Solved

Windows Defender stops updating Wsus server

Posted on 2009-04-22
Last Modified: 2012-05-06
Could someone give an acceptable solution for this issue, please? (ID: 21843543)
I have the same problem: updates stopped working after 26 February 2009.
Our WSUS server is still downloading the latest updates, but the clients are not updating (Vista and XP).
Quitting the domain is not an option.
Thanks
Question by:paeep
 
LVL 19

Expert Comment

by:lamaslany
ID: 24203068
Are the clients still talking to the WSUS server?  I know that they are not updating but when does WSUS think that the clients last contacted it?

Can you try manually forcing the client(s) to report to WSUS?  Run:  wuauclt /reportnow

Can you try manually forcing the client(s) to scan for updates from WSUS?  Run: wuauclt /detectnow

PS:  I am not 100% sure about the last switch - it might be /scannow...
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24203771
I think it could be a virus that has possibly switched off the automatic updates within the registry. I am going to suggest that you download MalwareBytes Anti-Malware from www.malwarebytes.org and reboot your PC in safe mode and do a quick scan with that. See if it picks up anything.

It should solve the problem at hand (if it's really a virus issue). If you are still observing the problems, then we can look at another tool called ComboFix; the instructions to use ComboFix are here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I don't recommend running ComboFix as the first thing though.
0
 

Author Comment

by:paeep
ID: 24204649
A scan with Malwarebytes did not solve the problem. (We have good virus protection.)
All our XP and Vista machines are not updating.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24205363
Did you scan in safe mode? Safe mode would normally get more hits as compared to normal mode. I suggest using ComboFix then, more instructions are here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Download ComboFix and save it with a different name. Reboot a PC in safe mode, then disable your antivirus and firewall and run it. After the scan completes and creates a log, send us that log.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24207045
run net stop wuauserv
delete the windowsupdate.log
net start wuauserv
 
and post your windowsupdate.log
 
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24207109
0
 

Author Comment

by:paeep
ID: 24215319
Hi,
I did the malware scan in Safe mode.
Hereby the windowsupdate.log file.
WindowsUpdate.log
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24215442
Are you using the windows defender ADM as below?
CLASS MACHINE
 
CATEGORY !!WindowsComponents
	CATEGORY !!AntiSpyware
 
		POLICY !!DisableAntiSpyware
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender"
			EXPLAIN !!DisableAntiSpyware_Explain
			VALUENAME "DisableAntiSpyware"
				VALUEON NUMERIC 1
				VALUEOFF NUMERIC 0
		END POLICY
 
		POLICY !!DisableUnknownRTP
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Real-Time Protection"
			EXPLAIN !!DisableUnknownRTP_Explain
			VALUENAME "EnableUnknownPrompts"
				VALUEON NUMERIC 1
				VALUEOFF NUMERIC 0
		END POLICY
		
		POLICY !!CheckForSignaturesBeforeRunningScan
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Scan"
			EXPLAIN !!CheckForSignaturesBeforeRunningScan_Explain
			VALUENAME "CheckForSignaturesBeforeRunningScan"
				VALUEON NUMERIC 1
				VALUEOFF NUMERIC 0
		END POLICY
 
		POLICY !!ForceFullUpdate
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Signature Updates"
			EXPLAIN !!ForceFullUpdate_Explain
			VALUENAME "ForceFullUpdate"
				VALUEON NUMERIC 1 
				VALUEOFF NUMERIC 0
		END POLICY
 
		POLICY !!EnableLoggingForKnownGood
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Reporting"
			EXPLAIN !!EnableLoggingForKnownGood_Explain
			VALUENAME "DisableLoggingForKnownGood"
				VALUEON NUMERIC 0 
				VALUEOFF NUMERIC 1 
		END POLICY
 
		POLICY !!EnableLoggingForUnknown
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Reporting"
			EXPLAIN !!EnableLoggingForUnknown_Explain
			VALUENAME "DisableLoggingForUnknown"
				VALUEON NUMERIC 0 
				VALUEOFF NUMERIC 1 
		END POLICY
 
		POLICY !!SpyNetReporting
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\SpyNet"
			EXPLAIN	!!SpyNetReporting_Explain
			PART !!SpyNetReporting_DropDownList DROPDOWNLIST REQUIRED
	    			VALUENAME "SpyNetReporting"
					ITEMLIST
						NAME !!SpyNetReporting_DropDownList_Disabled	VALUE NUMERIC 0
						NAME !!SpyNetReporting_DropDownList_Basic	VALUE NUMERIC 1
						NAME !!SpyNetReporting_DropDownList_Advanced	VALUE NUMERIC 2
					END ITEMLIST
			END PART
		END POLICY
 
		POLICY !!CheckAlternateDownloadLocation
			#IF VERSION >= 5
				SUPPORTED !!WindowsXP
			#ENDIF
			KEYNAME "Software\Policies\Microsoft\Windows Defender\Signature Updates"
			EXPLAIN !!CheckAlternateDownloadLocation_Explain
			VALUENAME "CheckAlternateDownloadLocation"
				VALUEON NUMERIC 0 
				VALUEOFF NUMERIC 1 
		END POLICY
 
	END CATEGORY
END CATEGORY
[strings]
DisableAntiSpyware="Turn off Windows Defender"
DisableAntiSpyware_Explain="Turns off Windows Defender Real-Time Protection, and no more scans are scheduled.\n\nIf you enable this policy setting, Windows Defender does not run, and computers will not be scanned for spyware or other potentially unwanted software.\n\nIf you disable or do not configure this policy setting, by default Windows Defender runs and computers are scanned for spyware and other potentially unwanted software."
DisableUnknownRTP="Turn off Real-Time Protection Prompts for Unknown Detection"
DisableUnknownRTP_Explain="Turns off Real-Time Protection prompts for unknown detection.\n\nIf you enable this policy setting, Windows Defender does not prompt users to allow or block unknown activity.\n\nIf you disable or do not configure this policy setting, by default Windows Defender prompts users to allow or block unknown activity on the computer."
CheckForSignaturesBeforeRunningScan="Check for New Signatures Before Scheduled Scans"
CheckForSignaturesBeforeRunningScan_Explain="Checks for new signatures before running scheduled scans.\n\nIf you enable this policy setting, the scheduled scan checks for new signatures before it scans the computer.\n\nIf you disable or do not configure this policy setting, the scheduled scan begins without downloading new signatures."
ForceFullUpdate="Download Entire Signature Set"
ForceFullUpdate_Explain="Downloads the full signature set, rather than only the signatures that have been updated since the last signature download. Downloading the full signature set can help troubleshoot problems with signature installations, but because the file is large, it can take longer to download. \n\nIf you enable this policy setting, the full signatures set is downloaded.\n\nIf you disable or do not configure this policy setting, by default only updated signatures are downloaded."
EnableLoggingForKnownGood="Enable Logging Known Good Detections"
EnableLoggingForKnownGood_Explain="Enables logging detection data during Real-time Protection when Windows Defender detects known good files. Logging detections provides you with detailed information about the programs that run on the computers you monitor.\n\nIf you enable this policy setting, known good files are logged.\n\nIf you disable or do not configure this policy setting, by default known good files are not logged.\n\nEnabling this policy setting can result in a greater number of events in the log."
EnableLoggingForUnknown="Enable Logging Unknown Detections"
EnableLoggingForUnknown_Explain="Enables logging detections during Real-time Protection when Windows Defender detects unknown files. Logging detections provides you with detailed information about the programs that run on the computers you monitor.\n\nIf you enable or do not configure this policy setting, by default unknown files are logged.\n\nIf you disable this policy setting, unknown files are not logged.\n\nEnabling this policy setting can result in a greater number of events in the log."
SpyNetReporting="Configure Microsoft SpyNet Reporting"
SpyNetReporting_Explain="Adjusts membership in Microsoft SpyNet.\n\nMicrosoft SpyNet is the online community that helps you choose how to respond to potential spyware threats. The community also helps stop the spread of new spyware infections.\n\nHere's how it works. When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the action you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information.\n\nIf you enable this policy setting and choose "No Membership" from the drop-down list, SpyNet membership will be disabled. At this setting, no information will be sent to Microsoft. You will not be alerted if Windows Defender detects unclassified software running on your computer. Local users will not be able to change their SpyNet membership.\n\nIf you enable this policy setting and choose "Basic" from the drop-down list, SpyNet membership is set to "Basic". At this setting, basic information about the detected items and the actions you apply will be shared with the online community. You will not be alerted if Windows Defender detects software that has not yet been classified for risks.\n\nIf you enable this policy setting and choose "Advanced" from the drop-down list, SpyNet membership is set to "Advanced". At this setting, you send your choices and additional information about detected items. You are alerted so you can take action when Windows Defender detects changes to your computer by unclassified software. Your decisions to allow or block changes help Microsoft create new definitions for Windows Defender and better detect harmful software. In some instances, personal information may be sent but no information is used to contact you.\n\nIf you disable or do not configure this policy setting, by default SpyNet membership is disabled. At this setting, no information will be sent to Microsoft. You will not be alerted if Windows Defender detects unclassified software running on your computer. Local users will still be able to change their SpyNet membership."
SpyNetReporting_DropDownList="Microsoft SpyNet Membership"
SpyNetReporting_DropDownList_Disabled="No Membership"
SpyNetReporting_DropDownList_Basic="Basic"
SpyNetReporting_DropDownList_Advanced="Advanced"
CheckAlternateDownloadLocation="Turn on definition updates through both WSUS and Windows Update"
CheckAlternateDownloadLocation_Explain="This policy setting allows you to configure Windows Defender to check and install definition updates from Windows Update when a locally managed Windows Server Update Services (WSUS) server is not available.\n\nWindows Defender checks for defintion updates using the Automatic Updates client. The Automatic Updates client can be configured to check the public Windows Update Web site or a locally managed WSUS server. When a computer is not able to connect to an internal WSUS server, such as when a portable computer is roaming outside of the corporate network, Windows Defender can be configured to also check Windows Update to ensure definition updates are delivered to these roaming machines.\n\nIf you enable or do not configure this policy setting, by default Windows Defender will check for definition updates from Windows Update, if connections to a locally managed WSUS server fail.\n\nIf you disable this policy setting, Windows Defender will check for definition updates only on a locally managed WSUS server, if the Automatic Updates client is so configured.\n\n"
WindowsXP="Microsoft Windows XP or later"
WindowsComponents="Windows Components"
AntiSpyware="Windows Defender"

0
 

Author Comment

by:paeep
ID: 24215632
I am not using Windows Defender ADM.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24215673
Line 120 of the ADM
CheckAlternateDownloadLocation="Turn on definition updates through both WSUS and Windows Update"
 
0
 
LVL 19

Expert Comment

by:lamaslany
ID: 24216282
"All our XP and Vista machines are not updating."

But are they still trying to connect?  Not finding updates is not the same as not contacting the server.

0
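A read-only check of the client-side settings discussed in this thread, as an added example that is not from any of the posters: it reads the Automatic Updates policy values that point a client at WSUS and the Defender values named in the ADM above, and translates CheckAlternateDownloadLocation, which the ADM stores inverted (enabled = 0, disabled = 1). The WindowsUpdate policy key and the WindowsUpdate.log location are the standard client locations and are assumed to apply to the machines in question; run it in an elevated PowerShell session on an affected client.

```powershell
# Added example: report where this client is told to get updates from.
# Defender key and value names are taken from the ADM posted in this thread;
# the WindowsUpdate policy key is the standard Automatic Updates location.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$def = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

$useWsus  = Get-PolicyValue "$wu\AU" 'UseWUServer'
$wuServer = Get-PolicyValue $wu 'WUServer'
$wuStatus = Get-PolicyValue $wu 'WUStatusServer'
$altLoc   = Get-PolicyValue "$def\Signature Updates" 'CheckAlternateDownloadLocation'
$defOff   = Get-PolicyValue $def 'DisableAntiSpyware'

# The ADM writes 0 when the policy is enabled and 1 when it is disabled,
# so the raw number reads backwards; translate it before reporting.
if ($null -eq $altLoc)  { $fallback = 'not configured (ADM text: fallback to Windows Update is the default)' }
elseif ($altLoc -eq 0)  { $fallback = 'enabled: falls back to Windows Update if WSUS fails' }
elseif ($altLoc -eq 1)  { $fallback = 'disabled: definitions come from WSUS only' }
else                    { $fallback = "unexpected value $altLoc" }

New-Object PSObject -Property @{
    UseWUServer               = $useWsus    # 1 = client is pointed at WSUS
    WUServer                  = $wuServer
    WUStatusServer            = $wuStatus
    DefenderDisabledByPolicy  = ($defOff -eq 1)
    DefenderDefinitionSource  = $fallback
} | Format-List

# Last few log lines that mention the configured WSUS URL, to see whether
# the client is still trying to reach it and when it last did.
$log = Join-Path $env:windir 'WindowsUpdate.log'
if ($wuServer -and (Test-Path $log)) {
    Select-String -Path $log -Pattern $wuServer -SimpleMatch |
        Select-Object -Last 5 | ForEach-Object { $_.Line }
}
```

A client that shows the expected WUServer and recent log lines is still contacting WSUS, which points the investigation at the server side, as the accepted solution below found.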
 

Accepted Solution

by:
paeep earned 0 total points
ID: 24223027
It seems that my WSUS server is not downloading the approved updates.
Not only the Defender updates are not installing on the clients, but all the approved updates.
I have tried the solutions from ID:17398652.  "wsusutil reset"
Updates are now downloading again.
I hope this solves the issue, now waiting for the result.
0
