paeep


Windows Defender stops updating Wsus server

Could someone give an acceptable solution for this issue, please? (ID: 21843543)
I have the same problem: updates stopped working after 26 February 2009.
Our WSUS server is still downloading the latest updates, but the clients are not updating (Vista and XP).
Quitting the domain is not an option.
Thanks
lamaslany

Are the clients still talking to the WSUS server?  I know that they are not updating but when does WSUS think that the clients last contacted it?

Can you try manually forcing the client(s) to report to WSUS?  Run:  wuauclt /reportnow

Can you try manually forcing the client(s) to scan for updates from WSUS?  Run: wuauclt /detectnow

PS:  I am not 100% sure about the last switch - it might be /scannow...

I think it could be a virus that has possibly switched off the automatic updates within the registry. I am going to suggest that you download MalwareBytes Anti-Malware from www.malwarebytes.org and reboot your PC in safe mode and do a quick scan with that. See if it picks up anything.

It should solve the problem at hand (if it's really a virus issue). If you are still observing the problems, then we can look at another tool called ComboFix; the instructions to use ComboFix are here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I don't recommend running ComboFix as the first thing though.
paeep

ASKER

A scan with Malwarebytes did not solve the problem. (We have good virus protection.)
All our XP and Vista machines are not updating.

Did you scan in safe mode? Safe mode would normally get more hits as compared to normal mode. I suggest using ComboFix then, more instructions are here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Download ComboFix and save it with a different name. Reboot a PC in safe mode, then disable your antivirus and firewall and run it. After the scan completes and creates a log, send us that log.

run net stop wuauserv
delete the windowsupdate.log
net start wuauserv
 
and post your windowsupdate.log
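
The log-collection steps above, combined with the earlier question of whether clients are contacting WSUS at all, as one batch script for an XP or Vista client. This is an added example, not part of any poster's reply; the report path, the two-minute wait and the `findstr` search strings are assumptions, and it renames the old log rather than deleting it.

```batch
@echo off
rem Added example (not from the thread). Run from an administrator prompt on a client.
setlocal
set "WULOG=%SystemRoot%\WindowsUpdate.log"
rem Assumed report location, one file per machine.
set "OUT=%TEMP%\wu-triage-%COMPUTERNAME%.txt"
set "WUPOL=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
set "WDPOL=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

> "%OUT%" echo WSUS client triage for %COMPUTERNAME% at %DATE% %TIME%

rem 1. Which server is the Automatic Updates client pointed at by policy?
>> "%OUT%" echo === Windows Update policy ===
reg query "%WUPOL%" /s >> "%OUT%" 2>&1

rem 2. Is any Windows Defender policy from the ADM in this thread applied?
>> "%OUT%" echo === Windows Defender policy ===
reg query "%WDPOL%" /s >> "%OUT%" 2>&1

rem 3. Stop the service, set the old log aside, restart to get a clean log.
net stop wuauserv
if exist "%WULOG%" move /y "%WULOG%" "%WULOG%.old" >nul
net start wuauserv
if errorlevel 1 (
  >> "%OUT%" echo wuauserv failed to start
  goto :done
)

rem 4. Trigger detection and reporting, then wait about two minutes.
rem    XP has no timeout command, so ping the loopback address instead.
wuauclt /detectnow
wuauclt /reportnow
ping -n 121 127.0.0.1 >nul

rem 5. Keep the lines that tell a failed connection apart from a successful
rem    scan that found nothing. The search strings are assumed log wording.
>> "%OUT%" echo === Server, result and error lines from the new log ===
findstr /i /c:"WSUS server" /c:"Found " /c:"WARNING" /c:"FATAL" "%WULOG%" >> "%OUT%" 2>&1

:done
echo Report written to %OUT%
endlocal
```

An empty Windows Update policy section in the report means the client is not being pointed at WSUS by Group Policy, which is a different fault from a client that reaches the server and finds no applicable updates.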
 
paeep

ASKER

Hi,
I did the malware scan in Safe mode.
Hereby the windowsupdate.log file.
WindowsUpdate.log

Are you using the Windows Defender ADM as below?
CLASS MACHINE
 
CATEGORY !!WindowsComponents
	CATEGORY !!AntiSpyware
 
		POLICY !!DisableAntiSpyware
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender"
			EXPLAIN !!DisableAntiSpyware_Explain
			VALUENAME "DisableAntiSpyware"
				VALUEON NUMERIC 1
				VALUEOFF NUMERIC 0
		END POLICY
 
		POLICY !!DisableUnknownRTP
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Real-Time Protection"
			EXPLAIN !!DisableUnknownRTP_Explain
			VALUENAME "EnableUnknownPrompts"
				VALUEON NUMERIC 1
				VALUEOFF NUMERIC 0
		END POLICY
		
		POLICY !!CheckForSignaturesBeforeRunningScan
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Scan"
			EXPLAIN !!CheckForSignaturesBeforeRunningScan_Explain
			VALUENAME "CheckForSignaturesBeforeRunningScan"
				VALUEON NUMERIC 1
				VALUEOFF NUMERIC 0
		END POLICY
 
		POLICY !!ForceFullUpdate
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Signature Updates"
			EXPLAIN !!ForceFullUpdate_Explain
			VALUENAME "ForceFullUpdate"
				VALUEON NUMERIC 1 
				VALUEOFF NUMERIC 0
		END POLICY
 
		POLICY !!EnableLoggingForKnownGood
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Reporting"
			EXPLAIN !!EnableLoggingForKnownGood_Explain
			VALUENAME "DisableLoggingForKnownGood"
				VALUEON NUMERIC 0 
				VALUEOFF NUMERIC 1 
		END POLICY
 
		POLICY !!EnableLoggingForUnknown
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Reporting"
			EXPLAIN !!EnableLoggingForUnknown_Explain
			VALUENAME "DisableLoggingForUnknown"
				VALUEON NUMERIC 0 
				VALUEOFF NUMERIC 1 
		END POLICY
 
		POLICY !!SpyNetReporting
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\SpyNet"
			EXPLAIN	!!SpyNetReporting_Explain
			PART !!SpyNetReporting_DropDownList DROPDOWNLIST REQUIRED
	    			VALUENAME "SpyNetReporting"
					ITEMLIST
						NAME !!SpyNetReporting_DropDownList_Disabled	VALUE NUMERIC 0
						NAME !!SpyNetReporting_DropDownList_Basic	VALUE NUMERIC 1
						NAME !!SpyNetReporting_DropDownList_Advanced	VALUE NUMERIC 2
					END ITEMLIST
			END PART
		END POLICY
 
		POLICY !!CheckAlternateDownloadLocation
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Signature Updates"
			EXPLAIN !!CheckAlternateDownloadLocation_Explain
			VALUENAME "CheckAlternateDownloadLocation"
				VALUEON NUMERIC 0 
				VALUEOFF NUMERIC 1 
		END POLICY
 
	END CATEGORY
END CATEGORY
[strings]
DisableAntiSpyware="Turn off Windows Defender"
DisableAntiSpyware_Explain="Turns off Windows Defender Real-Time Protection, and no more scans are scheduled.\n\nIf you enable this policy setting, Windows Defender does not run, and computers will not be scanned for spyware or other potentially unwanted software.\n\nIf you disable or do not configure this policy setting, by default Windows Defender runs and computers are scanned for spyware and other potentially unwanted software."
DisableUnknownRTP="Turn off Real-Time Protection Prompts for Unknown Detection"
DisableUnknownRTP_Explain="Turns off Real-Time Protection prompts for unknown detection.\n\nIf you enable this policy setting, Windows Defender does not prompt users to allow or block unknown activity.\n\nIf you disable or do not configure this policy setting, by default Windows Defender prompts users to allow or block unknown activity on the computer."
CheckForSignaturesBeforeRunningScan="Check for New Signatures Before Scheduled Scans"
CheckForSignaturesBeforeRunningScan_Explain="Checks for new signatures before running scheduled scans.\n\nIf you enable this policy setting, the scheduled scan checks for new signatures before it scans the computer.\n\nIf you disable or do not configure this policy setting, the scheduled scan begins without downloading new signatures."
ForceFullUpdate="Download Entire Signature Set"
ForceFullUpdate_Explain="Downloads the full signature set, rather than only the signatures that have been updated since the last signature download. Downloading the full signature set can help troubleshoot problems with signature installations, but because the file is large, it can take longer to download. \n\nIf you enable this policy setting, the full signatures set is downloaded.\n\nIf you disable or do not configure this policy setting, by default only updated signatures are downloaded."
EnableLoggingForKnownGood="Enable Logging Known Good Detections"
EnableLoggingForKnownGood_Explain="Enables logging detection data during Real-time Protection when Windows Defender detects known good files. Logging detections provides you with detailed information about the programs that run on the computers you monitor.\n\nIf you enable this policy setting, known good files are logged.\n\nIf you disable or do not configure this policy setting, by default known good files are not logged.\n\nEnabling this policy setting can result in a greater number of events in the log."
EnableLoggingForUnknown="Enable Logging Unknown Detections"
EnableLoggingForUnknown_Explain="Enables logging detections during Real-time Protection when Windows Defender detects unknown files. Logging detections provides you with detailed information about the programs that run on the computers you monitor.\n\nIf you enable or do not configure this policy setting, by default unknown files are logged.\n\nIf you disable this policy setting, unknown files are not logged.\n\nEnabling this policy setting can result in a greater number of events in the log."
SpyNetReporting="Configure Microsoft SpyNet Reporting"
SpyNetReporting_Explain="Adjusts membership in Microsoft SpyNet.\n\nMicrosoft SpyNet is the online community that helps you choose how to respond to potential spyware threats. The community also helps stop the spread of new spyware infections.\n\nHere's how it works. When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the action you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information.\n\nIf you enable this policy setting and choose "No Membership" from the drop-down list, SpyNet membership will be disabled. At this setting, no information will be sent to Microsoft. You will not be alerted if Windows Defender detects unclassified software running on your computer. Local users will not be able to change their SpyNet membership.\n\nIf you enable this policy setting and choose "Basic" from the drop-down list, SpyNet membership is set to "Basic". At this setting, basic information about the detected items and the actions you apply will be shared with the online community. You will not be alerted if Windows Defender detects software that has not yet been classified for risks.\n\nIf you enable this policy setting and choose "Advanced" from the drop-down list, SpyNet membership is set to "Advanced". At this setting, you send your choices and additional information about detected items. You are alerted so you can take action when Windows Defender detects changes to your computer by unclassified software. Your decisions to allow or block changes help Microsoft create new definitions for Windows Defender and better detect harmful software. In some instances, personal information may be sent but no information is used to contact you.\n\nIf you disable or do not configure this policy setting, by default SpyNet membership is disabled. At this setting, no information will be sent to Microsoft. You will not be alerted if Windows Defender detects unclassified software running on your computer. Local users will still be able to change their SpyNet membership."
SpyNetReporting_DropDownList="Microsoft SpyNet Membership"
SpyNetReporting_DropDownList_Disabled="No Membership"
SpyNetReporting_DropDownList_Basic="Basic"
SpyNetReporting_DropDownList_Advanced="Advanced"
CheckAlternateDownloadLocation="Turn on definition updates through both WSUS and Windows Update"
CheckAlternateDownloadLocation_Explain="This policy setting allows you to configure Windows Defender to check and install definition updates from Windows Update when a locally managed Windows Server Update Services (WSUS) server is not available.\n\nWindows Defender checks for defintion updates using the Automatic Updates client. The Automatic Updates client can be configured to check the public Windows Update Web site or a locally managed WSUS server. When a computer is not able to connect to an internal WSUS server, such as when a portable computer is roaming outside of the corporate network, Windows Defender can be configured to also check Windows Update to ensure definition updates are delivered to these roaming machines.\n\nIf you enable or do not configure this policy setting, by default Windows Defender will check for definition updates from Windows Update, if connections to a locally managed WSUS server fail.\n\nIf you disable this policy setting, Windows Defender will check for definition updates only on a locally managed WSUS server, if the Automatic Updates client is so configured.\n\n"
WindowsXP="Microsoft Windows XP or later"
WindowsComponents="Windows Components"
AntiSpyware="Windows Defender"


paeep

ASKER

I am not using Windows Defender ADM.
Line 120 of the ADM
CheckAlternateDownloadLocation="Turn on definition updates through both WSUS and Windows Update"
 
All our XP and Vista machines are not updating.

But are they still trying to connect?  Not finding updates is not the same as not contacting the server.

ASKER CERTIFIED SOLUTION
paeep