Windows Defender Updates failing

    Question

  • Hi

    In the last few days, Defender Definition Updates are repeatedly failing on several servers - Server 2008R2/SBS 2011

    Windows Defender

    Event Details:   

    Windows Defender has encountered an error trying to update the engine. New Engine Version:1.1.14600.4 Previous Engine Version:1.1.14500.5 Update Source:User User:NT AUTHORITY\SYSTEM Error Code:0x8050a005 Error description:The program can''t find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support.

    Windows Defender

    2001

    3/6/2018 2:30:35 AM

    25

    Event Details:   

    Windows Defender has encountered an error trying to update signatures. New Signature Version:1.263.48.0 Previous Signature Version:1.261.1644.0 Update Source:User Signature Type:AntiSpyware Update Type:Full User:NT AUTHORITY\SYSTEM Current Engine Version:1.1.14600.4 Previous Engine Version:1.1.14500.5 Error code:0x8050a005 Error description:The program can''t find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support.

    I have tried Update from Microsoft Update, rather than WSUS, and it still fails with the same issues.

    I have tried the manual update process from https://www.microsoft.com/en-us/wdsi/definitions but that fails in the same way.

    Help, please!

    Thanks

    Jim

    Tuesday, March 6, 2018 9:06 AM

All replies

  • MpSigStub.log

    Start time: 2018-03-06 08:52:57Z
    Process: 446c.1d3b52886245be0
    Command: /stub 1.1.14500.5 /payload 1.263.48.0 /program C:\Windows\SoftwareDistribution\Download\Install\mpas-fe.exe WD /q
    Administrator: yes
    Version: 1.1.14500.5

    ================================ ProductSearch =================================

                   Microsoft Windows Defender (Windows 7):                         
           Status: Active                                                          
      ProductGUID: 925A3ACA-C353-458A-AC8D-A7E5EB378092                            
           Engine: dfab6afec3e9fbc2d5634eb130c2df6dc79e9c26dac62c2c56f5ddd8f549aa29  1.1.14500.5   
      AS base VDM: 3ea71bd47295b2882e0e4fc2a4caff68ecb7fd221099078cc6d6d6fce2dfd31a  1.261.0.0     
      AV base VDM:
     AS delta VDM: d3fcf4df7f40346fed0c41086cc39a2f85b1a00416368ead757495d76594b0d7  1.261.1644.0  
     AV delta VDM:
         Platform: 57b3ffaece3df5e22b6764a95d2b8523aa02cccb4bd0779025c11d02eebf4b1e  6.1.7601.18170

    =============================== PackageDiscovery ===============================

     Package files discovered:
                    Directory: E:\TEMP\{B131F659-2A3F-4EF4-B83A-D35E1E377303}                  
                 mpasbase.vdm: a7109d65f26c0efb301d2f894c4862e6bf109f0fb389d70913a47fd780e1db0b  1.263.0.0  
                 mpasdlta.vdm: f8fba537d923344e2353d46b3482237d6e87e7e4b07f35f77731879e7b97915a  1.263.48.0
                 mpengine.dll: c2cf669da9305da3cc83d3ec269595d69df584836874e7a2c52aeef877291c87  1.1.14600.4
                MPSigStub.exe: 0bb339c22fb53e6bc8f8475590d8549f5432f45cf61337db15d0d2ff552324bb  1.1.14500.5
                   AS FE:      
           Engine: 1.1.14600.4
      AS base VDM: 1.263.0.0   
      AV base VDM: Not included
     AS delta VDM: 1.263.48.0  
     AV delta VDM: Not included

    ==================================== Update ====================================

     Product name: Microsoft Windows Defender (Windows 7)
     Package files:
         Directory: E:\TEMP\{B131F659-2A3F-4EF4-B83A-D35E1E377303}                  
      mpasbase.vdm: a7109d65f26c0efb301d2f894c4862e6bf109f0fb389d70913a47fd780e1db0b  1.263.0.0  
      mpasdlta.vdm: f8fba537d923344e2353d46b3482237d6e87e7e4b07f35f77731879e7b97915a  1.263.48.0
      mpengine.dll: c2cf669da9305da3cc83d3ec269595d69df584836874e7a2c52aeef877291c87  1.1.14600.4
     MPSigStub.exe: 0bb339c22fb53e6bc8f8475590d8549f5432f45cf61337db15d0d2ff552324bb  1.1.14500.5
    ERROR 0x8050a005 : MpUpdateEngine(E:\TEMP\{B131F659-2A3F-4EF4-B83A-D35E1E377303})
    ERROR 0x8050a005 : Failed to update signatures from E:\TEMP\{B131F659-2A3F-4EF4-B83A-D35E1E377303}

    ================================ ValidateUpdate ================================

    mpengine.dll version in package is 1.1.14600.4, but after update machine has older version 1.1.14500.5
    mpasbase.vdm version in package is 1.263.0.0, but after update machine has older version 1.261.0.0
    mpasdlta.vdm version in package is 1.263.48.0, but after update machine has older version 1.261.1644.0
    ERROR 0x8050a005 : One or more of the packages found failed to update for Microsoft Windows Defender (Windows 7).
    ERROR 0x8050a005 : One or more of the products found failed to update; returning this error

                             Watson Report:                          Position:
                    HRESULT: 0x8050a005                              P1       
             FailedFunction: ValidateUpdate                          P2       
                  Operation: N/A                                     P3       
     SourceComponentVersion: 1.1.14500.5                             P4       
        SourceComponentName: mpsigstub.exe                           P5       
             ProductVersion: 6.1.7601.18170                          P6       
                ProductName: Microsoft Windows Defender (Windows 7)  P7       

    ERROR 0x8050a005 : MpSigStubMain
    End time: 2018-03-06 08:53:01Z
    --------------------------------------------------------------------------------

    Tuesday, March 6, 2018 9:23 AM
  • Delete SoftwareDistribution folder and re-check for updates from Microsoft Update still fails with same error code.

    Please advise

    Tuesday, March 6, 2018 2:58 PM
  • Thanks, Dave

    It seems more than a little unlikely to me that several SBS2011 servers on different sites all suddenly have SFC or other system issues.  However, I will do what you suggest on one and see if it makes a difference.

    Jim

    Tuesday, March 6, 2018 3:08 PM
  • SFC /scannow and Checksur are both clean...........
    Tuesday, March 6, 2018 3:46 PM
  • It doesn't look much like an issue unique to SBS to me.  These are not Essentials edition anyway.

    Another post seems to think that the Defender update arrived with an SQL security patch that was loaded. I don't know if that is possible or likely.

    Jim

    Tuesday, March 6, 2018 3:52 PM
  • Bump!
    Wednesday, March 7, 2018 7:04 AM
  • I am seeing something very similar on SBS 2011.

    KB915597 (1.263.176.0 and 1.263.48.0) have been failing since 2nd March. Most recent successful updates were:

    * Security Update for SQL Server 2008 SP4 (KB4057114)

    * Security Update for SQL Server 2008 R2 SP3 (KB4057113)

    Any ideas?

    Event ID 20 in Event Viewer:

    Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.263.176.0).

    • Edited by Bollard Wednesday, March 7, 2018 12:49 PM
    Wednesday, March 7, 2018 12:37 PM
  • I am seeing something very similar on SBS 2011.

    KB915597 (1.263.176.0 and 1.263.48.0) have been failing since 2nd March. Most recent successful updates were:

    * Security Update for SQL Server 2008 SP4 (KB4057114)

    * Security Update for SQL Server 2008 R2 SP3 (KB4057113)

    Any ideas?

    Event ID 20 in Event Viewer:

    Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.263.176.0).

    Same problem here on an SBS2011 machine, all updates (server and clients) deployed via WSUS per default (haven't changed anything ever since initial system setup).

    Windows Defender command line (mpcmdrun -signatureupdate): fails with hr=8050A005
    Update via Windows Update: fails with 8050A005
    Manual download from https://www.microsoft.com/en-us/wdsi/definitions: both mpam-fe.exe and mpas-fe.exe start up (as seen in task manager), do essentially nothing (apart from an hourglass cursor for 2-3 seconds) and then the process ends after ~10 seconds

    The failing Windows Update is KB915597, Definition 1.263.176.0, which appears to be quite old, given that there's already a February update with Definition Version 1.263.265.0, according to aforementioned link.

    What's wrong here?


    • Edited by NRFoFi Wednesday, March 7, 2018 2:05 PM grammar
    Wednesday, March 7, 2018 2:05 PM
  • I see a slightly different error with mpcmdrun:

    C:\Program Files\Windows Defender>mpcmdrun -signatureupdate
    Signature update started . . .
    ERROR: Signature Update failed with hr=80070643


                                                                                  
    Wednesday, March 7, 2018 3:42 PM
  • I see a slightly different error with mpcmdrun:

    C:\Program Files\Windows Defender>mpcmdrun -signatureupdate
    Signature update started . . .
    ERROR: Signature Update failed with hr=80070643


                                                                                  
    I get the same as this
    Wednesday, March 7, 2018 3:50 PM
  • I'm also getting the same (SBS2011). No amount of trying so far with manual update has sorted this. I have the SQL update waiting so I don't think that was the cause for me. The Defender update first failed on the 02/03/2018 here. Other updates have installed successfully since. Not sure what to do now!

    Regards,

    John.

    Thursday, March 8, 2018 8:34 AM
  • Hello Microsoft!

    Is someone going to help with this one, please?

    Thanks

    Thursday, March 8, 2018 8:40 AM
  • For me, the previous successful Defender update was

    Definition Update for Windows Defender - KB915597 (Definition 1.261.1644.0)

    Problems then started with:

    Definition Update for Windows Defender - KB915597 (Definition 1.263.48.0)

    Was there some large change in the bump from 1.261.* to 1.263.*...? Anyone from Microsoft able to shed some light?


    • Edited by Bollard Thursday, March 8, 2018 8:57 AM
    Thursday, March 8, 2018 8:55 AM
  • For me, the previous successful Defender update was

    Definition Update for Windows Defender - KB915597 (Definition 1.261.1644.0)

    Problems then started with:

    Definition Update for Windows Defender - KB915597 (Definition 1.263.48.0)

    Was there some large change in the bump from 1.261.* to 1.263.*...? Anyone from Microsoft able to shed some light?


    You're not alone, I'm seeing the same on multiple systems. No resolution thus far.

    MVP-SBS 2001-2011 (retired)

    Thursday, March 8, 2018 2:51 PM
  • So are these failures on the server itself?  Like defender has to be installed on the server for it to get updates... or are you seeing this in WSUS defender approved installs on the workstations?  Not seeing it here (Hi Les!)
    Thursday, March 8, 2018 4:58 PM
  • Yes, self-update on the servers

    Thursday, March 8, 2018 5:15 PM
  • Yes, failures on the (SBS 2011) server itself. Windows 10 clients are fine
    Thursday, March 8, 2018 5:46 PM
  • Yeah ... just reading the events would give the impression that Defender is installed on the servers, but I don't think that's the case. The errors appear to be Malicious Software Removal Tool (MSRT) definition update failures. They were succeeding until 1.263.48.0, that and subsequently 1.263.176.0, have both failed to install.

    It's only on servers, doesn't appear to be WSUS related. I never really understood much value of MSRT anyhow, and I don't know when the name changed. (Hi Susan! :-))


    MVP-SBS 2001-2011 (retired)

    Thursday, March 8, 2018 6:51 PM
  • Defender is certainly installed on the servers I am looking at. It is part of the Desktop Experience Feature.

    You can open the Windows Defender Console and try the update within the GUI, and the error is the same.

    There is no connection with MSRT that I am aware of.

    Thursday, March 8, 2018 6:57 PM
  • What Jim says. My observations were half baked.

    MVP-SBS 2001-2011 (retired)

    Thursday, March 8, 2018 7:17 PM
  • I don't have defender on my SBS 2011 box?  (scratching my head)  Server 2008 R2 doesn't have a/v built in.  Server 2016 does.  Was Microsoft security essentials installed on the server?

    Can you give me a screen shot (sorry trying to find it on my SBS's and I'm not seeing it?)

    Thursday, March 8, 2018 11:33 PM
  • Desktop experience is not default in SBS 2011. Do you know what else needs this installed on your systems?

    (as honey, if something isn't default on SBS 2011 and given it's </cough> support these days, there is little chance I am going to get any support love)

    Thursday, March 8, 2018 11:38 PM
  • Crusty mind recalls installing desktop experience in order to enable cleanup of sxs folders. Perhaps windows defender comes along with that, by default? I don’t remember specifically enabling it, but may have. Only have 3 SBS 2011 left, and they’re all exactly the same. The best solution is probably to simply turn off defender if it’s not going to work.

    MVP-SBS 2001-2011 (retired)

    Friday, March 9, 2018 12:31 AM
  • AHHHHH got it.  That would do it.  It does come along with that. I did not know that so that was interesting to note.  Like Les said, services, Windows defender, shut it off.
    Friday, March 9, 2018 12:52 AM
  • And the answer is... yep, Windows Defender is automatically enabled with desktop experience. So that’s how it got there, and it’s been happily humming along for quite a while. So the answer is likely along the lines of the famous Ray Fong quote circa 2000? “That was never designed to work.” I’ll just be disabling it.

    MVP-SBS 2001-2011 (retired)

    Friday, March 9, 2018 12:55 AM
  • Yes, I also installed Desktop Experience to get Cleanmgr.exe.  Installing the feature also forced the installation of Ink and Handwriting if I remember right.

    I understand what you say (Susan SBS), but this is a security feature and I don't think it's too much to ask for a proper answer from MS.

    Friday, March 9, 2018 6:26 AM
  • It's not a security feature and it's not default to the product.  I apologize if I sound rude, I don't mean to be, but I am realistic about any support on this product.  Small Business Server is in extended support.  Desktop experience was not shipped by default on any Server product and thus not native to server OS.  If you want antivirus, I would go with a third party solution.

    If you want cleanmgr on server the way to do it is just copy the dll files and not put on the entire desktop experience:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff630161(v=ws.10)  That's the supported way to "install" cleanmgr on Servers.

    Friday, March 9, 2018 6:53 AM
  • V8 to the head.  I know what it is and yes there was a major change in defender

    http://www.sorinmustaca.com/microsoft-takes-on-potentially-unwanted-applications/

    Potentially unwanted applications are now being blocked via defender.

    https://cloudblogs.microsoft.com/microsoftsecure/2018/01/30/protecting-customers-from-being-intimidated-into-making-an-unnecessary-purchase/ 


    Friday, March 9, 2018 7:02 AM
  • Thanks for the explanation, Susan
    Friday, March 9, 2018 7:14 AM
  • Note that just kicked in on March 1st.
    Friday, March 9, 2018 7:22 AM
  • Same Problem here

    and another thread regarding the same Problem here:

    https://social.technet.microsoft.com/Forums/en-US/0d217555-bc18-4cb9-8698-61712450deaf/windows-defender-stopped-updating-sbs2011-wsus-32?forum=smallbusinessserver

    Saturday, March 10, 2018 3:00 PM
  • In the other thread Frank of MS suggested to disable the Defender as a solution. Erm...

    Disable the service.  Defender is not default on the Server 2008 R2 platform.

    Enabling the "Desktop Experience" Feature is officially possible by just enabling the feature under Windows Server Features. If MS decides to AUTOMATICALLY install the Defender with it, I see MS responsible in supporting this scenario.

    An MS employee suggesting to just disable the Defender, is erm "strange" to say the least....

    If we face problems with Server features in the future, which are not enabled by default, the common solution by MS will be to just disable these features..... :-)

    Wednesday, March 14, 2018 1:40 PM
  • Desktop experience is not default on Server.  On an extended support platform your chances of getting this fixed are low.  If you need it fixed, I would open a support case with Microsoft as merely posting in a forum won't be enough to get a fix.
    Wednesday, March 14, 2018 3:46 PM
  • Weirdly, Defender is still Ok on both Storage Server 2008R2 and standard Server 2008R2, both of which are enabled with Desktop Experience.

    Wednesday, March 14, 2018 4:16 PM

  • I am actually getting this very same error on one of our 2008R2 servers and would like to get past this without disabling Defender:

    Windows Update error:

    Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.263.782.0).

    Details from MpSigStub.log:

    ================================ ValidateUpdate ================================

    mpengine.dll version in package is 1.1.14600.4, but after update machine has older version 1.1.14500.5

    mpasbase.vdm version in package is 1.263.0.0, but after update machine has older version 1.261.0.0

    mpasdlta.vdm version in package is 1.263.978.0, but after update machine has older version 1.261.1644.0

    ERROR 0x8050a005 : One or more of the packages found failed to update for Microsoft Windows Defender (Win 7).

    ERROR 0x8050a005 : One or more of the products found failed to update; returning this error

                             Watson Report:

                        HRESULT: 0x8050a005                             P1

             FailedFunction: ValidateUpdate                         P2      

                  Operation: N/A                                    P3      

     SourceComponentVersion: 1.1.14500.5                            P4      

        SourceComponentName: mpsigstub.exe                          P5      

             ProductVersion: 6.1.7601.18170                         P6      

                ProductName: Microsoft Windows Defender (Windows 7) P7      

    ERROR 0x8050a005 : MpSigStubMain

    End time: 2018-03-23 12:43:37Z



    Betty Stolwyk

    Friday, March 23, 2018 8:04 PM
  • just a by the by, I don't know if anything will come of this, but I found this on the Microsoft partner support forum:

    Windows Defender Definition updates not installing
    https://partnersupport.microsoft.com/en-us/par_servplat/forum/par_winserv/windows-defender-definition-updates-not-installing/1e3f87ab-9ad0-4e66-bec6-f0eaa0e34ad2?auth=1

    Response: March 20, 2018

    the error code 8050A005 means ERROR_MP_BADDB_NOTSIGNED - seems the issue related to certificates in the trusted roots store, seems the certificate issue causes this signing check failures. And I am now following up with product team to check if there is any further update for this issue. If there is any update, I will post here as soon as I can. Your kindly understanding and patience is much appreciated!


    Betty Stolwyk

    • Proposed as answer by florinho Monday, April 16, 2018 6:27 AM
    Friday, March 23, 2018 9:05 PM
  • I saw the same issue with both Windows Defender and System Center 2012 endpoint protection on windows server 2008 R2.  The link above to https://partnersupport.microsoft.com/en-us/par_servplat/forum/par_winserv/windows-defender-definition-updates-not-installing/1e3f87ab-9ad0-4e66-bec6-f0eaa0e34ad2?auth=1 has been updated and has a fix.  It looks like code signing intermediate certificates were stored in the Trusted Root certificates store and not the Intermediate store.  Moving the certificates solved my issue.
    • Proposed as answer by neil sh Sunday, April 15, 2018 5:24 AM
    Sunday, April 15, 2018 5:24 AM
  • I can vouch for the solution!  It worked for me.  Here is the summary of what I did, following the instructions and advice in the above mentioned link with a couple of my own modifications for more clarity.

    In Powershell:

    1. Get a list of the relevant certificates

    PS> Get-ChildItem Cert:\LocalMachine\Root -Recurse  | Where-Object { ($_.NotAfter -gt "14 April 2018") -and ($_.Issuer -ne $_.Subject) } | select notafter, subject | sort subject, NotAfter | Format-Table -AutoSize

    My result example:

    NotAfter              Subject
    --------              -------
    9/7/2018 12:58:55 PM  CN=Microsoft Time-Stamp Service, ...
    9/15/2019 2:00:00 AM  CN=Microsoft Timestamping PCA,  ...
    8/31/2020 5:29:32 PM  CN=Microsoft Code Signing PCA,  ...
    4/3/2021 8:03:09 AM   CN=Microsoft Time-Stamp PCA,  ...


        Note: replace "14 April 2018" with current date.  
        You could also create variable PS> $today = Get-Date
         Then replace "14 April 2018" with $today


    2. Open Microsoft Management Console to view certificates

    Open an administrative command prompt and run mmc.exe

    Click on File > Add/Remove Snap-in

    Select Certificates and then click on  Add >, select Computer account > Local computer > Finish > OK

    In left navigation pane, expand Certificates(Local Computer), we will see Trusted Root Certification Authorities and Intermediate Certification Authorities

    Open Trusted Root Certification Authorities\Certificates, look for each certificate listed in the output of previous PowerShell command


    3. Back up certificates

    Select the certificate (you can multi-select if you want)

    Right-click and select All Tasks, then click Export.

    Run the Certificate Export Wizard

     - On the Export Private Key page, select the Yes, export the private key option.

     - On the Export File Format page, select the Personal Information Exchange (.PFX) file format.

     - If "Include all certificates in the certificate path" is enabled, select it

     - Complete the wizard.


    4. Move the certificates to Intermediate Certification Authorities

    Select the certificate again (you can multi-select if you want)

    Right-click and select Cut

    In the left navigation pane, navigate to Intermediate Certification Authorities\Certificates

    Right-click and Paste the certificate(s) there. 


    This link helped me regarding the backup of the certificates:

    http://www.entrust.net/knowledge-base/technote.cfm?tn=8174


    Betty Stolwyk



    • Proposed as answer by Betty B Monday, April 16, 2018 9:07 PM
    • Edited by Betty B Monday, April 16, 2018 9:18 PM
    Monday, April 16, 2018 8:58 PM
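
A scripted form of steps 1 to 4 in the post above, as an added example that is not part of the original post or of the partner-forum instructions it follows. It lists unexpired, non-self-signed certificates in the machine's Trusted Root store and, only when run with `-Move`, backs each one up and moves it to the Intermediate store; the `-Move` switch and the `C:\CertBackup` folder are assumptions, and the backup is a public-certificate `.cer` file rather than the PFX export described in step 3.

```powershell
# Added example: audit the LocalMachine Trusted Root store for certificates that
# are not self-signed, and optionally move them to the Intermediate (CA) store.
# Run from an elevated PowerShell prompt. Uses only .NET classes so that it also
# works with the PowerShell 2.0 shipped on Server 2008 R2 / SBS 2011.
param(
    [string]$BackupDir = 'C:\CertBackup',  # assumption: hypothetical backup folder
    [switch]$Move                          # assumption: without -Move, report only
)

$x509  = 'System.Security.Cryptography.X509Certificates'
$loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$flags = if ($Move) {
    [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite
} else {
    [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly
}

$root = New-Object "$x509.X509Store" 'Root', $loc   # Trusted Root Certification Authorities
$ca   = New-Object "$x509.X509Store" 'CA', $loc     # Intermediate Certification Authorities
$root.Open($flags)
$ca.Open($flags)

try {
    # Same filter as step 1: still valid, and Issuer differs from Subject.
    # A genuine root is self-signed, so anything matching here is an
    # intermediate certificate sitting in the wrong store.
    $now = Get-Date
    $misplaced = @($root.Certificates | Where-Object {
        ($_.NotAfter -gt $now) -and ($_.Issuer -ne $_.Subject)
    })

    $misplaced | Sort-Object Subject, NotAfter |
        Format-Table NotAfter, Thumbprint, Subject -AutoSize

    if ($Move -and $misplaced.Count -gt 0) {
        if (-not (Test-Path $BackupDir)) {
            New-Item -ItemType Directory -Path $BackupDir | Out-Null
        }
        foreach ($cert in $misplaced) {
            # Back up the public certificate (DER) before touching the store
            $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            $file = Join-Path $BackupDir ($cert.Thumbprint + '.cer')
            [System.IO.File]::WriteAllBytes($file, $der)

            # Add to the Intermediate store first, then remove from Root,
            # so a failure part-way never leaves the certificate in neither store
            $ca.Add($cert)
            $root.Remove($cert)
            Write-Output ("Moved {0} ({1})" -f $cert.Thumbprint, $cert.Subject)
        }
    }
}
finally {
    $root.Close()
    $ca.Close()
}
```

Run it once without `-Move` and compare the listed subjects against the step 1 output before making any change.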
  • For me, it wasn't particularly about the signing certificates, but my local (automatically generated, self-signed, OOTB) CA certificate was expired.

    When I renewed it, restarted all services regarding certificate deployment and ran all corresponding tasks from Task Manager manually (mainly to avoid the warnings in the CA MMC Snap-In and Event Log), Windows Defender update was immediately able to update without any problems.

    If anyone needs a detailed explanation, I'll be happy to provide it.

    Monday, April 23, 2018 8:47 AM
  • Hi,

    I've been having similar issues, MSRT and Defender updates seem to be failing on all machines (other updates seem ok)

    The PS command line returned nothing and I can't access the partnersite link mentioned (not a partner)

    I've been looking at my certificates and have only 3 in intermediate and the ones I have in the root the names don't match the post above. I have thawte timestamping.

    I do have certs that are expired.  Not really used to having to deal with certs.  Any help would be appreciated.


    Thanks,

    Tuesday, November 20, 2018 11:51 AM
  • Hi KCSP176,  do you see anything similar to this when you look at the Intermediate certificates on a machine that is having the problem with the Windows Defender updates?


    Betty Stolwyk

    Wednesday, November 21, 2018 8:53 PM