Automatically install Defender definitions on Server 2016 not working

  • Question

  • We have an auto approval rule for definition updates plus the GPO to automatically install updates that don't interrupt running services or require rebooting applied to our clients including servers.

    The servers are getting the updates but the definitions queue up waiting to be manually installed on these servers.

    What else do we need to do to make these updates install automatically?

    Tuesday, June 5, 2018 12:40 AM

All replies

  • Hi Kalimanne,

    Thanks for your information. In order to avoid any misunderstanding, please kindly confirm the details below:

    1. Could you please advise whether only definition updates need to be installed manually, and the other updates could be automatically installed?
    2. Could you please provide the details of your auto approval rule and GPO setting? It would be very helpful if you could send screenshots of those settings.

    Moreover, we could also use "gpresult /r" in a command prompt (administrator) to double-check our GPO setting. Please kindly refer to this link for more about "gpresult":

    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult

    Look forward to receiving your reply with thanks.

    Best Regards

    Tina Cao

    ==================================

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 6, 2018 6:28 AM
  • We want to manually install updates on these servers *EXCEPT* Defender definition updates.

    We need the definition updates to install automatically as soon as they are detected.

    Wednesday, June 6, 2018 6:56 PM
  • Hi Kalimanne,

     

    Thanks for your screenshots.

    You selected "3. Auto download and notify for install" in your Configure Automatic Updates properties. With this setting, we receive notification of updates and need to install them manually, as you mentioned.

    Please try to select "4. Auto download and schedule for install", and then we could set a schedule to install the updates automatically during a maintenance time.

    BTW, based on my experience, the GPO setting applies to all updates. So it is hard for WSUS to install only definition updates automatically and install other updates manually.

     

    Hope above information helps.

     

    Best Regards

    Tina Cao

    Thursday, June 7, 2018 6:59 AM
  • These updates are for servers that we cannot have automatically reboot every day or every week.  We schedule maintenance windows weeks in advance.

    We only want the definition updates to install automatically so that we have control over server restarts.

    Thursday, June 7, 2018 1:03 PM
  • We may need to get rid of Windows Defender if it can't update its definitions independently of other Windows updates. It isn't very useful if the definitions are not up to date, and this update process seems poorly designed.

    We have third-party antivirus available, but the Get-WindowsUpdateLog command fails with errors if the Windows Defender feature isn't installed on Server 2016.

    How can we access Windows Update logs without installing Windows Defender?

    Thursday, June 7, 2018 2:15 PM
  • This page says this about option 3.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016

    3 Download updates but let me choose whether to install them. This value allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed.

    Why is this not working?

    Friday, June 8, 2018 12:39 AM
  • Hi Kalimanne,

    Further to our discussion, according to the explanation below, option 3 as you mentioned is related to the AUOptions registry key.

    Please kindly double-check whether the AUOptions registry key is 3 on your server. You could check by running "regedit" in cmd; see the image below for your reference.

    BTW, we will try to repro this issue in our lab environment and it will take some time. We will keep you posted.
    Hope the above information helps.

    Best Regards
    Tina Cao

    Friday, June 8, 2018 9:34 AM
  • We are still having this issue.

    There is a policy available called "Allow Automatic Updates Immediate Installation" that does what I want.

    It's supposed to automatically install updates that don't require stopping services or restarting the computer.

    Definition updates fit this.

    I configured it, but it still doesn't automatically install definition updates for us on Server 2016.

    The Windows Defender definition update shown above should have installed automatically based on this setting.

    The registry screen shot below shows that the policy is applied.

    Tuesday, August 14, 2018 7:01 PM
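
The registry checks discussed in the posts above (AUOptions and the "Allow Automatic Updates Immediate Installation" policy) can be read in one pass together with the Defender definition age. This is an added example, not code from the thread or from Microsoft; the value names other than AUOptions are the standard Windows Update policy names, and the one-day staleness threshold is a constructed assumption.

```powershell
# Added example: read-only report of the effective Windows Update policy
# and Defender definition freshness on the local server.
$MaxAgeDays = 1   # constructed threshold for "stale" definitions (assumption)
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Meaning of the AUOptions policy value ("Configure Automatic Updates").
$auMeaning = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule for install'
    5 = 'Allow local admin to choose setting'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$auOptions = Get-PolicyValue $auKey 'AUOptions'
$report = [ordered]@{
    WUServer                = Get-PolicyValue $wuKey 'WUServer'
    UseWUServer             = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate            = Get-PolicyValue $auKey 'NoAutoUpdate'
    AUOptions               = $auOptions
    AUOptionsMeaning        = if ($null -ne $auOptions) { $auMeaning[[int]$auOptions] }
                              else { 'Not configured by policy' }
    # 1 = "Allow Automatic Updates immediate installation" is enabled.
    AutoInstallMinorUpdates = Get-PolicyValue $auKey 'AutoInstallMinorUpdates'
}

# Defender cmdlets exist only when the Windows Defender feature is installed.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    $report.SignatureVersion     = $mp.AntivirusSignatureVersion
    $report.SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
    $report.SignatureAgeDays     = $mp.AntivirusSignatureAge
    $report.DefinitionsStale     = $mp.AntivirusSignatureAge -gt $MaxAgeDays
}
[pscustomobject]$report
```

Running it across the affected servers and comparing the output with `gpresult /r` shows whether the policy values actually reached the machine and how far behind the definitions are.
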
  • One possible way to handle this situation is to only approve the Defender definitions every day to install and only approve the rest of the updates on the day you want them to install.

    Wednesday, August 15, 2018 9:18 PM

  • BTW, we will try to repro this issue in our lab environment and it will take some time. We will keep you posted.

    Any update on this?
    Wednesday, October 31, 2018 7:02 AM
  • It's 2019, and I'm seeing something very similar on our servers.

    Any updates?

    Friday, February 15, 2019 10:21 AM
  • We have this issue on our servers also, 2016 and 2019.
    Thursday, August 8, 2019 9:16 PM
  • Same issue on our servers: 2012 R2, 2016 and 2019.

    Any updates?

    Tuesday, September 3, 2019 2:18 PM
  • Any update yet?
    Wednesday, October 9, 2019 2:47 AM
  • I also tried to schedule the PowerShell command

    Update-MpSignature

    but the problem persists.

    • Edited by Ced-Chiavari Tuesday, December 17, 2019 11:57 AM
    Tuesday, December 17, 2019 11:56 AM
  • We have this problem on one domain that I manage but not on the other one.  I haven't been able to find a solution so far but it's annoying that every time I log into a server on the second domain I get prompted with the stupid Updates prompt.  And since Microsoft got rid of the No/Cancel button 2016, I have to view the stupid update screen and close it every time.

    Did anyone even find a fix?

    Monday, March 9, 2020 4:45 PM