Software Restriction Policy breaks Windows Defender definition updates

  • Question

  • I've seen a lot of threads with 0x80070643 errors trying to install definition updates, and they seem to do with another computer security product interfering with it. In my case, it appears one built-in Windows security product is breaking another.

    Definition updates always fail on Windows 10 Pro and Enterprise if I have Software Restriction Policy enabled, and if I use a default enforcement of Disallowed that applies to all users except local admins. My Allow rules past that will include the OS folder, Program Files, and Program Files (x86), and I'll add additional rules as needed to fix broken applications.

    Using SRP in this fashion worked fine on Windows 8 and Windows 8.1, where definition updates installed without difficulty.

    Let me make that clear: This worked on Windows 8.

    Something changed in Windows 10, specifically with definition updates though, because other updates install without difficulty. Even a local non-admin can apply OS and MS application updates, such as those for MS Office, without errors. It's just the definition updates that get blocked.

    To reproduce the problem, follow these steps:

    • Install Windows 10 Pro or Enterprise, using default settings.
    • Create a local administrator user (done during installation) and a local non-admin user. These can be Microsoft accounts or local accounts, or one can use domain accounts in a domain.
    • Launch gpedit.msc as the admin user, and enable Software Restriction Policy. Use the default enforcement of Unrestricted for now.
    • Create these additional rules: C:\Windows / Unrestricted, C:\Program Files / Unrestricted, C:\Program Files (x86) / Unrestricted. You'll likely need to delete or edit the existing rules; some Store apps don't like the environment variable paths.
    • Change the Enforcement setting to apply SRP to all software files (including DLLs), all users except local admins, and allow or ignore certificate rules as you wish.
    • Only here do you change the default security level to Disallowed.
    • Finally, restart the PC.

    With this config, non-admins can only launch applications installed in Program Files or in the Windows folder. Admins subject to User Account Control will be treated as non-admins unless they right-click on the application and pick Run as Administrator; this way it's possible to install applications and not violate the SRP rules.

    Now... try to install a definition update. Error 0x80070643, which I suspect is ACCESS_DENIED, happens. Meanwhile, other updates will install. Applications actually certified for current editions of Windows will work. Old apps Designed for Windows XP will work. Store apps will work.

    What is Windows Defender doing on 10 that is different from what it did on 8? Is it trying to install using a special user account that doesn't have admin access? Is the SYSTEM user or the TrustedInstaller user subject to SRP, now? And if so, why only definition updates and not other updates?

    --

    Thursday, August 18, 2016 3:48 PM

Answers

  • Got it!

    Windows 10's Windows Defender puts DLLs in a folder in %allusersprofile%, which on 10 is c:\ProgramData\Microsoft\Windows Defender. This is different from 8 and 8.1, which had definition updates operate out of a Program Files folder.

    Adding an Unrestricted Path rule to SRP that covers C:\ProgramData\Microsoft\Windows Defender solves this problem, letting DLLs used by the definition updater mpsigstub.exe load and run. While I don't like adding path exceptions for anything in ProgramData or %allusersprofile% (after all, it's for program data, not programs), this one isn't as bad because the folder in question has no permissions enabled for admins or non-admins alike.

    Enabling log tracing for SRP didn't work because it didn't list DLLs as Unrestricted or Disallowed; only EXE and other listed file types. I had to use Process Monitor to find out where mpsigstub.exe and am_delta.exe were looking.

    This might help with other security applications that interfere with Windows Defender's definition updates as well. Adding an exception for this ProgramData folder might work.

    While not an ideal answer, this is an acceptable one because of the additional security ACLs put on the affected folder.

    • Marked as answer by Gordon Fecyk Friday, August 19, 2016 8:59 PM
    Friday, August 19, 2016 8:59 PM
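The following script is an added example, not code from the thread or from Microsoft. It audits the machine-level SRP configuration the question walks through (default level, DLL enforcement, admin exemption) and then checks the answer's fix from a defender's point of view: which path rule actually governs the Windows Defender ProgramData folder, and whether that folder is writable by broad non-admin groups, since an Unrestricted rule on a user-writable folder would give a way around the Disallowed default. The registry value names and meanings (`DefaultLevel`, `TransparentEnabled`, `PolicyScope`, `AuthenticodeEnabled`, path rules under `<level>\Paths\{GUID}` with `ItemData`) follow documented SRP behaviour; the function names and the assumption that the policy lives under HKLM (Computer Configuration) are mine.

```powershell
# Added example (not from the thread). Audits the local-machine Software Restriction Policy
# described in the question and checks the answer's Windows Defender folder exception.
# Registry layout and value meanings are taken from documented SRP behaviour; run elevated.

$saferKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$defenderData = Join-Path $env:ProgramData 'Microsoft\Windows Defender'   # the answer's folder
$levelNames   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSettings {
    # Enforcement settings as written by gpedit under Computer Configuration (HKLM branch).
    if (-not (Test-Path $saferKey)) { return $null }
    $ci = Get-ItemProperty -Path $saferKey
    $default = if ($null -ne $ci.DefaultLevel) { $levelNames[[int]$ci.DefaultLevel] } else { 'Unrestricted (value absent)' }
    [pscustomobject]@{
        DefaultLevel       = $default
        AppliesToDlls      = ([int]$ci.TransparentEnabled -eq 2)   # 1 = skip libraries, 2 = all software files
        SkipsLocalAdmins   = ([int]$ci.PolicyScope -eq 1)          # 1 = all users except local administrators
        CertificateRulesOn = ([int]$ci.AuthenticodeEnabled -eq 1)
    }
}

function Get-SrpPathRules {
    # Path rules live under <level>\Paths\{GUID}; the path itself is in the ItemData value.
    Get-ChildItem -Path $saferKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+$' } |
        ForEach-Object {
            $levelName = $levelNames[[int]$_.PSChildName]
            $pathsKey  = "$($_.PSPath)\Paths"
            if (Test-Path $pathsKey) {
                Get-ChildItem -Path $pathsKey | ForEach-Object {
                    $item = Get-ItemProperty -Path $_.PSPath
                    if ($item.ItemData) {
                        [pscustomobject]@{
                            Level = $levelName
                            # %ProgramFiles%-style variables are expanded; registry-path rules such as
                            # %HKEY_LOCAL_MACHINE\...\SystemRoot% are left as-is and will not match below.
                            Path  = [Environment]::ExpandEnvironmentVariables([string]$item.ItemData).TrimEnd('\')
                        }
                    }
                }
            }
        }
}

function Resolve-SrpPathRule {
    # SRP precedence for path rules: the most specific (longest) matching path wins.
    param([object[]]$Rules, [string]$Target)
    $t = $Target.TrimEnd('\')
    $Rules |
        Where-Object { $t.StartsWith($_.Path, [StringComparison]::OrdinalIgnoreCase) -and
                       ($t.Length -eq $_.Path.Length -or $t[$_.Path.Length] -eq '\') } |
        Sort-Object { $_.Path.Length } -Descending |
        Select-Object -First 1
}

function Get-NonAdminWriteAccess {
    # Allow ACEs that let broad principals create or append files: the WriteData/AppendData
    # bits, or the generic write/all bits (0x40000000 / 0x10000000) seen on some inherited ACEs.
    param([string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder)) { return @() }
    $broad     = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    $writeMask = 2 -bor 4 -bor 0x40000000 -bor 0x10000000
    (Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value -and
                       (([int]$_.FileSystemRights -band $writeMask) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value }
}

$settings = Get-SrpSettings
if ($null -eq $settings) { Write-Warning "No machine SRP policy under $saferKey"; return }
$settings | Format-List

$rule = Resolve-SrpPathRule -Rules (Get-SrpPathRules) -Target $defenderData
if ($null -eq $rule) {
    "No path rule covers $defenderData; the default level ($($settings.DefaultLevel)) applies to the DLLs mpsigstub.exe loads there."
} else {
    "$defenderData is governed by the $($rule.Level) rule for $($rule.Path)"
}

$writers = @(Get-NonAdminWriteAccess -Folder $defenderData)
if ($writers.Count -gt 0) {
    Write-Warning "Broad principals can write to $defenderData ($($writers -join ', ')); an Unrestricted rule there would let them run code past SRP."
} else {
    "No broad write access on $defenderData; an Unrestricted rule there carries the limited risk the answer describes."
}
```

Run it before and after adding the answer's path rule: the first run should report the Disallowed default governing the folder (the cause of 0x80070643), the second should show the Unrestricted rule winning by specificity. The ACL check is the part worth keeping around, because the answer's justification for the exception rests entirely on that folder not being writable by ordinary users.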

All replies

  • Hi,

    Please refer to this link for assistance. I advise you to manually download the latest updates and install them.

    Updating your Microsoft antimalware and antispyware software

    https://www.microsoft.com/security/portal/definitions/adl.aspx?wa=wsignin1.0

    In addition, try to use DISM /Online /Cleanup-image /Restorehealth command to repair system image.

    I searched online for a long time; there is a user who also uses SRP and doesn't run into the Windows Defender definition update issue, which you can check. Update your system to the latest version and test again.

    http://www.tenforums.com/antivirus-firewalls-system-security/4747-windows-10041-cannot-update-windows-defender.html

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 19, 2016 6:21 AM
    Moderator
  • Like in the other cases where users are running into this particular error when applying definition updates, applying manual updates will work. This doesn't fix the original problem, where Software Restriction Policy impacts definition updates.

    This defeats the purpose of automatic updates. Would you like me to write a script that schedules a download and installation of the mpam-fe full update as well? Isn't this what Windows Update and WSUS are for?

    Warning: If another moderator flags Teemo's response as an answer, I will flag said moderator as abusive as well. I'm tired of these definition update non-answers being validated as answers.


    Friday, August 19, 2016 7:59 PM
  • I got the same issue too. Thanks for your solution.

    Thank you, Khalid

    Saturday, December 3, 2016 1:06 AM