WD in first place.