Using WSUS to deploy Windows Defender definition updates started to fail on Win10

Hi experts.

I am only looking for confirmation, so if you don't even use WSUS to deploy Windows Defender definition updates, please don't participate.

The last update that succeeded was on Friday, March 31st: 1.239.494.0
All newer ones fail to install only on win10. The updates still work on win2016 and on win8.1.

Please confirm.
Versions: Win10 v1607, WSUS on server 2012 R2, updated.
Error: "Definition Update for Windows Defender - KB2267602 (Definition 1.239.677.0) - Error 0x80070643"
McKnife Asked:

John, Business Consultant (Owner), Commented:
I got that precise error (not using WSUS) on Windows 10 1607 14393.969 this weekend AND on Windows 10 Insider Preview. Two different machines.

It appears to be a Microsoft issue.

On the Windows Insider machine, I deleted the registry key (per Microsoft Blog notes) to permit new builds to update but that did not fix Defender.

I won't get back to it until tonight to start up the Insider machine and check.

I do not think it is a WSUS issue.
0
Shaun Vermaak, Technical Specialist IV, Commented:
On one of these computers, click "Check Online" or download the definitions manually as a test, please.
0
John, Business Consultant (Owner), Commented:
I did that on two machines (above) during this weekend (after Friday) and that did not work.
0
McKnife, Author, Commented:
Hi.

I know that the updates had problems. I am trying to find out if it still has problems. We have no direct online connection for the clients, Shaun. So I won't be able and won't need to test the online connection. Just looking for confirmation by someone else that uses WSUS to distribute those updates.
0
John, Business Consultant (Owner), Commented:
I have tried several solutions from the Microsoft Blog, and I have a good sturdy connection. I will try again this evening while you await someone with the same issue who uses WSUS.

The actual error message is an installation error, not a download error.
0
McKnife, Author, Commented:
"The actual error message is an installation error, not a download error." - that is correct.
I had already tried and downloaded the standalone installer from http://go.microsoft.com/fwlink/?LinkID=121721&arch=x64 - that works. So definitely the packages on the WSUS server are the problem. I only wonder why it would work on win8.1, because those packages should be identical for those 2 OS'.
0
John, Business Consultant (Owner), Commented:
I don't have Windows 8.1 any more (even virtual). I understand about the identical packages. I am continuing to look for a reason to try to help.

I will try your link this evening to see if that works. Thank you for that.

The error is affecting machines beyond WSUS as well.
0
McKnife, Author, Commented:
Removing HKLM\SOFTWARE\Microsoft\MpSigStub from the clients solved the problem. I read that on TechNet and I asked over there why that would be considered in the first place. Will update this.
1
Shaun Vermaak, Technical Specialist IV, Commented:
Maybe you saw this explanation but it makes sense

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_updating/windows-defender-update-failing/8921304f-b710-4180-91e4-44f38b3a819e?page=4
I guess the error is related to DropLocation mentioned in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MpSigStub. Some kind of problem was there with accessing that folder (or files in that folder). That's why deleting that folder may have worked. Generally, this folder is created while updating and deleted afterwards, created again when updating again and then deleted. But, maybe something prevented it from getting deleted (Tuesday updates?). Phew! Tough task to guess. But good news is that clearing Temp is working. :-)
If error happens again, try clearing Temp once more. Observe it for some days. If error occurs repeatedly then upload MpCmdRun.log and MpSigStub.log on OneDrive and post links here.
0
John, Business Consultant (Owner), Commented:
Did your solution or Shaun's solution permanently solve your issue?

Defender has turned into a big problem for Microsoft. It continues (after the fixes above) not to be working for me or many other persons.

I stuck this in Windows Insider Feedback Hub and got more up votes in 60 minutes than in the past two weeks.
0
McKnife, Author, Commented:
Yes, deleting that registry key has solved it - will make sure to double check if it hasn't returned for some only.
0
McKnife, Author, Commented:
I object to my own request for closure. It is not solved but the issue is reappearing for some, so deleting the registry key needs to be repeated and therefore it cannot be called a solution but only a temporary fix.

By this time, I have found two win8.1 stations that also had that problem, so it's not win10 exclusive after all, it's just that we have much more 10 compared to 8.1.

Open for new info on the matter.
0
John, Business Consultant (Owner), Commented:
Microsoft is definitely aware of the issue and last night (my time) it was still not fixed. I am fairly sure it is not a WSUS issue (or at the least broader than WSUS).

When will they fix it? April 11 Patch Tuesday? I am not sure (no information posted).
0
Shaun Vermaak, Technical Specialist IV, Commented:
I would create a GPO with WMI day filter (say Mondays) and just delete the key automatically
0
McKnife, Author, Commented:
"I would create a GPO with WMI day filter (say Mondays) and just delete the key automatically" - We use a scheduled task that does it daily.
"...it is not a WSUS issue (or at the least broader than WSUS). " - could be.
1
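
The scheduled-task workaround discussed above, as an added example that is not part of the original thread or anyone's posted script: instead of deleting the key unconditionally every day, it acts only when the System log shows a recent failed install of KB2267602 with error 0x80070643, backs the key up first, and then requests definitions from the internal update server. The 7-day look-back window and the backup file location are assumptions.

```powershell
# Added example, not from the thread. Run elevated, e.g. as SYSTEM from a scheduled task.
# Assumptions: the 7-day look-back window and the backup path are illustrative choices.
$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\MpSigStub'
$BackupFile = Join-Path $env:ProgramData 'MpSigStub-backup.reg'   # hypothetical location
$LookBack   = (Get-Date).AddDays(-7)

function Test-DefenderDefinitionFailure {
    # Event ID 20 from WindowsUpdateClient in the System log records a failed installation.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        Id           = 20
        StartTime    = $LookBack
    } -ErrorAction SilentlyContinue
    # Match the update and error code quoted in the question.
    [bool]($events | Where-Object {
        $_.Message -match 'KB2267602' -and $_.Message -match '0x80070643'
    })
}

$before = (Get-MpComputerStatus).AntivirusSignatureVersion

if (-not (Test-DefenderDefinitionFailure)) {
    Write-Output "No recent KB2267602 install failure; signatures at $before. Nothing to do."
    return
}
if (-not (Test-Path $KeyPath)) {
    Write-Output "Install failure logged, but $KeyPath is absent; this workaround does not apply."
    return
}

# Keep a copy of the key so the change can be reviewed or reverted.
& reg.exe export 'HKLM\SOFTWARE\Microsoft\MpSigStub' $BackupFile /y | Out-Null
Remove-Item -Path $KeyPath -Recurse -Force

# Clients in the thread have no internet access, so ask the WSUS server for definitions.
Update-MpSignature -UpdateSource InternalDefinitionUpdateServer

$after = (Get-MpComputerStatus).AntivirusSignatureVersion
Write-Output "Removed $KeyPath (backup: $BackupFile). Signature version: $before -> $after"
```

Collecting the script's output line centrally shows which clients still hit the failure after the key was removed, which is the recurrence reported later in the thread.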
John, Business Consultant (Owner), Commented:
I took a client machine just now that is Windows 10 Pro and runs Symantec Endpoint Protection. I enabled Windows Defender (but not Real Time), updated and restarted, and Windows Defender downloaded and installed!

I then took my own business X1 Laptop (Windows 10 Pro Symantec Endpoint Protection) and enabled Windows Defender. It updated and installed.

This is two machines and just this morning, but it does look like Microsoft has put in a fix. All normal so far as I can see.
0
McKnife, Author, Commented:
Look, it's not sure. Monday, our WSUS reported 45 machines as having update problems - all were windows defender. Then I deployed the "fix" that deleted that registry key and it worked anywhere. Now it returned but not everywhere. Still, 10 machines have that problem as of now (with the newest updates). I know I can fix it again the same way, but I will wait for a Microsoft statement.
0
John, Business Consultant (Owner), Commented:
Monday and Tuesday Defender was not installing. Today Wednesday it is smoothly installing.

I did not apply any fixes above to the two machines that are now working.

Yes, I know that two machines does not make it conclusive at all. But no fixes and it starts working is at least a very positive sign.
0
John, Business Consultant (Owner), Commented:
I just fired up my X230 Windows 10 Insider laptop (15063) and Defender installed and started working normally. 2 updates on my X1 Carbon today.

So all machines we have are working as of today, no registry changes.
0
John, Business Consultant (Owner), Commented:
I did find a reasonably conclusive post that this was all a Microsoft issue.

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_updating/on-windows-defender-definition-update-error/26689087-6b72-4d25-b31a-bc85a8f13d3e

There is a fix there if you need it. None of the machines I worked on needed the fix and all are updating properly.
0

McKnife, Author, Commented:
It seems you found just the right thread which confirms it and confirms it's been fixed by now. Will keep an eye on WSUS statistics.
0
McKnife, Author, Commented:
Updating is back to normal. It seems John has found just the right thread and MS has fixed it. The workaround, to delete the registry key mpsigstub is worth noting.
Thanks all.
0
John, Business Consultant (Owner), Commented:
You are very welcome. All is now well with Defender. I do not know why it took Microsoft 5 days to fix it.
0