Windows Server 2016 Essentials - Old Defender definition update keeps installing

  • Question

  • Hello,


    Have a Windows Server 2016 Essentials box that keeps downloading an old Defender definition update, but thankfully installs the current update afterwards. From event logs for WindowsUpdateClient:


    • 4/15/2020 4:18:16 PM Installation Started: Windows has started installing the following update: Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.311.144.0)
    • 4/15/2020 4:18:21 PM Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.311.144.0)
    • 4/15/2020 4:18:28 PM Installation Started: Windows has started installing the following update: Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.313.1607.0)
    • 4/15/2020 4:18:28 PM Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.313.1607.0)
    • 4/15/2020 4:18:55 PM Installation Started: Windows has started installing the following update: Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.311.144.0)
    • 4/15/2020 4:19:00 PM Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.311.144.0)
    • 4/15/2020 4:23:44 PM Installation Started: Windows has started installing the following update: Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.313.1607.0)
    • 4/15/2020 4:23:44 PM Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.313.1607.0)


    And so on and so on. It's always 1.311.144.0 that's installed prior to whatever the current one is. Been going on for weeks. Other than PowerChute Business Edition for UPS management I don't have anything installed on here, and PowerChute was installed when this server was deployed a few years ago.


    Appreciate any ideas on this. Would be thankful to have the emailed health reports stop telling me updates are missing when they're not.


    Regards,

    Aaron


    • Edited by Aaron Hulett Wednesday, April 15, 2020 11:51 PM
    Wednesday, April 15, 2020 11:22 PM
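
One way to spot this loop from the event log, as an added example that is not part of the original post: the function flags every successful KB2267602 install whose version is lower than one already installed. The sample lines are constructed from the events quoted above; the function name and the event ID 19 filter in the closing comment are assumptions.

```powershell
# Constructed sample: the "Installation Successful" messages quoted in the post, oldest first.
$prefix = 'Installation Successful: Windows successfully installed the following update: ' +
          'Security Intelligence Update for Windows Defender Antivirus - KB2267602 '
$sample = @(
    $prefix + '(Version 1.311.144.0)'
    $prefix + '(Version 1.313.1607.0)'
    $prefix + '(Version 1.311.144.0)'
    $prefix + '(Version 1.313.1607.0)'
)

function Find-DefinitionRollback {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Message)

    $highest  = $null
    $position = 0
    foreach ($line in $Message) {
        $position++
        # Only successful KB2267602 installs carry a version worth comparing.
        if ($line -match 'Installation Successful.*KB2267602 \(Version (?<v>\d+(\.\d+){3})\)') {
            # [version] compares each field numerically, so 1.313.99.0 sorts below 1.313.1607.0.
            $installed = [version]$Matches['v']
            if ($null -ne $highest -and $installed -lt $highest) {
                # An older definition set was installed after a newer one.
                [pscustomobject]@{
                    Position    = $position
                    Installed   = $installed
                    HighestSeen = $highest
                }
            }
            elseif ($null -eq $highest -or $installed -gt $highest) {
                $highest = $installed
            }
        }
    }
}

Find-DefinitionRollback -Message $sample

# Live data (assumption: successful installs are event ID 19 from the
# Microsoft-Windows-WindowsUpdateClient provider in the System log):
# $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'; Id = 19 }
# $msgs   = Get-WinEvent -FilterHashtable $filter | Sort-Object TimeCreated | ForEach-Object Message
# Find-DefinitionRollback -Message $msgs
# (Get-MpComputerStatus).AntivirusSignatureVersion   # the definition set Defender is actually using
```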

Answers

  • To close on this, as much as I'd like to explain things, as a Microsoft alumni I leave it for Microsoft to determine if it wants to disclose the details on what happened. The issue resolved after a recent definition update is as much detail as I'll give - updates are no longer looping, and health reports are accordingly showing things are up to date.

    Regards,

    Aaron


    • Marked as answer by Aaron Hulett Saturday, August 1, 2020 12:01 AM
    • Edited by Aaron Hulett Saturday, August 1, 2020 12:02 AM Explain that updates are no longer looping as described in the original issue post.
    Saturday, August 1, 2020 12:01 AM

All replies

  • Hi,
    1. "And so on and so on. It's always 1.311.144.0 that's installed prior to whatever the current one is."
    What's the current version of Windows Defender? Is it version 1.311.144.0 or version 1.313.1607.0?
    From your description, the Defender definition update cannot upgrade from version 1.311.144.0 to version 1.313.1607.0, is that true?
    2. Have you installed the other latest update for your WSE2016?
    (Note: Starting on Monday October 21, 2019, the Security intelligence update packages will be SHA2 signed. Please make sure you have the necessary update installed to support SHA2 signing.)

    3. Can we run the commands below in Command Prompt (open as admin), then check if they can find and solve the system file issue?
    0). Open Command Prompt as Admin on the affected WSE2016.
    1). Enter:
    sfc /scannow
    dism /online /cleanup-image /scanhealth
    dism /online /cleanup-image /restorehealth
    and wait for it to finish fixing the manifest and system files, then go to step 2.
    2). Now type the following commands to stop Windows Update Services and then hit Enter after each one:
    net stop wuauserv
    net stop cryptSvc
    net stop bits
    net stop msiserver
    3). Next, type the following commands to rename the SoftwareDistribution folder and then hit Enter:
    ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
    ren C:\Windows\System32\catroot2 catroot2.old
    4). Finally, type the following commands to start Windows Update Services and hit Enter after each one:
    net start wuauserv
    net start cryptSvc
    net start bits
    net start msiserver
    5). Reboot your server to save changes.


    4. If the problem persists, can we download and install manual updates from here:

    https://www.microsoft.com/en-us/security/portal/definitions/adl.aspx



    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.




    Thursday, April 16, 2020 5:53 AM
  • Hi Andy,

    Thanks for following up and providing some steps to try. Let me go through each of them:

    --- 1 ---
    No, that's not true.

    Current version info:

    Antimalware Client Version: 4.18.2003.8
    Engine Version: 1.1.16900.4
    Antivirus definition: 1.313.1758.0
    Antispyware definition: 1.313.1758.0
    Network Inspection System Engine Version: 1.1.16900.4
    Network Inspection System Definition Version: 1.313.1758.0


    Windows Update is standing by to install 1.311.144.0. When it does install, the update will install successfully, and then Windows Update will immediately check for updates again, find the *current* definition update and install it successfully. At this point Windows Update shows the system is up to date. When the system checks for updates again, whether manually or waiting for the box to do it on its own, it'll again say it needs to install 1.311.144.0, and this experience repeats. Thankfully, Defender keeps and uses the latest definition set; it's only during the updating that 1.311.144.0 gets installed for about 20 seconds or so.

    --- 2 ---
    The system is fully updated.

    --- 3.1 ---
    System File Checker found some corrupt files but could not repair.

    Could not reproject corrupted file \??\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreatCatalog.cdxml; source file in store is also corrupted
    Could not reproject corrupted file \??\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1; source file in store is also corrupted
    Could not reproject corrupted file \??\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpWDOScan.cdxml; source file in store is also corrupted
    Could not reproject corrupted file \??\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml; source file in store is also corrupted
    Could not reproject corrupted file \??\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml; source file in store is also corrupted
    Could not reproject corrupted file \??\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpComputerStatus.cdxml; source file in store is also corrupted
    Could not reproject corrupted file \??\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml; source file in store is also corrupted
    Could not reproject corrupted file \??\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreatDetection.cdxml; source file in store is also corrupted
    Could not reproject corrupted file \??\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml; source file in store is also corrupted

    Cannot repair member file [l:26]'MSFT_MpThreatCatalog.cdxml' of Windows-Defender-Management-Powershell, version 10.0.14393.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch


    Deployment Image Servicing and Management /scanhealth reports "The component store is repairable."

    DISM /restorehealth could not find source files (0x800f081f).

    --- 3.2/3.3/3.4 ---
    I can't take the box down until later tonight, but I'll go through these steps and update once completed.

    Thank you again, let me know if there's anything else I should try, and again, I'll roll through clearing the software distribution folder later this evening.

    Regards,

    Aaron

    • Edited by Aaron Hulett Friday, April 17, 2020 11:44 PM
    Friday, April 17, 2020 8:13 PM
  • Completed the last set of steps. Same scenario - Windows Update offers the older definition version and installs it, and then immediately finds the current one and installs it, at that point claiming things are up to date. If WU checks again for updates, the older definition update is listed as available, and the issue repeats.

    • Edited by Aaron Hulett Friday, April 17, 2020 11:44 PM
    Friday, April 17, 2020 11:39 PM
  • Hi,

    There are 2 documents for your reference.

    How to fix Error Code 0x800F081F while installing Microsoft .NET Framework 3.5 on Windows?
    https://ugetfix.com/ask/how-to-fix-error-code-0x800f081f-while-installing-microsoft-net-framework-3-5-on-windows/
    FIX: Windows Defender Feature Installation Failed–Source files could not be found in Server 2016 (Solved)
    https://www.wintips.org/fix-windows-defender-feature-installation-failed-source-files-could-not-be-found-in-server-2016/


    Best Regards
    Andy YOU

    Tuesday, April 21, 2020 2:47 PM
  • I have absolutely the same problem and have done all the steps that you are describing there by myself. They didn't help.

    Best Regards

    Sven-André Peters

    Wednesday, April 22, 2020 1:07 PM
  • Have absolutely the same problem. Do you have a solution? Have done so many things. I don't know any further.

    Regards,

    Sven-André Peters

    Wednesday, April 22, 2020 1:09 PM
  • I think where you were headed, based on those two links, was for me to get the box in a place where I could complete the repair.

    I pulled the install.wim from the install media, updated it with the latest servicing stack update and cumulative update so it'd have parity with what's installed on the box, and then used system file checker and DISM to make those repairs, which completed successfully. SFC and DISM both show no more issues:

    • C:\Windows\system32>sfc /scannow

      Beginning system scan.  This process will take some time.

      Beginning verification phase of system scan.
      Verification 100% complete.

      Windows Resource Protection did not find any integrity violations.
    • C:\Windows\system32>dism /online /cleanup-image /scanhealth

      Deployment Image Servicing and Management tool
      Version: 10.0.14393.3241

      Image Version: 10.0.14393.3241

      [==========================100.0%==========================] No component store corruption detected.
      The operation completed successfully.

    After rebooting a few times and running those checks several more times to ensure nothing new was found, I then reset Windows Update components again using the steps you provided earlier.

    Unfortunately the issue is still occurring, as I'm continuing to get offered and having definition version 1.311.144.0 install, followed by the current one.

    So for fun (and because I have the updated WIM now), rebooted, disabled Windows Defender via Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet, rebooted, and then ran Windows Update to see if I was offered the old, or any, definition update (I was not). Then I installed Windows Defender via the updated WIM with Dism /Online /Enable-Feature /FeatureName:Windows-Defender /all /source:WIM:C:\install.wim:1 /LimitAccess, and I'm still seeing this issue.

    What else can I check/try?

    Regards,

    Aaron

    Sunday, April 26, 2020 6:37 AM
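
The offline-servicing and repair sequence described in the post above, as an added example that is not part of the original post. The WIM path and image index 1 come from the command quoted in the post; C:\mount and the two .msu file names are placeholders for the servicing stack update and cumulative update that match the installed build.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'          # make cmdlet failures reach the catch block

$wim      = 'C:\install.wim'             # copied from the install media, as in the post
$index    = 1                            # image index used in the post's /source argument
$mount    = 'C:\mount'                   # placeholder mount directory
$packages = @(
    'C:\updates\servicing-stack.msu'     # placeholder: servicing stack update goes in first
    'C:\updates\cumulative.msu'          # placeholder: cumulative update matching the box
)

# A WIM copied from read-only media keeps the read-only attribute and cannot be saved.
Set-ItemProperty -Path $wim -Name IsReadOnly -Value $false
New-Item -ItemType Directory -Path $mount -Force | Out-Null

Mount-WindowsImage -ImagePath $wim -Index $index -Path $mount
try {
    foreach ($package in $packages) {
        Add-WindowsPackage -Path $mount -PackagePath $package
    }
    Dismount-WindowsImage -Path $mount -Save
}
catch {
    # Never leave a half-serviced image mounted; drop the changes and surface the error.
    Dismount-WindowsImage -Path $mount -Discard
    throw
}

# Repair the running component store from the updated image only (no Windows Update),
# then let System File Checker re-project the repaired files.
Repair-WindowsImage -Online -RestoreHealth -Source "wim:${wim}:$index" -LimitAccess
sfc /scannow
```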
  • Any additional things to try here?
    Monday, May 4, 2020 8:37 PM
  • Checking in - it's challenging having the daily server email report say updates missing when it's this issue. Any additional info I can provide to help research this?
    Friday, May 8, 2020 8:21 PM
  • Still looking to resolve this and would appreciate any update. Is someone looking at this / will follow up?
    Thursday, May 14, 2020 8:25 PM
  • Hi Aaron,

    No solution unfortunately - just adding to observations.

    I am experiencing the same issue on one node of a 2016 S2D Cluster (4 nodes in total). It's been happening for the past couple of days. 

    Windows successfully installed the following update: Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.311.144.0)

    Followed by 

    Installation Started: Windows has started installing the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.315.681.0)

    Around and around installing an old definition and then the latest definition. Updates are coming directly from Microsoft for these nodes (and not via WSUS/SCCM deployment etc).

    One thing I noticed is that the older definition is "Windows Defender" where the new definition is "Microsoft Defender".

    Bit of a concern as it had put that node into a constant loop within the Cluster Aware Updating cycle (Scanning for updates, Downloading updates, Installing updates) - which means it is out of action for hosting the hundreds of VMs relying on it. After cancelling the cluster aware update run, the constant install loop seems to have stopped and Defender is reporting the latest definitions. Update history is blank. If I run a manual update it then downloads the old definition again and the loop begins again (installs old version 3 times and new version 2x). The last version reported in the event logs is the old version, however Defender shows the new version.

    Not sure that helps - but you are not alone.

    Cheers

    Friday, May 15, 2020 1:01 AM
  • Thx.

    For fun, Andrew and Sven-André, do you have APC UPS on these with PowerChute Business Edition installed? It's the *only* non-out-of-box component I really have on this particular server.

    Regards,

    //Aaron

    Friday, May 15, 2020 4:13 AM
  • Hi Aaron,

    No - there is no APC software installed (and never has been in this environment).

    Cheers

    Sunday, May 17, 2020 10:59 PM
  • @Andrew - Thanks for the info. Not sure what else to think here, then.

    @Andy [MSFT] - Is this thread still active on your end? Will you/team be getting back to us?

    Wednesday, May 20, 2020 8:28 PM
  • Any update?
    Wednesday, May 27, 2020 5:51 AM
  • Windows Update offers the old update alongside the current one now. Screen capture:

    Thursday, May 28, 2020 6:56 PM
  • Hi,

    Try to clear the current cache and trigger an update, use a batch script that runs the following commands as an administrator:
    cd %ProgramFiles%\Windows Defender
    MpCmdRun.exe -removedefinitions -dynamicsignatures
    MpCmdRun.exe -SignatureUpdate

    Best Regards,
    Eve Wang
            


    Friday, May 29, 2020 8:24 AM
  • Hi,
    5. I agree with Eve Wang. There is the same thread:
    Server 2016, Defender Update KB2267602 install loop
    https://community.spiceworks.com/topic/2245792-server-2016-defender-update-kb2267602-install-loop

    Please note: The given technical support contact information belongs to a third party and may vary without notice. Microsoft does not guarantee the information accuracy.

     

    6. If the problem persists, I think we can try to download and run wushowhide to hide KB2267602, because your issue is "Old Defender definition update keeps installing meanwhile new Defender definition can update fine".

    https://support.microsoft.com/en-us/help/3183922/how-to-temporarily-prevent-a-windows-update-from-reinstalling-in-windo



    Best Regards
    Andy YOU



    Friday, May 29, 2020 2:04 PM